ARM disassemble+ Crash at ldmge r1!, {r4, r5, r6, r7, r8, r9, r10, r11}

Question

I found a crash in memcpy() function, which gets called from one of 802.11n specific aggregation function in wifi driver. From the core analysis, the crash point is mentioned below,

0x012014f8 <memcpy+100>: ldmge r1!, {r4, r5, r6, r7, r8, r9, r10, r11}

Why do we see a crash after the ldmge instruction execution?

I would like to know which parameter of memcpy() is corrupted - src_addr,dest_addr or length? Could you please provide your inputs by looking into the disassemble code. Please find the disassemble code of memcpy() from gdb and backtrace from core file.

---

disas *

Dump of assembler code for function memcpy:
0x01201494 <memcpy+0>:    cmp r2, #0  ; 0x0
0x01201498 <memcpy+4>:    moveq   pc, lr
0x0120149c <memcpy+8>:    push    {r4, r5, r6, r7, r8, r9, r10, r11, lr}
0x012014a0 <memcpy+12>:   mov r3, r0
0x012014a4 <memcpy+16>:   cmp r2, #16 ; 0x10
0x012014a8 <memcpy+20>:   blt 0x12016b8 <mc_bytes>
0x012014ac <memcpy+24>:   ands    r12, r3, #3 ; 0x3
0x012014b0 <memcpy+28>:   beq 0x12014d8 <memcpy+68>
0x012014b4 <memcpy+32>:   rsb r12, r12, #4    ; 0x4
0x012014b8 <memcpy+36>:   cmp r12, #2 ; 0x2
0x012014bc <memcpy+40>:   ldrb    r4, [r1], #1
0x012014c0 <memcpy+44>:   ldrbge  r5, [r1], #1
0x012014c4 <memcpy+48>:   ldrbgt  r6, [r1], #1
0x012014c8 <memcpy+52>:   strb    r4, [r3], #1
0x012014cc <memcpy+56>:   strbge  r5, [r3], #1
0x012014d0 <memcpy+60>:   strbgt  r6, [r3], #1
0x012014d4 <memcpy+64>:   sub r2, r2, r12
0x012014d8 <memcpy+68>:   ands    r12, r1, #3 ; 0x3
0x012014dc <memcpy+72>:   bne 0x120156c <mc_unaligned>
0x012014e0 <memcpy+76>:   tst r3, #15 ; 0xf
0x012014e4 <memcpy+80>:   ldrne   r4, [r1], #4
0x012014e8 <memcpy+84>:   subne   r2, r2, #4  ; 0x4
0x012014ec <memcpy+88>:   strne   r4, [r3], #4
0x012014f0 <memcpy+92>:   bne 0x12014e0 <memcpy+76>
0x012014f4 <memcpy+96>:   cmp r2, #32 ; 0x20
**0x012014f8 <memcpy+100>:    ldmge   r1!, {r4, r5, r6, r7, r8, r9, r10, r11}****
0x012014fc <memcpy+104>:  subge   r2, r2, #32 ; 0x20
0x01201500 <memcpy+108>:  stmiage r3!, {r4, r5, r6, r7, r8, r9, r10, r11}
0x01201504 <memcpy+112>:  bge 0x12014f4 <memcpy+96>
0x01201508 <memcpy+116>:  cmp r2, #16 ; 0x10
0x0120150c <memcpy+120>:  ldmge   r1!, {r4, r5, r6, r7}
0x01201510 <memcpy+124>:  subge   r2, r2, #16 ; 0x10
0x01201514 <memcpy+128>:  stmiage r3!, {r4, r5, r6, r7}
0x01201518 <memcpy+132>:  tst r2, #8  ; 0x8
0x0120151c <memcpy+136>:  beq 0x1201534 <memcpy+160>
0x01201520 <memcpy+140>:  ldr r4, [r1], #4
0x01201524 <memcpy+144>:  ldr r5, [r1], #4
0x01201528 <memcpy+148>:  sub r2, r2, #8  ; 0x8
0x0120152c <memcpy+152>:  str r4, [r3], #4
0x01201530 <memcpy+156>:  str r5, [r3], #4
0x01201534 <memcpy+160>:  tst r2, #4  ; 0x4
0x01201538 <memcpy+164>:  ldrne   r4, [r1], #4
0x0120153c <memcpy+168>:  subne   r2, r2, #4  ; 0x4
0x01201540 <memcpy+172>:  strne   r4, [r3], #4
0x01201544 <memcpy+176>:  cmp r2, #0  ; 0x0
0x01201548 <memcpy+180>:  beq 0x1201568 <memcpy+212>
0x0120154c <memcpy+184>:  cmp r2, #2  ; 0x2
0x01201550 <memcpy+188>:  ldrb    r4, [r1], #1
0x01201554 <memcpy+192>:  ldrbge  r5, [r1], #1
0x01201558 <memcpy+196>:  ldrbgt  r6, [r1], #1
0x0120155c <memcpy+200>:  strb    r4, [r3], #1
0x01201560 <memcpy+204>:  strbge  r5, [r3], #1
0x01201564 <memcpy+208>:  strbgt  r6, [r3], #1
0x01201568 <memcpy+212>:  pop {r4, r5, r6, r7, r8, r9, r10, r11, pc}
0x0120156c <mc_unaligned+0>:  bic r1, r1, #3  ; 0x3
0x01201570 <mc_unaligned+4>:  teq r12, #1 ; 0x1
0x01201574 <mc_unaligned+8>:  beq 0x12015e8 <mc_1>
0x01201578 <mc_unaligned+12>: teq r12, #2 ; 0x2
0x0120157c <mc_unaligned+16>: beq 0x1201650 <mc_2>
0x01201580 <mc_3+0>:  ldr r8, [r1], #4
0x01201584 <mc_3+4>:  cmp r2, #16 ; 0x10
0x01201588 <mc_3+8>:  blt 0x12015d8 <mc_3+88>
0x0120158c <mc_3+12>: lsr r4, r8, #24
0x01201590 <mc_3+16>: ldm r1!, {r5, r6, r7, r8}
0x01201594 <mc_3+20>: orr r4, r4, r5, lsl #8
0x01201598 <mc_3+24>: lsr r5, r5, #24
0x0120159c <mc_3+28>: orr r5, r5, r6, lsl #8
0x012015a0 <mc_3+32>: lsr r6, r6, #24
0x012015a4 <mc_3+36>: orr r6, r6, r7, lsl #8
0x012015a8 <mc_3+40>: lsr r7, r7, #24
0x012015ac <mc_3+44>: orr r7, r7, r8, lsl #8
0x012015b0 <mc_3+48>: stmia   r3!, {r4, r5, r6, r7}
0x012015b4 <mc_3+52>: sub r2, r2, #16 ; 0x10
0x012015b8 <mc_3+56>: cmp r2, #32 ; 0x20
0x012015bc <mc_3+60>: bge 0x120158c <mc_3+12>
0x012015c0 <mc_3+64>: b   0x12015d8 <mc_3+88>
0x012015c4 <mc_3+68>: lsr r4, r8, #24
0x012015c8 <mc_3+72>: ldr r8, [r1], #4
0x012015cc <mc_3+76>: orr r4, r4, r8, lsl #8
0x012015d0 <mc_3+80>: str r4, [r3], #4
0x012015d4 <mc_3+84>: sub r2, r2, #4  ; 0x4
0x012015d8 <mc_3+88>: cmp r2, #4  ; 0x4
0x012015dc <mc_3+92>: bge 0x12015c4 <mc_3+68>
0x012015e0 <mc_3+96>: sub r1, r1, #1  ; 0x1
0x012015e4 <mc_3+100>:    b   0x1201544 <memcpy+176>
0x012015e8 <mc_1+0>:  ldr r8, [r1], #4
0x012015ec <mc_1+4>:  cmp r2, #16 ; 0x10
0x012015f0 <mc_1+8>:  blt 0x1201640 <mc_1+88>
0x012015f4 <mc_1+12>: lsr r4, r8, #8
0x012015f8 <mc_1+16>: ldm r1!, {r5, r6, r7, r8}
0x012015fc <mc_1+20>: orr r4, r4, r5, lsl #24
0x01201600 <mc_1+24>: lsr r5, r5, #8
0x01201604 <mc_1+28>: orr r5, r5, r6, lsl #24
0x01201608 <mc_1+32>: lsr r6, r6, #8
0x0120160c <mc_1+36>: orr r6, r6, r7, lsl #24
0x01201610 <mc_1+40>: lsr r7, r7, #8
0x01201614 <mc_1+44>: orr r7, r7, r8, lsl #24
0x01201618 <mc_1+48>: stmia   r3!, {r4, r5, r6, r7}
0x0120161c <mc_1+52>: sub r2, r2, #16 ; 0x10
0x01201620 <mc_1+56>: cmp r2, #32 ; 0x20
0x01201624 <mc_1+60>: bge 0x12015f4 <mc_1+12>
0x01201628 <mc_1+64>: b   0x1201640 <mc_1+88>
0x0120162c <mc_1+68>: lsr r4, r8, #8
0x01201630 <mc_1+72>: ldr r8, [r1], #4
0x01201634 <mc_1+76>: orr r4, r4, r8, lsl #24
0x01201638 <mc_1+80>: str r4, [r3], #4
0x0120163c <mc_1+84>: sub r2, r2, #4  ; 0x4
0x01201640 <mc_1+88>: cmp r2, #4  ; 0x4
0x01201644 <mc_1+92>: bge 0x120162c <mc_1+68>
0x01201648 <mc_1+96>: sub r1, r1, #3  ; 0x3
0x0120164c <mc_1+100>:    b   0x1201544 <memcpy+176>
0x01201650 <mc_2+0>:  ldr r8, [r1], #4
0x01201654 <mc_2+4>:  cmp r2, #16 ; 0x10
0x01201658 <mc_2+8>:  blt 0x12016a8 <mc_2+88>
0x0120165c <mc_2+12>: lsr r4, r8, #16
0x01201660 <mc_2+16>: ldm r1!, {r5, r6, r7, r8}
0x01201664 <mc_2+20>: orr r4, r4, r5, lsl #16
0x01201668 <mc_2+24>: lsr r5, r5, #16
0x0120166c <mc_2+28>: orr r5, r5, r6, lsl #16
0x01201670 <mc_2+32>: lsr r6, r6, #16
0x01201674 <mc_2+36>: orr r6, r6, r7, lsl #16
0x01201678 <mc_2+40>: lsr r7, r7, #16
0x0120167c <mc_2+44>: orr r7, r7, r8, lsl #16
0x01201680 <mc_2+48>: stmia   r3!, {r4, r5, r6, r7}
0x01201684 <mc_2+52>: sub r2, r2, #16 ; 0x10
0x01201688 <mc_2+56>: cmp r2, #32 ; 0x20
0x0120168c <mc_2+60>: bge 0x120165c <mc_2+12>
0x01201690 <mc_2+64>: b   0x12016a8 <mc_2+88>
0x01201694 <mc_2+68>: lsr r4, r8, #16
0x01201698 <mc_2+72>: ldr r8, [r1], #4
0x0120169c <mc_2+76>: orr r4, r4, r8, lsl #16
0x012016a0 <mc_2+80>: str r4, [r3], #4
0x012016a4 <mc_2+84>: sub r2, r2, #4  ; 0x4
0x012016a8 <mc_2+88>: cmp r2, #4  ; 0x4
0x012016ac <mc_2+92>: bge 0x1201694 <mc_2+68>
0x012016b0 <mc_2+96>: sub r1, r1, #2  ; 0x2
0x012016b4 <mc_2+100>:    b   0x1201544 <memcpy+176>
0x012016b8 <mc_bytes+0>:  teq r2, #0  ; 0x0
0x012016bc <mc_bytes+4>:  ldrbne  r12, [r1], #1
0x012016c0 <mc_bytes+8>:  strbne  r12, [r3], #1
0x012016c4 <mc_bytes+12>: subsne  r2, r2, #1  ; 0x1
0x012016c8 <mc_bytes+16>: bne 0x12016bc <mc_bytes+4>
0x012016cc <mc_bytes+20>: pop {r4, r5, r6, r7, r8, r9, r10, r11, pc}

End of assembler dump.

Crash Point:

backtrace *

#0  0x012014f8 in memcpy () from libc.so.3
#1  0x78276c04 in wlan_11n_aggregate_pkt (priv=0x0, pra_list=0x3f5898, 
    headroom=<value optimized out>, ptrindex=0)
    at \mlan\mlan_11n_aggr.c:98
#2  0x002ff4e8 in ?? ()

Please let me know if you need further information.