
Double free with aa on Oreo #1699

Closed
jvoisin opened this issue Nov 18, 2014 · 2 comments

Comments


jvoisin commented Nov 18, 2014

This is what I've got on this binary:

jvoisin@kaa 17:51 ~/download/OREO gdb r2
Reading symbols from r2...done.
gdb-peda$ r ./oreo_35f118d90a7790bbd1eb6d4549993ef0
Starting program: /usr/local/bin/r2 ./oreo_35f118d90a7790bbd1eb6d4549993ef0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 -- How about a nice game of chess?
[0x08048500]> aa
*** Error in `/usr/local/bin/r2': double free or corruption (out): 0x0000000000781810 ***

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5a (b'Z')
RCX: 0xffffffffffffffff 
RDX: 0x6 (b'\x06')
RSI: 0x5350 (b'PS')
RDI: 0x5350 (b'PS')
RBP: 0x7fffffff9cb0 --> 0x7ffff40f7b70 ("double free or corruption (out)")
RSP: 0x7fffffff9918 --> 0x7ffff3fae418 (<__GI_abort+328>:   mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff3facd27 (<__GI_raise+55>:   cmp    rax,0xfffffffffffff000)
R8 : 0x3031383138373030 (b'00781810')
R9 : 0x0 
R10: 0x8 (b'\x08')
R11: 0x206 (b'\x06\x02')
R12: 0x7fffffff9ac0 --> 0xffffffffffffffff 
R13: 0x7 (b'\x07')
R14: 0x5a (b'Z')
R15: 0x7 (b'\x07')
[-------------------------------------code-------------------------------------]
   0x7ffff3facd1d <__GI_raise+45>:  movsxd rdi,ecx
   0x7ffff3facd20 <__GI_raise+48>:  mov    eax,0xea
   0x7ffff3facd25 <__GI_raise+53>:  syscall 
=> 0x7ffff3facd27 <__GI_raise+55>:  cmp    rax,0xfffffffffffff000
   0x7ffff3facd2d <__GI_raise+61>:  ja     0x7ffff3facd4d <__GI_raise+93>
   0x7ffff3facd2f <__GI_raise+63>:  repz ret 
   0x7ffff3facd31 <__GI_raise+65>:  nop    DWORD PTR [rax+0x0]
   0x7ffff3facd38 <__GI_raise+72>:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9918 --> 0x7ffff3fae418 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffff9920 (" ")
0016| 0x7fffffff9928 ("")
0024| 0x7fffffff9930 ("")
0032| 0x7fffffff9938 ("")
0040| 0x7fffffff9940 ("")
0048| 0x7fffffff9948 ("")
0056| 0x7fffffff9950 ("")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff3fae418 in __GI_abort () at abort.c:89
#2  0x00007ffff3fee9f4 in __libc_message (do_abort=do_abort@entry=0x1, 
    fmt=fmt@entry=0x7ffff40f7a40 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff3ff6006 in malloc_printerr (ptr=<optimized out>, str=0x7ffff40f7b70 "double free or corruption (out)", action=0x1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5  0x00007ffff67dd551 in cs_close (handle=0x7fffffff9dc0) at cs.c:241
#6  0x00007ffff67b4a05 in analop (a=0x680ef0, op=0x7fffffff9ef0, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000) at /home/jvoisin/dev/r2/radare2/libr/..//libr/anal/p/anal_x86_cs.c:329
#7  0x00007ffff67c41a6 in r_anal_op (anal=0x680ef0, op=0x7fffffff9ef0, addr=0x8048896, data=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000) at op.c:46
#8  0x00007ffff67c6228 in fcn_recurse (anal=0x680ef0, fcn=0x77bc70, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000, depth=0x10) at fcn.c:254
#9  0x00007ffff67c6fa3 in r_anal_fcn (anal=0x680ef0, fcn=0x77bc70, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000, reftype=0x0) at fcn.c:498
#10 0x00007ffff7b88278 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048896, from=0x80487b4, reftype=0x0, depth=0x5) at anal.c:779
#11 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048810, from=0x80487b4, reftype=0x0, depth=0x6) at anal.c:908
#12 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80487b4, from=0x80487b4, reftype=0x0, depth=0x7) at anal.c:908
#13 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804879b, from=0x804875c, reftype=0x63, depth=0x8) at anal.c:954
#14 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048729, from=0x8048644, reftype=0x0, depth=0x9) at anal.c:892
#15 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048644, from=0x8048644, reftype=0x0, depth=0xa) at anal.c:908
#16 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x80485ec, from=0x8048598, reftype=0x0, depth=0xb) at anal.c:954
#17 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80485be, from=0x8048598, reftype=0x0, depth=0xc) at anal.c:908
#18 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048598, from=0x8048598, reftype=0x0, depth=0xd) at anal.c:908
#19 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804855b, from=0x804855b, reftype=0x0, depth=0xe) at anal.c:954
#20 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x8048522, from=0xffffffffffffffff, reftype=0x0, depth=0xf)
    at anal.c:954
#21 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048500, from=0xffffffffffffffff, reftype=0x0, depth=0x10)
    at anal.c:908
#22 0x00007ffff7b8b08b in r_core_anal_all (core=0x607600 <r>) at anal.c:1523
#23 0x00007ffff7b4478a in cmd_anal (data=0x607600 <r>, input=0x74d161 "a") at cmd_anal.c:1870
#24 0x00007ffff7b83f50 in r_cmd_call (cmd=0x6a9ea0, input=0x74d160 "aa") at cmd_api.c:179
#25 0x00007ffff7b624f5 in r_core_cmd_subst_i (core=0x607600 <r>, cmd=0x74d160 "aa") at cmd.c:1366
#26 0x00007ffff7b60954 in r_core_cmd_subst (core=0x607600 <r>, cmd=0x74d160 "aa") at cmd.c:919
#27 0x00007ffff7b631d7 in r_core_cmd (core=0x607600 <r>, cstr=0x74f7e0 "aa", log=0x1) at cmd.c:1572
#28 0x00007ffff7b29257 in r_core_prompt_exec (r=0x607600 <r>) at core.c:941
#29 0x0000000000405282 in main (argc=0x2, argv=0x7fffffffe3c8, envp=0x7fffffffe3e0) at radare2.c:737
#30 0x00007ffff3f97ec5 in __libc_start_main (main=0x403148 <main>, argc=0x2, argv=0x7fffffffe3c8, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3b8) at libc-start.c:287
#31 0x0000000000402a79 in _start ()
gdb-peda$ 

radare commented Nov 18, 2014

I guess it's a bug in the capstone plugin. Can you verify with x86.udis? Also, a valgrind log may help to identify the issue better.

Can you try to construct a smaller test case? Should be easy to fix anyway, like using RFREE instead of free for example. I will look at it when I'm at home.



jvoisin commented Nov 18, 2014

[0x08048500]> e asm.arch = x86.udis
[0x08048500]> aa
*** Error in `/usr/local/bin/r2': double free or corruption (out): 0x000000000078f180 ***

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5a (b'Z')
RCX: 0xffffffffffffffff 
RDX: 0x6 (b'\x06')
RSI: 0x6272 (b'rb')
RDI: 0x6272 (b'rb')
RBP: 0x7fffffff5720 --> 0x7ffff40f7b70 ("double free or corruption (out)")
RSP: 0x7fffffff5388 --> 0x7ffff3fae418 (<__GI_abort+328>:   mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff3facd27 (<__GI_raise+55>:   cmp    rax,0xfffffffffffff000)
R8 : 0x3038316638373030 (b'0078f180')
R9 : 0x0 
R10: 0x8 (b'\x08')
R11: 0x206 (b'\x06\x02')
R12: 0x7fffffff5530 --> 0x7fffffff5600 --> 0x7ffff40f7a50 ("': %s: 0x%s ***\n")
R13: 0x7 (b'\x07')
R14: 0x5a (b'Z')
R15: 0x7 (b'\x07')
[-------------------------------------code-------------------------------------]
   0x7ffff3facd1d <__GI_raise+45>:  movsxd rdi,ecx
   0x7ffff3facd20 <__GI_raise+48>:  mov    eax,0xea
   0x7ffff3facd25 <__GI_raise+53>:  syscall 
=> 0x7ffff3facd27 <__GI_raise+55>:  cmp    rax,0xfffffffffffff000
   0x7ffff3facd2d <__GI_raise+61>:  ja     0x7ffff3facd4d <__GI_raise+93>
   0x7ffff3facd2f <__GI_raise+63>:  repz ret 
   0x7ffff3facd31 <__GI_raise+65>:  nop    DWORD PTR [rax+0x0]
   0x7ffff3facd38 <__GI_raise+72>:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff5388 --> 0x7ffff3fae418 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffff5390 (" ")
0016| 0x7fffffff5398 ("")
0024| 0x7fffffff53a0 ("")
0032| 0x7fffffff53a8 ("")
0040| 0x7fffffff53b0 ("")
0048| 0x7fffffff53b8 ("")
0056| 0x7fffffff53c0 ("")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff3fae418 in __GI_abort () at abort.c:89
#2  0x00007ffff3fee9f4 in __libc_message (do_abort=do_abort@entry=0x1, 
    fmt=fmt@entry=0x7ffff40f7a40 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff3ff6006 in malloc_printerr (ptr=<optimized out>, str=0x7ffff40f7b70 "double free or corruption (out)", action=0x1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5  0x00007ffff4fdfcb8 in sdb_set_internal () from /usr/local/lib/libr_db.so.0.9.9-git
#6  0x00007ffff4fdfe7c in sdb_set_owned () from /usr/local/lib/libr_db.so.0.9.9-git
#7  0x00007ffff4fd2a06 in sdb_array_insert () from /usr/local/lib/libr_db.so.0.9.9-git
#8  0x00007ffff4fd2cc9 in sdb_array_set () from /usr/local/lib/libr_db.so.0.9.9-git
#9  0x00007ffff4fd2bd2 in sdb_array_add () from /usr/local/lib/libr_db.so.0.9.9-git
#10 0x00007ffff4fd2b5f in sdb_array_add_num () from /usr/local/lib/libr_db.so.0.9.9-git
#11 0x00007ffff67c5cbc in r_anal_fcn_xref_add (a=0x680ef0, fcn=0x73dd20, at=0x80488fd, addr=0x8048904, type=0x63) at fcn.c:118
#12 0x00007ffff67c6ab3 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488f0, buf=0x7fffffff7db0 "\213EЋU\364e3\025\024", 
    len=0x1fa0, depth=0xe) at fcn.c:423
#13 0x00007ffff67c6bb4 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488a9, 
    buf=0x7fffffff9f20 "\220\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1fa0, depth=0xf)
    at fcn.c:429
#14 0x00007ffff67c6b47 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488aa, 
    buf=0x789e30 "\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1000, depth=0x10) at fcn.c:428
#15 0x00007ffff67c6fa3 in r_anal_fcn (anal=0x680ef0, fcn=0x73dd20, addr=0x80488aa, 
    buf=0x789e30 "\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1000, reftype=0x63)
    at fcn.c:498
#16 0x00007ffff7b88278 in r_core_anal_fcn (core=0x607600 <r>, at=0x80488aa, from=0x80488a7, reftype=0x63, depth=0x4) at anal.c:779
#17 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048896, from=0x80487b4, reftype=0x0, depth=0x5) at anal.c:892
#18 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048810, from=0x80487b4, reftype=0x0, depth=0x6) at anal.c:908
#19 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80487b4, from=0x80487b4, reftype=0x0, depth=0x7) at anal.c:908
#20 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804879b, from=0x804875c, reftype=0x63, depth=0x8) at anal.c:954
#21 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048729, from=0x8048644, reftype=0x0, depth=0x9) at anal.c:892
#22 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048644, from=0x8048644, reftype=0x0, depth=0xa) at anal.c:908
#23 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x80485ec, from=0x8048598, reftype=0x0, depth=0xb) at anal.c:954
#24 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80485be, from=0x8048598, reftype=0x0, depth=0xc) at anal.c:908
#25 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048598, from=0x8048598, reftype=0x0, depth=0xd) at anal.c:908
#26 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804855b, from=0x804855b, reftype=0x0, depth=0xe) at anal.c:954
#27 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x8048522, from=0xffffffffffffffff, reftype=0x0, depth=0xf)
    at anal.c:954
#28 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048500, from=0xffffffffffffffff, reftype=0x0, depth=0x10)
    at anal.c:908
#29 0x00007ffff7b8b08b in r_core_anal_all (core=0x607600 <r>) at anal.c:1523
#30 0x00007ffff7b4478a in cmd_anal (data=0x607600 <r>, input=0x6c2461 "a") at cmd_anal.c:1870
#31 0x00007ffff7b83f50 in r_cmd_call (cmd=0x6a9ea0, input=0x6c2460 "aa") at cmd_api.c:179
#32 0x00007ffff7b624f5 in r_core_cmd_subst_i (core=0x607600 <r>, cmd=0x6c2460 "aa") at cmd.c:1366
#33 0x00007ffff7b60954 in r_core_cmd_subst (core=0x607600 <r>, cmd=0x6c2460 "aa") at cmd.c:919
#34 0x00007ffff7b631d7 in r_core_cmd (core=0x607600 <r>, cstr=0x74f7e0 "aa", log=0x1) at cmd.c:1572
#35 0x00007ffff7b29257 in r_core_prompt_exec (r=0x607600 <r>) at core.c:941
#36 0x0000000000405282 in main (argc=0x2, argv=0x7fffffffe3c8, envp=0x7fffffffe3e0) at radare2.c:737
#37 0x00007ffff3f97ec5 in __libc_start_main (main=0x403148 <main>, argc=0x2, argv=0x7fffffffe3c8, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3b8) at libc-start.c:287
#38 0x0000000000402a79 in _start ()
gdb-peda$ 

fu

@radare radare closed this as completed in 1f685fc Nov 18, 2014
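Added illustration, not code from radare2, capstone, or the fixing commit: the maintainer's RFREE suggestion amounts to freeing through the address of the pointer and nulling it, so that a second close on the same variable becomes a no-op instead of a second free. The snippet below models the shape seen in the first trace (a disassembler handle owned by an analysis plugin and closed on an error path) with a hypothetical handle type; Disasm, disasm_open, disasm_close, disasm_close_by_value, SAFE_FREE, this analop and the "0xff byte is undecodable" rule are all constructed for the example. One caveat when reading the two traces: glibc's "double free or corruption (out)" check in _int_free fires when the chunk's size field places its neighbour outside the arena, so it reports either a genuine second free or earlier corruption of chunk metadata, and the valgrind run suggested above is what distinguishes the two.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical disassembler handle; a stand-in for a real library handle, not capstone code. */
typedef struct {
    int arch;
    unsigned char *scratch;
} Disasm;

/* Bookkeeping the demo and tests inspect instead of relying on glibc's abort. */
static int g_opens = 0;
static int g_closes = 0;

static void reset_counters(void) { g_opens = 0; g_closes = 0; }

static Disasm *disasm_open(int arch) {
    Disasm *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->scratch = malloc(64);
    if (!d->scratch) { free(d); return NULL; }
    d->arch = arch;
    g_opens++;
    return d;
}

/* Vulnerable shape: the caller's variable still points at freed memory afterwards,
   so closing through that same variable a second time is a double free. */
static void disasm_close_by_value(Disasm *d) {
    if (!d) return;
    free(d->scratch);
    free(d);
    g_closes++;
}

/* Hardened shape: free through the address of the pointer and null it, the idea
   behind radare2's R_FREE macro. A repeated close becomes a harmless no-op. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

static void disasm_close(Disasm **dp) {
    if (!dp || !*dp) return;
    SAFE_FREE((*dp)->scratch);
    SAFE_FREE(*dp);
    g_closes++;
}

/* Models the plugin pattern in the trace: one cached handle, reopened when the
   architecture changes, released when an op cannot be decoded. */
static Disasm *g_cached = NULL;

static int analop(int arch, const unsigned char *buf, size_t len) {
    if (g_cached && g_cached->arch != arch) {
        disasm_close(&g_cached);          /* g_cached is NULL afterwards */
    }
    if (!g_cached) {
        g_cached = disasm_open(arch);
        if (!g_cached) return -1;
    }
    /* Constructed rule for "undecodable" input: empty buffer or a leading 0xff byte. */
    if (len == 0 || buf[0] == 0xff) {
        disasm_close(&g_cached);          /* error path; safe to hit repeatedly */
        return -1;
    }
    return 1;                             /* one op decoded in this toy model */
}

int main(void) {
    const unsigned char good[] = { 0x55 };   /* constructed: push ebp */
    const unsigned char bad[]  = { 0xff };   /* constructed: treated as undecodable */

    /* By-value close leaves a dangling pointer; a second close here would abort. */
    Disasm *tmp = disasm_open(1);
    disasm_close_by_value(tmp);
    tmp = NULL;                              /* the caller has to remember this step */

    analop(1, good, 1);
    analop(1, bad, 1);                       /* closes the cached handle */
    analop(1, bad, 1);                       /* reopens, then closes again: no double free */
    disasm_close(&g_cached);                 /* extra close is a no-op */
    printf("opens=%d closes=%d leaked=%s\n", g_opens, g_closes, g_cached ? "yes" : "no");
    return g_opens == g_closes ? 0 : 1;
}
```

The by-address version is what makes the error path safe to reach more than once: every release goes through one function that leaves the owning variable null, so the only way to free twice is to hold two copies of the pointer, which is the next thing to look for in a trace like the one above.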