drx: malloc(): memory corruption: 0x0000000001556850 ***

[Susanne588586]

$ r2  -b32 -w ./ls
[0x00000000]>  drx 0x00 0x10000  rwx
Usage: drx N [address] [length] [rwx]
*** Error in `r2': free(): invalid next size (fast): 0x0000000001556830 ***
*** Error in `r2': malloc(): memory corruption: 0x0000000001556850 ***

Kind Regards
Susann E.

will submit valgrind later

[Susanne588586]

(gdb) r -w ./ls
Starting program: /usr/local/bin/r2 -w ./ls
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Breakpoint 1, main (argc=3, argv=0x7fffffffeb68, envp=0x7fffffffeb88) at radare2.c:160
160             RThreadLock *lock = NULL;
(gdb)   drx 0x00 0x10000  rwx
Undefined command: "drx".  Try "help".
(gdb) c
Continuing.
 -- Heisenbug: A bug that disappears or alters its behavior when one attempts to probe or isolate it.
[0x0040488f]>   drx 0x00 0x10000  rwx
Usage: drx N [address] [length] [rwx]
*** Error in `/usr/local/bin/r2': free(): invalid next size (fast): 0x0000000000668010 ***
*** Error in `/usr/local/bin/r2': malloc(): memory corruption: 0x0000000000668030 ***

^C
Program received signal SIGINT, Interrupt.
0x00007ffff3b3c3f8 in pthread_once () from /usr/lib/libpthread.so.0
(gdb) bt
#0  0x00007ffff3b3c3f8 in pthread_once () from /usr/lib/libpthread.so.0
#1  0x00007ffff414125c in backtrace () from /usr/lib/libc.so.6
#2  0x00007ffff406ed52 in backtrace_and_maps () from /usr/lib/libc.so.6
#3  0x00007ffff40c1d7f in __libc_message () from /usr/lib/libc.so.6
#4  0x00007ffff40c754e in malloc_printerr () from /usr/lib/libc.so.6
#5  0x00007ffff40c9039 in _int_malloc () from /usr/lib/libc.so.6
#6  0x00007ffff40cab80 in malloc () from /usr/lib/libc.so.6
#7  0x00007ffff7de20ba in local_strdup () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7de52e7 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
#9  0x00007ffff7def905 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff7deb764 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#11 0x00007ffff7def31b in _dl_open () from /lib64/ld-linux-x86-64.so.2
#12 0x00007ffff4169632 in do_dlopen () from /usr/lib/libc.so.6
#13 0x00007ffff7deb764 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#14 0x00007ffff41696cf in dlerror_run () from /usr/lib/libc.so.6
#15 0x00007ffff4169741 in __libc_dlopen_mode () from /usr/lib/libc.so.6
#16 0x00007ffff4141145 in init () from /usr/lib/libc.so.6
#17 0x00007ffff3b3c400 in pthread_once () from /usr/lib/libpthread.so.0
#18 0x00007ffff414125c in backtrace () from /usr/lib/libc.so.6
#19 0x00007ffff406ed52 in backtrace_and_maps () from /usr/lib/libc.so.6
#20 0x00007ffff40c1d7f in __libc_message () from /usr/lib/libc.so.6
#21 0x00007ffff40c754e in malloc_printerr () from /usr/lib/libc.so.6
#22 0x00007ffff40c8227 in _int_free () from /usr/lib/libc.so.6
#23 0x00007ffff7b73d12 in cmd_debug_reg (core=0x6068e0 <r>, str=0x6c2644 "x 0x00 0x10000  rwx") at cmd_debug.c:515
#24 0x00007ffff7b763f7 in cmd_debug (data=0x6068e0 <r>, input=0x6c2643 "rx 0x00 0x10000  rwx") at cmd_debug.c:1233
#25 0x00007ffff615cef9 in r_cmd_call (cmd=0x6928a0, input=0x6c2642 "drx 0x00 0x10000  rwx") at cmd.c:172
#26 0x00007ffff7b94845 in r_core_cmd_subst_i (core=0x6068e0 <r>, cmd=0x6c2642 "drx 0x00 0x10000  rwx") at cmd.c:1341
#27 0x00007ffff7b93065 in r_core_cmd_subst (core=0x6068e0 <r>, cmd=0x6c2642 "drx 0x00 0x10000  rwx") at cmd.c:909
#28 0x00007ffff7b95246 in r_core_cmd (core=0x6068e0 <r>, cstr=0x84a070 "  drx 0x00 0x10000  rwx", log=1) at cmd.c:1524
#29 0x00007ffff7b6fb9d in r_core_prompt_exec (r=0x6068e0 <r>) at core.c:710
#30 0x0000000000404695 in main (argc=3, argv=0x7fffffffeb68, envp=0x7fffffffeb88) at radare2.c:593
(gdb) x/i $pc
=> 0x7ffff3b3c3f8 <pthread_once+72>:    jmp    0x7ffff3b3c3bf <pthread_once+15>
(gdb) info threads
  Id   Target Id         Frame 
* 1    Thread 0x7ffff7fca700 (LWP 2828) "r2" 0x00007ffff3b3c3f8 in pthread_once () from /usr/lib/libpthread.so.0
gdb) thread 1
[Switching to thread 1 (Thread 0x7ffff7fca700 (LWP 2828))]
#0  0x00007ffff3b3c3f8 in pthread_once () from /usr/lib/libpthread.so.0
(gdb) disas 0x00007ffff3b3c3f8
Dump of assembler code for function pthread_once:
   0x00007ffff3b3c3b0 <+0>:     testl  $0x2,(%rdi)
   0x00007ffff3b3c3b6 <+6>:     je     0x7ffff3b3c3bb <pthread_once+11>
   0x00007ffff3b3c3b8 <+8>:     xor    %eax,%eax
   0x00007ffff3b3c3ba <+10>:    retq   
   0x00007ffff3b3c3bb <+11>:    push   %rsi
   0x00007ffff3b3c3bc <+12>:    xor    %r10,%r10
   0x00007ffff3b3c3bf <+15>:    mov    (%rdi),%eax
   0x00007ffff3b3c3c1 <+17>:    mov    %eax,%edx
   0x00007ffff3b3c3c3 <+19>:    test   $0x2,%eax
   0x00007ffff3b3c3c8 <+24>:    jne    0x7ffff3b3c419 <pthread_once+105>
   0x00007ffff3b3c3ca <+26>:    and    $0x3,%edx
   0x00007ffff3b3c3cd <+29>:    or     0x20f025(%rip),%edx        # 0x7ffff3d4b3f8 <__fork_generation>
   0x00007ffff3b3c3d3 <+35>:    or     $0x1,%edx
   0x00007ffff3b3c3d6 <+38>:    lock cmpxchg %edx,(%rdi)
   0x00007ffff3b3c3da <+42>:    jne    0x7ffff3b3c3c1 <pthread_once+17>
   0x00007ffff3b3c3dc <+44>:    test   $0x1,%eax
   0x00007ffff3b3c3e1 <+49>:    je     0x7ffff3b3c3fa <pthread_once+74>
   0x00007ffff3b3c3e3 <+51>:    xor    %edx,%eax
   0x00007ffff3b3c3e5 <+53>:    test   $0xfffffffc,%eax
   0x00007ffff3b3c3ea <+58>:    jne    0x7ffff3b3c3fa <pthread_once+74>
   0x00007ffff3b3c3ec <+60>:    mov    $0x80,%esi
   0x00007ffff3b3c3f1 <+65>:    mov    $0xca,%eax
   0x00007ffff3b3c3f6 <+70>:    syscall 
=> 0x00007ffff3b3c3f8 <+72>:    jmp    0x7ffff3b3c3bf <pthread_once+15>
   0x00007ffff3b3c3fa <+74>:    push   %rdi
   0x00007ffff3b3c3fb <+75>:    push   %rdi
   0x00007ffff3b3c3fc <+76>:    callq  *0x10(%rsp)
   0x00007ffff3b3c400 <+80>:    pop    %rdi
   0x00007ffff3b3c401 <+81>:    lock incl (%rdi)
   0x00007ffff3b3c404 <+84>:    add    $0x8,%rsp
   0x00007ffff3b3c408 <+88>:    mov    $0x7fffffff,%edx
   0x00007ffff3b3c40d <+93>:    mov    $0x81,%esi
   0x00007ffff3b3c412 <+98>:    mov    $0xca,%eax
   0x00007ffff3b3c417 <+103>:   syscall 
   0x00007ffff3b3c419 <+105>:   add    $0x8,%rsp
   0x00007ffff3b3c41d <+109>:   xor    %eax,%eax
   0x00007ffff3b3c41f <+111>:   retq   
End of assembler dump.

[radare]

Fixed

[Susanne588586]

this is by no means fixed:

[0x0040488f]>   drx 0x00 0x10000  rwx
Usage: drx N [address] [length] [rwx]
*** Error in `r2': free(): invalid next size (fast): 0x0000000002aed810 ***
*** Error in `r2': malloc(): memory corruption: 0x0000000002aed830 ***

r2 -v
radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-457-gc56bb2c
commit: c56bb2cd29ac9644a0db91492395db1e53f0327f build: 2014-02-03

[radare]

Should be fixed now

[Susanne588586]

same thing, also behaviour is different between immediate drx and af,pdf,drx:

$  r2 -v
radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-457-gc56bb2c
commit: c56bb2cd29ac9644a0db91492395db1e53f0327f build: 2014-02-03
[0x0040488f]>   drx 0x00 0x10000  rwx
Usage: drx N [address] [length] [rwx]
*** Error in `r2': free(): invalid next size (fast): 0x0000000001e92820 ***
*** Error in `r2': malloc(): memory corruption: 0x0000000001e92840 ***
^C^C^C^C^C^C

[Susanne588586]

ok, cannot reproduce after reboot.

[radare]

The problem i found in drx was related to the r_str_set0word or so, that was failing when two consecutive whitespaces are found

On 03 Feb 2014, at 12:52, Susanne588586 [email protected] wrote:

same thing, also behaviour is different between immidiate drx and af,pdf,drx:

$ r2 -v
radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-457-gc56bb2c
commit: c56bb2c build: 2014-02-03
[0x0040488f]> drx 0x00 0x10000 rwx
Usage: drx N [address] [length] [rwx]
*** Error in r2': free(): invalid next size (fast): 0x0000000001e92820 ***
*** Error inr2': malloc(): memory corruption: 0x0000000001e92840 ***
^C^C^C^C^C^C

—
Reply to this email directly or view it on GitHub.

[Susanne588586]

it is still fragil, eg see modified args:

[0x0040488f]>  drx 0x00000000 -1  rwx
Usage: drx N [address] [length] [rwx]
*** Error in `r2': free(): invalid next size (fast): 0x000000000233d010 ***
*** Error in `r2': malloc(): memory corruption: 0x000000000233d030 ***

[radare]

cant reproduce. can you show more evidences like a gdb bakctrace or a valgrind log?
On 03 Feb 2014, at 20:05, Susanne588586 [email protected] wrote:

it is still fragil, eg see modified args:

``[0x0040488f]> drx 0x00000000 -1 rwx
Usage: drx N [address] [length] [rwx]
*** Error inr2': free(): invalid next size (fast): 0x000000000233d010 ***
*** Error in`r2': malloc(): memory corruption: 0x000000000233d030 ***

—
Reply to this email directly or view it on GitHub.

[Susanne588586]

nope, because its fixed
see "ok, cannot reproduce after reboot." Seem my trash got stacked" :)