/R segfaults

[jvoisin]

gdb$ r 0x1d01ebcc
Starting program: /usr/bin/r2 0x1d01ebcc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: read (init_offset)
Warning: read (main)
Warning: read (get_fini)
 -- RADARE CUMS WITH ABSOLUTELY NO WARRANTY
[0x0040166a]> /R

Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
  RAX: 0x00007FFFEC563010  RBX: 0x0000000000693550  RBP: 0x00007FFFFFFFC210  RSP: 0x00007FFFFFFFC1A8  o d I t S z a p C 
  RDI: 0x00007FFFEC563F90  RSI: 0x00000000000000FF  RDX: 0xFFFFFFFFFFFFFFFF  RCX: 0x0000000000000000  RIP: 0x00007FFFF464D0BD
  R8 : 0x0000000000000000  R9 : 0x0000000000100000  R10: 0x0000000000000000  R11: 0x00007FFFF464CB9A  R12: 0x0000000000402790
  R13: 0x00007FFFFFFFE280  R14: 0x0000000000000000  R15: 0x0000000000000000
  CS: 0033  DS: 0000  ES: 0000  FS: 0000  GS: 0000  SS: 002B                
[0x002B:0x00007FFFFFFFC1A8]-------------------------------------------------------------------------------------------[stack]
0x00007FFFFFFFC1F8 : 50 E2 89 00 00 00 00 00 - 50 C2 FF FF FF 7F 00 00 P.......P.......
0x00007FFFFFFFC1E8 : 10 05 69 00 00 00 00 00 - D0 E2 89 00 00 00 00 00 ..i.............
0x00007FFFFFFFC1D8 : 00 00 00 00 00 10 00 00 - 10 10 00 00 00 00 00 00 ................
0x00007FFFFFFFC1C8 : 10 05 69 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ..i.............
0x00007FFFFFFFC1B8 : 10 30 56 EC FF 7F 00 00 - 10 10 00 00 00 00 00 00 .0V.............
0x00007FFFFFFFC1A8 : 9C 0B 32 F6 FF 7F 00 00 - 00 00 00 00 00 10 00 00 ..2.............
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff464d0bd <__memset_sse2+2285>: movdqa XMMWORD PTR [rdi+0x70],xmm0
   0x7ffff464d0c2 <__memset_sse2+2290>: lea    rdi,[rdi+0x80]
   0x7ffff464d0c9 <__memset_sse2+2297>: jae    0x7ffff464d090 <__memset_sse2+2240>
   0x7ffff464d0cb <__memset_sse2+2299>: add    rdi,r8
   0x7ffff464d0ce <__memset_sse2+2302>: lea    r11,[rip+0xfffffffffffffb38]        # 0x7ffff464cc0d <__memset_sse2+1085>
   0x7ffff464d0d5 <__memset_sse2+2309>: lea    rcx,[rip+0xf1164]        # 0x7ffff473e240
   0x7ffff464d0dc <__memset_sse2+2316>: movsx  rcx,WORD PTR [rcx+r8*2]
   0x7ffff464d0e1 <__memset_sse2+2321>: lea    r11,[rcx+r11*1]
-----------------------------------------------------------------------------------------------------------------------------
__memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:880
880 ../sysdeps/x86_64/multiarch/../memset.S: No such file or directory.
gdb$ bt
#0  __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:880
#1  0x00007ffff6320b9c in r_io_read_at (io=0x690510, addr=0x1010, buf=0x7fffec563010 '\377' <repeats 200 times>..., len=0x1000) at io.c:268
#2  0x00007ffff6320b2f in r_io_read (io=0x690510, buf=0x7fffec563010 '\377' <repeats 200 times>..., len=0x1000) at io.c:256
#3  0x00007ffff7b9a29d in r_core_read_at (core=0x606540 <r>, addr=0x401010, buf=0x7fffec563010 '\377' <repeats 200 times>..., size=0x1000) at io.c:317
#4  0x00007ffff7b86eba in r_core_search_rop (core=0x606540 <r>, from=0x28010, to=0x40166a, opt=0x0, grep=0x6c40d2 "") at cmd_search.c:262
#5  0x00007ffff7b875f3 in cmd_search (data=0x606540 <r>, input=0x6c40d1 "R") at cmd_search.c:382
#6  0x00007ffff6109fc9 in r_cmd_call (cmd=0x694000, input=0x6c40d0 "/R") at cmd.c:172
#7  0x00007ffff7b8d02b in r_core_cmd_subst_i (core=0x606540 <r>, cmd=0x6c40d0 "/R") at cmd.c:1353
#8  0x00007ffff7b8b55c in r_core_cmd_subst (core=0x606540 <r>, cmd=0x6c40d0 "/R") at cmd.c:921
#9  0x00007ffff7b8db5b in r_core_cmd (core=0x606540 <r>, cstr=0x8a4820 "/R", log=0x1) at cmd.c:1536
#10 0x00007ffff7b65326 in r_core_prompt_exec (r=0x606540 <r>) at core.c:712
#11 0x0000000000404956 in main (argc=0x2, argv=0x7fffffffe288, envp=0x7fffffffe2a0) at radare2.c:593

[radare]

Can you try setting 'b 0x1000' before /R?

On 17 Feb 2014, at 13:55, jvoisin [email protected] wrote:

gdb$ r 0x1d01ebcc
Starting program: /usr/bin/r2 0x1d01ebcc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Warning: read (init_offset)
Warning: read (main)
Warning: read (get_fini)
-- RADARE CUMS WITH ABSOLUTELY NO WARRANTY
[0x0040166a]> /R

Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x00007FFFEC563010 RBX: 0x0000000000693550 RBP: 0x00007FFFFFFFC210 RSP: 0x00007FFFFFFFC1A8 o d I t S z a p C
RDI: 0x00007FFFEC563F90 RSI: 0x00000000000000FF RDX: 0xFFFFFFFFFFFFFFFF RCX: 0x0000000000000000 RIP: 0x00007FFFF464D0BD
R8 : 0x0000000000000000 R9 : 0x0000000000100000 R10: 0x0000000000000000 R11: 0x00007FFFF464CB9A R12: 0x0000000000402790
R13: 0x00007FFFFFFFE280 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
[0x002B:0x00007FFFFFFFC1A8]-------------------------------------------------------------------------------------------[stack]
0x00007FFFFFFFC1F8 : 50 E2 89 00 00 00 00 00 - 50 C2 FF FF FF 7F 00 00 P.......P.......
0x00007FFFFFFFC1E8 : 10 05 69 00 00 00 00 00 - D0 E2 89 00 00 00 00 00 ..i.............
0x00007FFFFFFFC1D8 : 00 00 00 00 00 10 00 00 - 10 10 00 00 00 00 00 00 ................
0x00007FFFFFFFC1C8 : 10 05 69 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ..i.............
0x00007FFFFFFFC1B8 : 10 30 56 EC FF 7F 00 00 - 10 10 00 00 00 00 00 00 .0V.............
0x00007FFFFFFFC1A8 : 9C 0B 32 F6 FF 7F 00 00 - 00 00 00 00 00 10 00 00 ..2.............
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff464d0bd <__memset_sse2+2285>: movdqa XMMWORD PTR [rdi+0x70],xmm0
0x7ffff464d0c2 <__memset_sse2+2290>: lea rdi,[rdi+0x80]
0x7ffff464d0c9 <__memset_sse2+2297>: jae 0x7ffff464d090 <__memset_sse2+2240>
0x7ffff464d0cb <__memset_sse2+2299>: add rdi,r8
0x7ffff464d0ce <__memset_sse2+2302>: lea r11,[rip+0xfffffffffffffb38] # 0x7ffff464cc0d <__memset_sse2+1085>
0x7ffff464d0d5 <__memset_sse2+2309>: lea rcx,[rip+0xf1164] # 0x7ffff473e240
0x7ffff464d0dc <__memset_sse2+2316>: movsx rcx,WORD PTR [rcx+r8*2]

0x7ffff464d0e1 <__memset_sse2+2321>: lea r11,[rcx+r11*1]

__memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:880
880 ../sysdeps/x86_64/multiarch/../memset.S: No such file or directory.
gdb$ bt
#0 __memset_sse2 () at ../sysdeps/x86_64/multiarch/../memset.S:880
#1 0x00007ffff6320b9c in r_io_read_at (io=0x690510, addr=0x1010, buf=0x7fffec563010 '\377' <repeats 200 times>..., len=0x1000) at io.c:268
#2 0x00007ffff6320b2f in r_io_read (io=0x690510, buf=0x7fffec563010 '\377' <repeats 200 times>..., len=0x1000) at io.c:256
#3 0x00007ffff7b9a29d in r_core_read_at (core=0x606540 , addr=0x401010, buf=0x7fffec563010 '\377' <repeats 200 times>..., size=0x1000) at io.c:317
#4 0x00007ffff7b86eba in r_core_search_rop (core=0x606540 , from=0x28010, to=0x40166a, opt=0x0, grep=0x6c40d2 "") at cmd_search.c:262
#5 0x00007ffff7b875f3 in cmd_search (data=0x606540 , input=0x6c40d1 "R") at cmd_search.c:382
#6 0x00007ffff6109fc9 in r_cmd_call (cmd=0x694000, input=0x6c40d0 "/R") at cmd.c:172
#7 0x00007ffff7b8d02b in r_core_cmd_subst_i (core=0x606540 , cmd=0x6c40d0 "/R") at cmd.c:1353
#8 0x00007ffff7b8b55c in r_core_cmd_subst (core=0x606540 , cmd=0x6c40d0 "/R") at cmd.c:921
#9 0x00007ffff7b8db5b in r_core_cmd (core=0x606540 , cstr=0x8a4820 "/R", log=0x1) at cmd.c:1536
#10 0x00007ffff7b65326 in r_core_prompt_exec (r=0x606540 ) at core.c:712
#11 0x0000000000404956 in main (argc=0x2, argv=0x7fffffffe288, envp=0x7fffffffe2a0) at radare2.c:593
—
Reply to this email directly or view it on GitHub.

[jvoisin]

Still segfaulting.

[zonkzonk]

JFYI

$ echo '/R'| r2 /home/zlul/a.out.dwarf
-- May the segfault be with you
[0x100000f10]> ,

EDIT: of course segfaulting with /bin/ls

[radare]

Looks like its trying to memset after the limit of your system stack. Which OS are you using? We should identify those big stack buffers and use the heap. Freebsd is also famius for their small stacks.

Try configuring the kernel to assign more space for stack per thread

On 17 Feb 2014, at 16:24, zonkzonk [email protected] wrote:

JFYI

$ echo '/R'| r2 /home/zlul/a.out.dwarf
-- May the segfault be with you
[0x100000f10]> ,

—
Reply to this email directly or view it on GitHub.

[jvoisin]

"Please tweak your kernel settings to uses radare" 😃

[radare]

Well. it's just for a test, to ensure that my hypothesis

[jvoisin]

$ ulimit -s unlimited
$ r2 ./0x1d01ebcc
[0x0040166a]> /R
zsh: segmentation fault (core dumped)  r2 ./0x1d01ebcc

[radare]

This happens only on Linux

[radare]

Valgrind log:

==21612== Memcheck, a memory error detector
==21612== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21612== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==21612== Command: r2 /usr/bin/touch
==21612== Parent PID: 391
==21612== 
==21612== Conditional jump or move depends on uninitialised value(s)
==21612==    at 0x4690326: vfprintf (in /usr/lib/libc-2.18.so)
==21612==    by 0x46B5F0A: vsnprintf (in /usr/lib/libc-2.18.so)
==21612==    by 0x4625FF6: r_strbuf_setf (strbuf.c:40)
==21612==    by 0x41E7237: __x86_leave_to_esil (esil_x86_udis.c:53)
==21612==    by 0x41E5B62: x86_udis86_op (anal_x86_udis.c:190)
==21612==    by 0x41F28A8: r_anal_op (op.c:56)
==21612==    by 0x406D51C: ??? (cmd_search.c:267)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612== 
==21612== Conditional jump or move depends on uninitialised value(s)
==21612==    at 0x402AD67: strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4625F17: r_strbuf_set (strbuf.c:18)
==21612==    by 0x462607E: r_strbuf_setf (strbuf.c:47)
==21612==    by 0x41E7237: __x86_leave_to_esil (esil_x86_udis.c:53)
==21612==    by 0x41E5B62: x86_udis86_op (anal_x86_udis.c:190)
==21612==    by 0x41F28A8: r_anal_op (op.c:56)
==21612==    by 0x406D51C: ??? (cmd_search.c:267)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612== 
==21612== Invalid read of size 4
==21612==    at 0x402C218: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x41FB891: r_anal_data_new (data.c:146)
==21612==    by 0x41FBBCD: r_anal_data (data.c:183)
==21612==    by 0x41FBCB5: r_anal_data_kind (data.c:196)
==21612==    by 0x409A834: ??? (disasm.c:1440)
==21612==    by 0x409B693: r_core_print_disasm (disasm.c:1693)
==21612==    by 0x4068BBB: ??? (cmd_print.c:1125)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x4073D5E: r_core_cmdf (cmd.c:1607)
==21612==  Address 0x5b8c958 is 8 bytes inside a block of size 9 alloc'd
==21612==    at 0x402A4FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4068AEE: ??? (cmd_print.c:1119)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x4073D5E: r_core_cmdf (cmd.c:1607)
==21612==    by 0x406D861: ??? (cmd_search.c:309)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612== 
==21612== Invalid read of size 4
==21612==    at 0x402D368: memmove (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4606DA2: r_mem_copyendian (mem.c:157)
==21612==    by 0x4606C3E: r_mem_get_num (mem.c:121)
==21612==    by 0x41FB1C2: ??? (data.c:49)
==21612==    by 0x41FBAA7: r_anal_data (data.c:176)
==21612==    by 0x41FBCB5: r_anal_data_kind (data.c:196)
==21612==    by 0x409A834: ??? (disasm.c:1440)
==21612==    by 0x409B693: r_core_print_disasm (disasm.c:1693)
==21612==    by 0x4068BBB: ??? (cmd_print.c:1125)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==  Address 0x5b8c958 is 8 bytes inside a block of size 9 alloc'd
==21612==    at 0x402A4FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4068AEE: ??? (cmd_print.c:1119)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x4073D5E: r_core_cmdf (cmd.c:1607)
==21612==    by 0x406D861: ??? (cmd_search.c:309)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612== 
==21612== Invalid read of size 4
==21612==    at 0x402D368: memmove (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4606DA2: r_mem_copyendian (mem.c:157)
==21612==    by 0x4606C3E: r_mem_get_num (mem.c:121)
==21612==    by 0x41FB0C2: ??? (data.c:29)
==21612==    by 0x41FBB8C: r_anal_data (data.c:182)
==21612==    by 0x41FBCB5: r_anal_data_kind (data.c:196)
==21612==    by 0x409A834: ??? (disasm.c:1440)
==21612==    by 0x409B693: r_core_print_disasm (disasm.c:1693)
==21612==    by 0x4068BBB: ??? (cmd_print.c:1125)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==  Address 0x5b8c958 is 8 bytes inside a block of size 9 alloc'd
==21612==    at 0x402A4FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21612==    by 0x4068AEE: ??? (cmd_print.c:1119)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072ED3: ??? (cmd.c:1297)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x4073D5E: r_core_cmdf (cmd.c:1607)
==21612==    by 0x406D861: ??? (cmd_search.c:309)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612== 
vex x86->IR: unhandled instruction bytes: 0x64 0x65 0x78 0x20
==21612== valgrind: Unrecognised instruction at address 0x422483d.
==21612==    at 0x422483D: ??? (in /home/pancake/radare2/libr/anal/libr_anal.so)
==21612==    by 0x41F28A8: r_anal_op (op.c:56)
==21612==    by 0x406D51C: ??? (cmd_search.c:267)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x404D945: r_core_prompt_exec (core.c:712)
==21612==    by 0x804C1A2: main (radare2.c:596)
==21612== Your program just tried to execute an instruction that Valgrind
==21612== did not recognise.  There are two possible reasons for this.
==21612== 1. Your program has a bug and erroneously jumped to a non-code
==21612==    location.  If you are running Memcheck and you just saw a
==21612==    warning about a bad jump, it's probably your program's fault.
==21612== 2. The instruction is legitimate but Valgrind doesn't handle it,
==21612==    i.e. it's Valgrind's fault.  If you think this is the case or
==21612==    you are not sure, please let us know and we'll try to fix it.
==21612== Either way, Valgrind will now raise a SIGILL signal which will
==21612== probably kill your program.
==21612== 
==21612== Process terminating with default action of signal 4 (SIGILL)
==21612==  Illegal opcode at address 0x422483D
==21612==    at 0x422483D: ??? (in /home/pancake/radare2/libr/anal/libr_anal.so)
==21612==    by 0x41F28A8: r_anal_op (op.c:56)
==21612==    by 0x406D51C: ??? (cmd_search.c:267)
==21612==    by 0x406DCBA: ??? (cmd_search.c:412)
==21612==    by 0x432A8DC: r_cmd_call (cmd.c:172)
==21612==    by 0x4072F5B: ??? (cmd.c:1310)
==21612==    by 0x4071A16: ??? (cmd.c:878)
==21612==    by 0x407385E: r_core_cmd (cmd.c:1493)
==21612==    by 0x404D945: r_core_prompt_exec (core.c:712)
==21612==    by 0x804C1A2: main (radare2.c:596)
==21612== 
==21612== HEAP SUMMARY:
==21612==     in use at exit: 2,817,729 bytes in 21,474 blocks
==21612==   total heap usage: 40,352 allocs, 18,878 frees, 19,075,438 bytes allocated
==21612== 
==21612== LEAK SUMMARY:
==21612==    definitely lost: 1,519,619 bytes in 14,686 blocks
==21612==    indirectly lost: 25,302 bytes in 335 blocks
==21612==      possibly lost: 41,225 bytes in 86 blocks
==21612==    still reachable: 1,231,583 bytes in 6,367 blocks
==21612==         suppressed: 0 bytes in 0 blocks
==21612== Rerun with --leak-check=full to see details of leaked memory
==21612== 
==21612== For counts of detected and suppressed errors, rerun with: -v
==21612== Use --track-origins=yes to see where uninitialised values come from
==21612== ERROR SUMMARY: 977 errors from 5 contexts (suppressed: 0 from 0)

[zonkzonk]

,echo '/R'| r2 /tmp/cp
 -- The unix-like reverse engineering framework
Segmentation fault (core dumped)
,r2 /tmp/cp
 -- Use hasher to calculate hashes of portion blocks of a file
[0x00403609]> b 0x1000
[0x00403609]> /R
Do you want to print 171169 chars? (y/N)
^D
,r2 /tmp/cp
 -- Use rabin2 -rios to get the import/export/other symbols of any binary
[0x00403609]> af
[0x00403609]> /R
^D

[zonkzonk]

can you guys test this attempt, it fixed /R without aa/af or blocksize setting for linux for me :o -> http://sprunge.us/EPUf

night :)