bata24 / gef

GEF - GDB Enhanced Features for exploit devs & reversers

stuck on infinite breakpoint on remote i386 #72

Closed unvariant closed 7 months ago

unvariant commented 7 months ago

When connecting to a remote gdbserver under i386, or when using pwntools gdb.debug, if a breakpoint is hit gdb gets stuck at that address, and continue/nexti/stepi all fail to properly go to the next instruction.

```python
    # get_gs() from bata24/gef as posted in this issue (before the fix).
    # Assumes `import ctypes` and `import gdb` at module scope; get_register,
    # is_remote_debug, is_in_kernel, is_qiling, is_rr, is_kvm_enabled and
    # ExecAsm are gef's own helpers.
    def get_gs(self):
        # fastest path: gdb already exposes the base as a pseudo-register
        gs = get_register("$gs_base")
        if gs is not None:
            return gs
        # fast path: local target only; ask the kernel via ptrace(PTRACE_ARCH_PRCTL)
        if not is_remote_debug() and not is_in_kernel() and not is_qiling() and not is_rr():
            PTRACE_ARCH_PRCTL = 30
            ARCH_GET_GS = 0x1004
            pid, lwpid, tid = gdb.selected_thread().ptid
            ppvoid = ctypes.POINTER(ctypes.c_void_p)
            value = ppvoid(ctypes.c_void_p())
            value.contents.value = 0
            libc = ctypes.CDLL("libc.so.6")
            # the kernel writes the tracee's gs base into `value` (tracer memory)
            ret = libc.ptrace(PTRACE_ARCH_PRCTL, lwpid, value, ARCH_GET_GS)
            if ret == 0:  # success
                return value.contents.value or 0
        # slow path: execute one instruction inside the inferior; on i386 glibc
        # the word at gs:0 is the TLS self-pointer, i.e. the gs base
        if not is_kvm_enabled() and not is_qiling() and not is_rr():
            codes = [b"\x65\xa1\x00\x00\x00\x00"]  # mov eax, dword ptr gs:[0x0]
            ret = ExecAsm(codes).exec_code()
            return ret["reg"]["$eax"]
        return None
```

The issue seems to be the slow path of the get_gs() function, which retriggers the breakpoint when attempting to read the gs base address to show as part of the registers context pane. Removing the slow path fixes the issue in my testing.
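The two fallback paths in get_gs() rest on facts about Linux/x86 that the report takes for granted: a tracer can ask the kernel for a stopped tracee's segment base with ptrace(PTRACE_ARCH_PRCTL, pid, &out, ARCH_GET_xS) without running anything in the target, and on i386 glibc the word at gs:0 is the TLS self-pointer, so a single load from gs:[0] returns the base. The C program below is an added illustration of both mechanisms; it is not code from gef or from this issue. It assumes Linux on x86_64, where glibc keeps TLS in FS (GS is normally 0), so FS and ARCH_GET_FS stand in for the GS and ARCH_GET_GS used by the i386 code above; the i386 branches use gs and get_thread_area. The function names, the fork/pipe handshake in main and the in-process consistency check are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#if defined(__i386__)
#include <asm/ldt.h>      /* struct user_desc for get_thread_area */
#endif

/* Constants from asm/prctl.h and the x86_64 ptrace ABI; the same
 * PTRACE_ARCH_PRCTL = 30 and ARCH_GET_GS = 0x1004 appear in get_gs(). */
#define ARCH_GET_FS 0x1003
#define ARCH_GET_GS 0x1004
#ifndef PTRACE_ARCH_PRCTL
#define PTRACE_ARCH_PRCTL 30
#endif

/* Slow-path idea: load the word at offset 0 of the TLS segment. glibc (and
 * musl) store the TCB self-pointer there, so the load yields the segment
 * base. x86_64 keeps TLS in FS; i386 keeps it in GS, which is exactly what
 * the issue's "mov eax, dword ptr gs:[0x0]" reads. Non-x86 returns 0. */
static uintptr_t tls_self_pointer(void)
{
    uintptr_t v = 0;
#if defined(__x86_64__)
    __asm__ volatile("mov %%fs:0, %0" : "=r"(v));
#elif defined(__i386__)
    __asm__ volatile("mov %%gs:0, %0" : "=r"(v));
#endif
    return v;
}

/* Reference value: ask the kernel for this process's own TLS segment base. */
static uintptr_t tls_base_from_kernel(void)
{
    unsigned long base = 0;
#if defined(__x86_64__)
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        return 0;
#elif defined(__i386__)
    struct user_desc d;
    unsigned short gs;
    __asm__ volatile("mov %%gs, %0" : "=r"(gs));
    memset(&d, 0, sizeof d);
    d.entry_number = gs >> 3;          /* selector -> GDT entry index */
    if (syscall(SYS_get_thread_area, &d) != 0)
        return 0;
    base = d.base_addr;
#endif
    return (uintptr_t)base;
}

/* 1 if the self-pointer trick agrees with the kernel's view (x86 only). */
int tls_self_pointer_matches_kernel_base(void)
{
    uintptr_t a = tls_self_pointer();
    uintptr_t b = tls_base_from_kernel();
    return a != 0 && a == b;
}

/* Fast-path idea: a tracer reads a stopped tracee's segment base. This
 * mirrors the ctypes ptrace call in get_gs(); the kernel writes the result
 * into the tracer's own memory (`base`). x86_64 only. */
static uintptr_t tracee_tls_base(pid_t pid)
{
    unsigned long base = 0;
#if defined(__x86_64__)
    if (ptrace(PTRACE_ARCH_PRCTL, pid, &base, (void *)(uintptr_t)ARCH_GET_FS) != 0)
        return 0;
#else
    (void)pid;
#endif
    return (uintptr_t)base;
}

int main(void)
{
    printf("in-process: segment:[0] == kernel base? %s\n",
           tls_self_pointer_matches_kernel_base() ? "yes" : "no");

    /* Tracer demonstration: the child reports its own segment:[0] through a
     * pipe and stops itself; the parent reads the base via ptrace instead of
     * executing anything in the child, then compares the two values. */
    int fd[2];
    if (pipe(fd) != 0)
        return 1;
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        uintptr_t self = tls_self_pointer();
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        if (write(fd[1], &self, sizeof self) != (ssize_t)sizeof self)
            _exit(1);
        raise(SIGSTOP);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return 1;
    uintptr_t reported = 0;
    if (read(fd[0], &reported, sizeof reported) != (ssize_t)sizeof reported)
        return 1;
    uintptr_t traced = tracee_tls_base(pid);
    printf("via ptrace: 0x%lx, child reported 0x%lx -> %s\n",
           (unsigned long)traced, (unsigned long)reported,
           traced == reported ? "match" : "mismatch");
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return 0;
}
```

The in-process check is the part a remote gdbserver session cannot use: gef is not the tracee, so the only ways left are the kernel-side ptrace query (impossible over a remote stub, hence the is_remote_debug() guard) or running the load inside the inferior, which is the slow path that collided with the breakpoint. The ptrace half in main needs ptrace permitted for the parent (some container seccomp or Yama settings block it) and a kernel that accepts PTRACE_ARCH_PRCTL, i.e. x86_64.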

bata24 commented 7 months ago

Thank you for your report. It was fixed. See 34bed12bfe7f234a7398f0f4ef92864240460673.

I don't know the cause, but it seems that a memory reference error occurred when executing a step inside ExecAsm(...).exec_code() (called from get_gs()). This memory reference error was occurring on the gdb side and was not a GEF problem. I think it's probably failing to trace the frame from ebp. I thought this error could be ignored, so I wrapped it in try-except and the problem seems to be resolved.

unvariant commented 7 months ago

Thanks! I love your fork of gef, it is pretty amazing.