nowsecure / r2frida

Radare2 and Frida better together.
MIT License

r2core is null and r2frida aborts #96

Closed enovella closed 6 years ago

enovella commented 6 years ago

Radare2 version

edu@de11:~/radare2$ r2 -v radare2 2.8.0-git 18942 @ linux-x86-64 git.2.7.0-244-gc66112c13 commit: c66112c13bd59ecb1dcaaadea8106b6b44164f0c build: 2018-08-03__23:00:56

Installation of r2frida after building r2 with ASAN

edu@de11:~/radare2$ r2pm -i r2frida

=================================================================
==21600==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 2544 byte(s) in 1 object(s) allocated from:
    #0 0x7f68abc7af40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
    #1 0x7f68ab516fcb in r_core_autocomplete_add /home/edu/radare2/libr/core/core.c:3105
    #2 0x7f689d771917 in r_cmd_pdd_init /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:237

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x7f68abc7af40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
    #1 0x7f68ab516fcb in r_core_autocomplete_add /home/edu/radare2/libr/core/core.c:3105
    #2 0x7f689d7719df in r_cmd_pdd_init /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:245

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f68abc7af40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
    #1 0x7f68ab516fcb in r_core_autocomplete_add /home/edu/radare2/libr/core/core.c:3105
    #2 0x7f68ab50de2b in init_autocomplete /home/edu/radare2/libr/core/core.c:2001
    #3 0x7f68ab510927 in r_core_init /home/edu/radare2/libr/core/core.c:2215
    #4 0x55e7ce7e8f28 in main /home/edu/radare2/binr/radare2/radare2.c:499
    #5 0x7f68a57bfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: 2616 byte(s) leaked in 3 allocation(s).
Already up-to-date.
Install Done For r2frida
[ "`readlink ext/frida`" = frida-linux-12.0.4 ] || \
    (cd ext && rm -f frida ; ln -fs frida-linux-12.0.4 frida)
make io_frida.so
make[1]: Entering directory '/home/edu/.local/share/radare2/r2pm/git/r2frida'
pkg-config --cflags r_core
-I/usr/include/libr
g++ src/io_frida.o -o io_frida.so -shared -fPIC -lr_core -lssl -lcrypto -lr_config -lr_debug -lr_bin -lr_anal -lr_bp -lr_egg -lr_asm -lr_lang -lr_parse -lr_flag -lr_cons -lr_reg -lr_search -lr_syscall -lr_fs -lr_magic -lr_crypto -lr_hash -lr_io -lr_socket -lr_util -ldl  ext/frida/libfrida-core.a -lresolv
make[1]: Leaving directory '/home/edu/.local/share/radare2/r2pm/git/r2frida'
mkdir -p /"/home/edu/.local/share/radare2/plugins"
cp -f io_frida.so /"/home/edu/.local/share/radare2/plugins"

Backtrace

edu@de11:~/radare2$ gdb -q --args r2 frida:///bin/ls
Reading symbols from r2...done.
(gdb) r
Starting program: /usr/bin/r2 frida:///bin/ls
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe891b700 (LWP 21583)]
**
ERROR:src/io_frida.c:77:r_io_frida_new: assertion failed: (rf->r2core != NULL)

Thread 1 "r2" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff0a5c801 in __GI_abort () at abort.c:79
#2  0x00007fffe8e4de16 in g_default_assertion_handler (domain=<optimised out>, file=<optimised out>, line=<optimised out>,
    func=0x7fffeba10c88 <__func__.45263> "r_io_frida_new", message=<optimised out>, user_data=<optimised out>)
    at ../../../../glib/glib/gtestutils.c:2543
#3  0x00007fffe8e4b5dc in g_assertion_message_expr (domain=0x0, file=0x7fffeba0f9d4 "src/io_frida.c", line=77,
    func=0x7fffeba10c88 <__func__.45263> "r_io_frida_new", expr=<optimised out>) at ../../../../glib/glib/gtestutils.c:2576
#4  0x00007fffe8e47316 in r_io_frida_new () from /home/edu/.local/share/radare2/plugins/io_frida.so
#5  0x00007fffe8e474f9 in __open () from /home/edu/.local/share/radare2/plugins/io_frida.so
#6  0x00007ffff3b1f4f4 in r_io_desc_open (io=0x61a000000080, uri=0x7fffffffe1e6 "frida:///bin/ls", flags=5, mode=420) at desc.c:105
#7  0x00007ffff3b11da1 in r_io_open_nomap (io=0x61a000000080, uri=0x7fffffffe1e6 "frida:///bin/ls", flags=5, mode=420) at io.c:261
#8  0x00007ffff68ded1c in r_core_file_open (r=0x55555576b380 <r>, file=0x7fffffffe1e6 "frida:///bin/ls", flags=5, loadaddr=0) at file.c:745
#9  0x000055555555fea2 in main (argc=2, argv=0x7fffffffde38, envp=0x7fffffffde50) at radare2.c:1048
(gdb)

More info

https://ghostbin.com/paste/6tq48

radare commented 6 years ago

Can't reproduce any crash, tested on linux-32,64 as well as in macOS building everything with asan :/

I changed the assert for an if+warning message, so you may get a more meaningful error, but I don't see why io->user should be NULL.

Can you try doing a clean rebuild of r2 and r2frida? `git clean -xdf`, or clone the r2frida repo again.

On 4 Aug 2018, at 00:18, Eduardo Novella notifications@github.com wrote: [quoted copy of the issue report above omitted]
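An added illustration of the change the maintainer describes above (replacing the `rf->r2core != NULL` assertion with a check plus a warning). This is example C written for this thread, not r2frida's or radare2's own code: the `RIOStub`, `RCoreStub` and `RIOFridaStub` types and the `io_frida_new_checked` / `plugin_open` functions are hypothetical stand-ins for the real RIO, RCore and plugin structures, reduced to the fields the example needs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins (not the real r2 structs): only the fields this
 * example touches are modelled. io->user is where the host core pointer is
 * expected to live, which is what the reported assertion checked. */
typedef struct { int initialized; } RCoreStub;
typedef struct { void *user; } RIOStub;

typedef struct {
    RCoreStub *r2core;
    char *uri;
} RIOFridaStub;

/* Constructor following the pattern the maintainer describes: instead of
 * g_assert()-style abort when the core pointer is missing (which takes down
 * the whole r2 process, as in the SIGABRT backtrace above), validate the
 * input, print a diagnostic and fail the open by returning NULL. */
RIOFridaStub *io_frida_new_checked(RIOStub *io, const char *uri) {
    if (!io || !io->user) {
        fprintf(stderr, "io_frida: io->user (r2core) is NULL, cannot open %s\n",
                uri ? uri : "(null)");
        return NULL;
    }
    RIOFridaStub *rf = calloc(1, sizeof(*rf));
    if (!rf) {
        return NULL;                 /* allocation failure is also a soft failure */
    }
    rf->r2core = (RCoreStub *)io->user;
    rf->uri = strdup(uri ? uri : "");
    if (!rf->uri) {
        free(rf);
        return NULL;
    }
    return rf;
}

void io_frida_free(RIOFridaStub *rf) {
    if (!rf) {
        return;
    }
    free(rf->uri);
    free(rf);
}

/* Caller side, mirroring what an io plugin's open callback has to do with
 * the checked constructor: a NULL result propagates as a failed open instead
 * of being dereferenced. Returns 1 on success, 0 on failure. */
int plugin_open(RIOStub *io, const char *uri, RIOFridaStub **out) {
    RIOFridaStub *rf = io_frida_new_checked(io, uri);
    if (!rf) {
        *out = NULL;
        return 0;
    }
    *out = rf;
    return 1;
}

int main(void) {
    RCoreStub core = { 1 };
    RIOStub io_without_core = { NULL };  /* constructed: reproduces the NULL case */
    RIOStub io_with_core = { &core };
    RIOFridaStub *rf = NULL;

    printf("open without core: %s\n",
           plugin_open(&io_without_core, "frida:///bin/ls", &rf) ? "ok" : "refused");
    printf("open with core:    %s\n",
           plugin_open(&io_with_core, "frida:///bin/ls", &rf) ? "ok" : "refused");
    io_frida_free(rf);
    return 0;
}
```

The point of the checked version is that a plugin loaded into r2 runs inside the host process: an assertion failure there aborts r2 itself, while a NULL return lets `r_io_desc_open` report an unopenable URI and leaves the user with a readable message to paste into a bug report.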

enovella commented 6 years ago

Hi @radare,

Apparently you upgraded frida from 12.0.4 to 12.0.8, so I don't know where the issue was coming from, but after a git clean and recompilation all works fine; also, commit https://github.com/nowsecure/r2frida/commit/08e63048db9ef7f22fee4c8d08b348fddff73878 seems to have done the trick.

edu@de11:~/radare2$  r2 frida:///bin/ls
 -- Emulate the base address of a file with e file.baddr.
[0x00000000]> \?
r2frida commands available via =! or \ prefix
?                          Show this help
?V                         Show target Frida version
/[x][j] <string|hexpairs>  Search hex/string pattern in memory ranges (see search.in=?)
/w[j] string               Search wide string
/v[1248][j] value          Search for a value honoring `e cfg.bigendian` of given width
i                          Show target information
ii[*]                      List imports
il                         List libraries
is[*] <lib>                List symbols of lib (local and global ones)
isa[*] (<lib>) <sym>       Show address of symbol
iE[*] <lib>                Same as is, but only for the export global ones
ic <class>                 List Objective-C classes or methods of <class>
ip <protocol>              List Objective-C protocols or methods of <protocol>
fd[*j] <address>           Inverse symbol resolution
dd[-][fd] ([newfd])        List, dup2 or close filedescriptors
dm[.|j|*]                  Show memory regions
dma <size>                 Allocate <size> bytes on the heap, address is returned
dmas <string>              Allocate a string inited with <string> on the heap
dmad <addr> <size>         Allocate <size> bytes on the heap, copy contents from <addr>
dmal                       List live heap allocations created with dma[s]
dma- (<addr>...)           Kill the allocations at <addr> (or all of them without param)
dmp <addr> <size> <perms>  Change page at <address> with <size>, protection <perms> (rwx)
dmm                        List all named squashed maps
dmh                        List all heap allocated chunks
dmhj                       List all heap allocated chunks in JSON
dmh*                       Export heap chunks and regions as r2 flags
dmhm                       Show which maps are used to allocate heap chunks
dp                         Show current pid
dpt                        Show threads
dr                         Show thread registers (see dpt)
env [k[=v]]                Get/set environment variable
dl libname                 Dlopen a library
dl2 libname [main]         Inject library using Frida's >= 8.2 new API
dt <addr> ..               Trace list of addresses
dt-                        Clear all tracing
dtr <addr> (<regs>...)     Trace register values
dtf <addr> [fmt]           Trace address with format (^ixzO) (see dtf?)
dtSf[*j] [sym|addr]        Trace address or symbol using the stalker (Frida >= 10.3.13)
dtS[*j] seconds            Trace all threads for given seconds using the stalker
di[0,1,-1] [addr]          Intercept and replace return value of address
dx [hexpairs]              Inject code and execute it (TODO)
dxc [sym|addr] [args..]    Call the target symbol with given args
e[?] [a[=b]]               List/get/set config evaluable vars
. script                   Run script
<space> code..             Evaluate Cycript code
eval code..                Evaluate Javascript code in agent side
dc                         Continue
T[-*] [msg]                text-log console, useful to .\T
[0x00000000]> 

Thanks

enovella commented 6 years ago

Fixed at commit https://github.com/nowsecure/r2frida/commit/08e63048db9ef7f22fee4c8d08b348fddff73878