radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

r2 mips segfault #1305

Closed daniel-rome closed 9 years ago

daniel-rome commented 9 years ago

I have installed r2 in a mips system (debian) and it always crashes with a segfault.

Git version: Executing a process with radare2 >> r2 /bin/ls
Stable version (0.9.7): Attaching a process with radare2 >> r2 -p

radare commented 9 years ago

It's probably fixed in git. There are thousands of commits since 0.9.7


daniel-rome commented 9 years ago

I thought so, but I tested the git version and it crashed when I tried to open a binary.

Maijin commented 9 years ago

@daniel-rome any backtrace or more information?

radare commented 9 years ago

Can you share the binary?


daniel-rome commented 9 years ago

I can't share the binary, sorry. But I have found another binary that is also crashing.

I tested the binary with r2 (compiled in intel x64) and it is running properly. The binary is crashing if r2 is compiled in mips.

Binary(aab1482a93acd9e548b3a85414a0f000): http://www.filedropper.com/busyboxtar

daniel-rome commented 9 years ago

btw, I am using the following images >> https://people.debian.org/~aurel32/qemu/mips/

radare commented 9 years ago

It's not segfaulting here. How did you install the version from git to test this? Can anyone else try to reproduce the crash? What do you do to reproduce the crash? Just open the file? I ran full analysis and scrolled through the full binary without any crash.


radare commented 9 years ago

Also, if you have a crash, please report the output of ‘r2 -V’ to see the version of r2 and all its libs, and also show us the gdb backtrace or valgrind crash log.

thanks


daniel-rome commented 9 years ago

The problem must be in the installation because if I use r2 to debug itself, it also crashes (r2 -d r2).

-- Crash:

root@debian-mips:~# r2 -d r2
Process with PID 25146 started...
PID = 25146
r_debug_select: 25146 25146
Invalid length 0
Invalid length 0
...
Invalid length 0
Segmentation fault
root@debian-mips:~# Usage: r2 [-dDwntLqv] [-P patch] [-p prj] [-a arch] [-b bits] [-i file]
          [-s addr] [-B blocksize] [-c cmd] [-e k=v] file|-

I installed r2 with a simple installation (configure & make & make symstall).

-- Versions:

root@debian-mips:~# r2 -V 
0.9.8.git  r2
0.9.8.git  r_anal
0.9.8.git  r_lib
0.9.8.git  r_egg
0.9.8.git  r_asm
0.9.8.git  r_bin
0.9.8.git  r_cons
0.9.8.git  r_flags
0.9.8.git  r_core
0.9.8.git  r_crypto
0.9.8.git  r_db
0.9.8.git  r_bp
0.9.8.git  r_debug
0.9.8.git  r_hash
0.9.8.git  r_diff
0.9.8.git  r_fs
0.9.8.git  r_io
0.9.8.git  r_magic
0.9.8.git  r_parse
0.9.8.git  r_reg
0.9.8.git  r_sign
0.9.8.git  r_search
0.9.8.git  r_syscall
0.9.8.git  r_util

root@debian-mips:~# r2 -v
radare2 0.9.8.git @ linux-big-mips-32 git.0.9.8.git
commit: 390345ea95b0f41decb27f36da0a5e9abbf260e8 build: 2014-09-06

radare commented 9 years ago

Yep, your installation is broken because the r2-git is dynamically linking to the system r2 libraries.

the way to go is:

  • apt-get remove radare2
  • cd radare2 ; sudo make purge (uninstall current r2 from /usr/local)
  • run sys/install.sh

the version number in r2 -V will show a commit hash:

$ r2 -V
0.9.8-rc3-583-g5c4a5ab  r2
0.9.8-rc3-583-g5c4a5ab  r_anal
0.9.8-rc3-583-g5c4a5ab  r_lib
0.9.8-rc3-583-g5c4a5ab  r_egg
0.9.8-rc3-583-g5c4a5ab  r_asm
0.9.8-rc3-583-g5c4a5ab  r_bin
0.9.8-rc3-583-g5c4a5ab  r_cons
0.9.8-rc3-583-g5c4a5ab  r_flags
0.9.8-rc3-583-g5c4a5ab  r_core
0.9.8-rc3-583-g5c4a5ab  r_crypto
0.9.8-rc3-583-g5c4a5ab  r_db
0.9.8-rc3-583-g5c4a5ab  r_bp
0.9.8-rc3-583-g5c4a5ab  r_debug
0.9.8-rc3-583-g5c4a5ab  r_hash
0.9.8-rc3-583-g5c4a5ab  r_diff
0.9.8-rc3-583-g5c4a5ab  r_fs
0.9.8-rc3-583-g5c4a5ab  r_io
0.9.8-rc3-583-g5c4a5ab  r_magic
0.9.8-rc3-583-g5c4a5ab  r_parse
0.9.8-rc3-583-g5c4a5ab  r_reg
0.9.8-rc3-583-g5c4a5ab  r_sign
0.9.8-rc3-583-g5c4a5ab  r_search
0.9.8-rc3-583-g5c4a5ab  r_syscall
0.9.8-rc3-583-g5c4a5ab  r_util


radare commented 9 years ago

the sys/install.sh script does the following things:

  • make clean
  • git pull
  • configure --prefix=/usr
  • make
  • sudo make symstall

if you want to make r2 live outside /usr you have to configure the ldconfig, using rpath is wrong and I had several distros telling me to not do it. another solution is to use a shellscript wrapper to configure the LD_LIBRARY_PATH before starting the program to tell it where to find the r2 libs.

also, for devs, there's a script env.sh which sets up all this stuff.


radare commented 9 years ago

You can install in /usr/local or whatever other path, but just remember to configure the ld.so.config file. Also, if you run make purge or make uninstall after ./configure --prefix=/path/to/remove/from you'll get your system clean from previous r2 installs, so don't be afraid to put it in /usr :)

running sys/install.sh is the easiest way to get r2 system-wide up to date from git.


daniel-rome commented 9 years ago

After cleaning the installation and re-installing r2, the version of the libraries is correct, but the results are similar:

-- Versions:

root@debian-mips:~/hg556-root/bin# r2 -v
radare2 0.9.8.git @ linux-big-mips-32 git.0.9.8-rc3-584-g6d06508
commit: 6d06508da1737db8b3bd945a195c046e4e8f949a build: 2014-09-07
root@debian-mips:~/hg556-root/bin# r2 -V
0.9.8-rc3-584-g6d06508  r2
0.9.8-rc3-584-g6d06508  r_anal
0.9.8-rc3-584-g6d06508  r_lib
0.9.8-rc3-584-g6d06508  r_egg
0.9.8-rc3-584-g6d06508  r_asm
0.9.8-rc3-584-g6d06508  r_bin
...

-- Crash:

root@debian-mips:~# r2 -d /usr/bin/id
Process with PID 1087 started...
PID = 1087
r_debug_select: 1087 1087
Segmentation fault
root@debian-mips:~# uid=0(root) gid=0(root) groups=0(root)

root@debian-mips:~#

Maijin commented 9 years ago

@daniel-rome can you provide the backtrace ?

gdb r2
r2 -d /usr/bin/ld
bt

daniel-rome commented 9 years ago

gdb does not return me the bt.

-- Crash:

root@debian-mips:~# gdb r2
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/r2...done.
(gdb) r -d /usr/bin/id 
Starting program: /usr/bin/r2 -d /usr/bin/id
[Thread debugging using libthread_db enabled]
[New process 1117]
[Thread debugging using libthread_db enabled]
ptrace-traceme failed

Program exited with code 0173.
(gdb) 

radare commented 9 years ago

gdb --args r2 ...

If the crash happens only in mips then it can be a big endian issue. I can setup a vm to test this issue tonight.

Can u try using r2 -a mips.cs ..


daniel-rome commented 9 years ago

I have applied the patch and I have compiled the library, but the gdb result is the same.

radare commented 9 years ago

I know. Gdb should do the same but perror should report a more meaningful error right before the crash. Can you paste it?


daniel-rome commented 9 years ago

Sorry, I didn't know the radare2 internal structure, I was only compiling the io_debug library, and I needed to compile the libr_io library. I think ;)

The result is: p/io_debug.c:192 ptrace-traceme: Operation not permitted

is it possible?

crowell commented 9 years ago

this is from r2 -d /usr/bin/id on aurel32's wheezy vm.

It only takes 3.5 hours to build r2, so I can take a look into this tomorrow.

root@debian-mips:~# gdb r2 core
gdb r2 core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "mips-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/r2...done.
[New LWP 14651]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/mips-linux-gnu/libthread_db.so.1".
Core was generated by `r2 -d /usr/bin/id'.
Program terminated with signal 11, Segmentation fault.
#0  0x76a439e8 in memcpy () from /lib/mips-linux-gnu/libc.so.6
(gdb) bt
#0  0x76a439e8 in memcpy () from /lib/mips-linux-gnu/libc.so.6
#1  0x773db588 in r_reg_set_bytes (reg=0x531080, type=0, buf=0x7ffc9644 "", 
    len=16384) at arena.c:86
#2  0x7798cc48 in r_debug_reg_sync (dbg=0x530f58, type=0, write=0) at reg.c:41
#3  0x77b381b8 in cmd_debug_reg (core=0x416658, str=0x5da9c2 "*")
    at cmd_debug.c:695
#4  0x77b3bc1c in cmd_debug (data=0x416658, input=0x5da9c1 "r*")
    at cmd_debug.c:1407
#5  0x77ba3530 in r_cmd_call (cmd=0x52d0b0, input=0x5da9c0 "dr*")
    at cmd_api.c:179
#6  0x77b74b9c in r_core_cmd_subst_i (core=0x416658, cmd=0x5da9c0 "dr*")
    at cmd.c:1236
#7  0x77b727ac in r_core_cmd_subst (core=0x416658, cmd=0x5da9c0 "dr*")
    at cmd.c:789
#8  0x77b75a08 in r_core_cmd (core=0x416658, cstr=0x5da9f0 "dr*", log=0)
    at cmd.c:1434
#9  0x77b766e4 in r_core_cmd_str (core=0x416658, cmd=0x5da9f0 "dr*")
    at cmd.c:1607
#10 0x77b70820 in cmd_interpret (data=0x416658, input=0x545699 "dr*")
    at cmd.c:372
#11 0x77ba3530 in r_cmd_call (cmd=0x52d0b0, input=0x545698 ".dr*")
    at cmd_api.c:179
#12 0x77b74b9c in r_core_cmd_subst_i (core=0x416658, cmd=0x545698 ".dr*")
    at cmd.c:1236
#13 0x77b727ac in r_core_cmd_subst (core=0x416658, cmd=0x545698 ".dr*")
    at cmd.c:789
#14 0x77b75a08 in r_core_cmd (core=0x416658, cstr=0x77bebf34 ".dr*", log=0)
    at cmd.c:1434
#15 0x77b8a6b0 in r_core_setup_debugger (r=0x416658, 
    debugbackend=0x405d84 "native") at io.c:22
#16 0x00403f50 in main (argc=3, argv=0x7ffcc164, envp=0x7ffcc174)
    at radare2.c:543
(gdb) 

radare commented 9 years ago

Is this error coming from gdb --args r2 … or r2 directly?

maybe there’s a problem debugging a debugger on that platform.. but seems strange to me.


crowell commented 9 years ago

@radare this is coming from r2 directly. I do

root@debian-mips:~# ulimit -c unlimited
root@debian-mips:~# r2 -d /usr/bin/id
Process with PID 15154 started...
PID = 15154
r_debug_select: 15154 15154
TODO(eddyb): uninmplemented ELF reloc_convert for MIPS R3000 big-endian
Segmentation fault (core dumped)
root@debian-mips:~# uid=0(root) gid=0(root) groups=0(root)

If I do not pass -d to r2 I don't get the segfault.

radare commented 9 years ago

Maybe this crash is related to the @lemonboy reg profile parser patch which calculated arena size.

Can you share that core file or reproduce it on x86? So we can properly test it?


LemonBoy commented 9 years ago

The arena size isn't used at all (at least right now). Try strace'ing the process to see if it fucks up after some ptrace syscall.

radare commented 9 years ago

The crash happens at memset (arena->bytes, 0, arena->size); .. so arena->size is there

LemonBoy commented 9 years ago

Put your glasses on and notice that the reg parser sets the size field in RReg.

radare commented 9 years ago

This line can only fail if arena->bytes is smaller than arena->size. That is, there's somewhere in the code where the size or the buffer is not updated together. I know that the size is set in the parser, but is it done right? Can you imagine another reason for this line to fail? As long as I can't reproduce it I can only throw conspiracies.

crowell commented 9 years ago

I'll share the core file when I get home tonight.

radare commented 9 years ago

can you print arena->size and arena->bytes values? also can you track the reallocs on arena->bytes to see why this memcpy is crashing? Thanks!

crowell commented 9 years ago

(gdb) p arena->bytes
$1 = (unsigned char *) 0xd0ff48 ""
(gdb) x/x arena->bytes
0xd0ff48:       0x00000000
(gdb) p arena->size
$2 = 16384

unfortunately debugging is impossible in this vm, it just becomes unresponsive if I try to debug r2

crowell commented 9 years ago

http://raxcity.com/r2-mips-core for the core

crowell commented 9 years ago

after pulling in change 1117fd8c4c8d3d2657189f8e674a0e3fdec2954b r2 now just hangs instead of crashing. The vm just becomes unresponsive entirely.

radare commented 9 years ago

For some reason the arena buffer is null, besides having buffer size !=0. We need to review the reg parser more carefully. Could you try to run a build of r2 previous to the reg profile refactoring to verify if it was working fine before?
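The invariant the thread is circling is that arena->size must never describe memory that arena->bytes does not actually hold; the backtrace shows memcpy being handed len=16384 while the buffer is effectively empty. The following is an added example in C, not radare2's own code: RegArena, arena_resize and arena_set_bytes are hypothetical names, and the scenarios construct the inconsistent state from the report to show it being rejected instead of crashing.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical register arena (not radare2's RRegArena): a buffer and the
 * number of bytes it really holds. The two fields must only change together. */
typedef struct {
    unsigned char *bytes;
    size_t size;
} RegArena;

/* arena_resize: grow or shrink the arena. On allocation failure the old
 * buffer and size are left untouched, so size never describes a buffer that
 * does not exist. Returns 1 on success, 0 on failure. */
int arena_resize(RegArena *a, size_t new_size) {
    unsigned char *p;
    if (new_size == 0) {
        free(a->bytes);
        a->bytes = NULL;
        a->size = 0;
        return 1;
    }
    p = realloc(a->bytes, new_size);
    if (!p) return 0;                    /* keep old bytes/size as a pair */
    if (new_size > a->size) memset(p + a->size, 0, new_size - a->size);
    a->bytes = p;
    a->size = new_size;
    return 1;
}

/* arena_set_bytes: the checked counterpart of an unconditional
 * memcpy(arena->bytes, buf, len). Refuses a missing buffer or a length larger
 * than the arena instead of writing past it. Returns bytes copied, or -1. */
long arena_set_bytes(RegArena *a, const unsigned char *buf, size_t len) {
    if (!a->bytes || !buf) return -1;    /* size != 0 but no buffer: a bug */
    if (len > a->size) return -1;        /* would overflow the arena */
    memcpy(a->bytes, buf, len);
    return (long)len;
}

/* Constructed scenario mirroring the report: something set the size to 16384
 * but never allocated the buffer. The checked setter returns -1, no crash. */
long broken_arena_scenario(void) {
    RegArena a = { NULL, 16384 };
    unsigned char regs[16] = {0};
    return arena_set_bytes(&a, regs, sizeof regs);
}

/* Constructed healthy scenario: size and buffer updated together, so a
 * 16-byte register dump lands in the arena and the rest stays zeroed. */
long consistent_arena_scenario(void) {
    RegArena a = { NULL, 0 };
    unsigned char regs[16];
    long n;
    memset(regs, 0xAB, sizeof regs);
    if (!arena_resize(&a, 64)) return -2;
    n = arena_set_bytes(&a, regs, sizeof regs);
    if (n != 16 || a.bytes[0] != 0xAB || a.bytes[16] != 0) n = -3;
    arena_resize(&a, 0);                 /* release, keeping fields in sync */
    return n;
}
```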


daniel-rome commented 9 years ago

What is the commit? I can try it.

LemonBoy commented 9 years ago

7833b0427d37398da8b9f8f93de1f8dea2e84b88

radare commented 9 years ago

Should be fixed now :)


daniel-rome commented 9 years ago

The problem was fixed, sorry I did not notice before.

Thanks ;D

radare commented 9 years ago

Cool!