radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Error while debugging a MIPS binary remotely #16680

Open officialcjunior opened 4 years ago

officialcjunior commented 4 years ago

Work environment

OS/arch/bits (mandatory): Ubuntu 18.04.4 LTS, 64 bit
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): MIPS
r2 -v full output, not truncated (mandatory): radare2 4.5.0-git 24411 @ linux-x86-64 git.4.4.0-23-gf549eb2a2 commit: f549eb2a28e387650bb7c2d277f891ecaba53c0a build: 2020-04-17__07:55:34

I've opened up a MIPS binary on QEMU : sudo chroot . ./qemu-mipsel-static -g 1337 ./pwnable/Intro/stack_bof_01 testinput123

I'm trying to debug it:

r2 -a mips -d -B 0x400630 gdb://127.0.0.1:1337 pwnable/Intro/stack_bof_01

Expected behavior

To be able to debug the binary remotely.

Actual behavior

It results in: free(): invalid next size (fast) Aborted (core dumped)

Steps to reproduce the behavior

By enabling debug mode

Additional Logs, screenshots, source-code, configuration dump, ...

Backtrace:


#1  0x00007ffff72c0801 in __GI_abort () at abort.c:79
#2  0x00007ffff7309897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7436b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff731090a in malloc_printerr (str=str@entry=0x7ffff7438800 "free(): invalid next size (fast)") at malloc.c:5350
#4  0x00007ffff7317f60 in _int_free (have_lock=0, p=0x55555585e900, av=0x7ffff766bc40 <main_arena>) at malloc.c:4213
#5  __GI___libc_free (mem=0x55555585e910) at malloc.c:3124
#6  0x00007ffff78f8528 in r_list_delete (list=0x55555585df00, iter=0x555555861c30) at list.c:106
#7  0x00007ffff78f8392 in r_list_purge (list=0x55555585df00) at list.c:72
#8  0x00007ffff78f83e8 in r_list_free (list=0x55555585df00) at list.c:82
#9  0x00007ffff66705c2 in arch_parse_reg_profile (
    reg_profile=0x555555845b40 "=PC\trip\n=SP\trsp\n=BP\trbp\n=A0\trax\n=A1\trbx\n=A2\trcx\n=A3\trdx\n=SN\torax\ngpr\tfake\t.64\t795\t0\ngpr\trax\t.64\t0\t0\ngpr\trbx\t.64\t8\t0\ngpr\trcx\t.64\t16\t0\ngpr\trdx\t.64\t24\t0\ngpr\trsi\t.64\t32\t0\ngpr\trdi\t.64\t40\t0\ngpr\trbp\t.64\t48\t0"...)
    at src/arch.c:132
#10 0x00007ffff666f194 in gdbr_set_reg_profile (g=0x555555861920, 
    str=0x555555845b40 "=PC\trip\n=SP\trsp\n=BP\trbp\n=A0\trax\n=A1\trbx\n=A2\trcx\n=A3\trdx\n=SN\torax\ngpr\tfake\t.64\t795\t0\ngpr\trax\t.64\t0\t0\ngpr\trbx\t.64\t8\t0\ngpr\trcx\t.64\t16\t0\ngpr\trdx\t.64\t24\t0\ngpr\trsi\t.64\t32\t0\ngpr\trdi\t.64\t40\t0\ngpr\trbp\t.64\t48\t0"...)
    at src/libgdbr.c:119
#11 0x00007ffff666efc2 in gdbr_set_architecture (g=0x555555861920, arch=1, bits=64) at src/libgdbr.c:64
#12 0x00007ffff4fc8909 in r_debug_gdb_attach (dbg=0x5555557eeda0, pid=-1) at p/debug_gdb.c:383
#13 0x00007ffff4fc7801 in check_connection (dbg=0x5555557eeda0) at p/debug_gdb.c:27
#14 0x00007ffff4fc89c3 in r_debug_gdb_reg_profile (dbg=0x5555557eeda0) at p/debug_gdb.c:406
#15 0x00007ffff4fbf6ee in r_debug_use (dbg=0x5555557eeda0, str=0x555555815320 "gdb") at plugin.c:34
#16 0x00007ffff5316a28 in r_core_file_open (r=0x7ffff7f5a010, file=0x5555558e46e0 "gdb://127.0.0.1:1337", flags=5, loadaddr=0) at cfile.c:945
#17 0x00007ffff768d876 in r_main_radare2 (argc=6, argv=0x7fffffffded8) at radare2.c:898
#18 0x0000555555554c77 in main (argc=6, argv=0x7fffffffded8) at radare2.c:96
radare commented 4 years ago

This is not master; it's about 1 week old.

Can you please confirm the bug is still in master? Because the error line doesn't match the source.

On 22 Apr 2020, at 08:18, Aswin C notifications@github.com wrote:

Expected behavior

To be able to debug the binary remotely.

Actual behavior

It results in: free(): invalid next size (fast) Aborted (core dumped)

Steps to reproduce the behavior

By enabling debug mode

Additional Logs, screenshots, source-code, configuration dump, ...


officialcjunior commented 4 years ago

Sorry, I've updated now, to:

radare2 4.5.0-git 24501 @ linux-x86-64 git.4.4.0-64-gd3ecd271c
commit: d3ecd271cf81cc21a8a43ff9b59474023def5ead build: 2020-04-22__20:06:08

Still, I'm facing:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff72bf801 in __GI_abort () at abort.c:79
#2  0x00007ffff7308897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7435b9a "%s\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff730f90a in malloc_printerr (str=str@entry=0x7ffff7433d88 "free(): invalid pointer") at malloc.c:5350
#4  0x00007ffff7316e1c in _int_free (have_lock=0, p=0x55555585f4f0, av=0x7ffff766ac40 <main_arena>) at malloc.c:4157
#5  __GI___libc_free (mem=0x55555585f500) at malloc.c:3124
#6  0x00007ffff78f75ef in r_list_delete (list=0x555555836a40, iter=0x55555585f500) at list.c:109
#7  0x00007ffff78f7442 in r_list_purge (list=0x555555836a40) at list.c:72
#8  0x00007ffff78f7498 in r_list_free (list=0x555555836a40) at list.c:82
#9  0x00007ffff666f617 in arch_parse_reg_profile (
    reg_profile=0x555555846020 "=PC\trip\n=SP\trsp\n=BP\trbp\n=A0\trax\n=A1\trbx\n=A2\trcx\n=A3\trdx\n=SN\torax\ngpr\tfake\t.64\t795\t0\ngpr\trax\t.64\t0\t0\ngpr\trbx\t.64\t8\t0\ngpr\trcx\t.64\t16\t0\ngpr\trdx\t.64\t24\t0\ngpr\trsi\t.64\t32\t0\ngpr\trdi\t.64\t40\t0\ngpr\trbp\t.64\t48\t0"...) at src/arch.c:135
#10 0x00007ffff666e1ac in gdbr_set_reg_profile (g=0x5555558487e0, 
    str=0x555555846020 "=PC\trip\n=SP\trsp\n=BP\trbp\n=A0\trax\n=A1\trbx\n=A2\trcx\n=A3\trdx\n=SN\torax\ngpr\tfake\t.64\t795\t0\ngpr\trax\t.64\t0\t0\ngpr\trbx\t.64\t8\t0\ngpr\trcx\t.64\t16\t0\ngpr\trdx\t.64\t24\t0\ngpr\trsi\t.64\t32\t0\ngpr\trdi\t.64\t40\t0\ngpr\trbp\t.64\t48\t0"...)
    at src/libgdbr.c:119
#11 0x00007ffff666dfda in gdbr_set_architecture (g=0x5555558487e0, arch=1, bits=64) at src/libgdbr.c:64
#12 0x00007ffff4f60909 in r_debug_gdb_attach (dbg=0x5555557eedb0, pid=-1) at p/debug_gdb.c:383
#13 0x00007ffff4f5f801 in check_connection (dbg=0x5555557eedb0) at p/debug_gdb.c:27
#14 0x00007ffff4f609c3 in r_debug_gdb_reg_profile (dbg=0x5555557eedb0) at p/debug_gdb.c:406
#15 0x00007ffff4f576ee in r_debug_use (dbg=0x5555557eedb0, str=0x555555815bc0 "gdb") at plugin.c:34
#16 0x00007ffff52c1173 in r_core_file_open (r=0x7ffff7f5a010, file=0x5555558e54f0 "gdb://127.0.0.1:1337", flags=5, loadaddr=0) at cfile.c:945
#17 0x00007ffff768c81c in r_main_radare2 (argc=8, argv=0x7fffffffdeb8) at radare2.c:898
#18 0x0000555555554c77 in main (argc=8, argv=0x7fffffffdeb8) at radare2.c:96
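Both backtraces die inside arch_parse_reg_profile while freeing the list built from the register-profile text, and the profile string quoted there is an x86-64 one (=PC rip, gpr rax ...) even though the target is MIPS. The block below is an added example, not radare2's own code: a small C parser for that text format, following the profile convention visible in the quoted string (alias lines "=ALIAS<TAB>reg" and register lines "type<TAB>name<TAB>.bits<TAB>offset<TAB>packed"), which builds a single heap array with bounded copies, releases it with one matching free, and exposes the PC alias so a caller can see which architecture a profile actually describes. The type and function names are this example's own, and the sample input is the profile prefix quoted in the backtrace, embedded here as a constructed string.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed profile line (field names are this example's own). */
typedef struct {
    char alias[8];   /* "PC", "SP", ... for "=ALIAS<TAB>reg" lines, empty otherwise */
    char type[8];    /* "gpr", "flg", ... for register lines */
    char name[16];   /* register name ("rip", "rax", ...) */
    int  bits;       /* register width, from the ".64" field */
    int  offset;     /* byte offset into the register arena */
} reg_entry;

typedef struct {
    reg_entry *regs;
    size_t     count;
    size_t     cap;
} reg_profile;

/* Constructed sample: the profile prefix quoted in the backtrace (x86-64). */
const char SAMPLE_X86_64_PROFILE[] =
    "=PC\trip\n=SP\trsp\n=BP\trbp\n=A0\trax\n=A1\trbx\n=A2\trcx\n=A3\trdx\n=SN\torax\n"
    "gpr\tfake\t.64\t795\t0\ngpr\trax\t.64\t0\t0\ngpr\trbx\t.64\t8\t0\ngpr\trcx\t.64\t16\t0\n"
    "gpr\trdx\t.64\t24\t0\ngpr\trsi\t.64\t32\t0\ngpr\trdi\t.64\t40\t0\ngpr\trbp\t.64\t48\t0\n";

void profile_free(reg_profile *p) {
    if (!p) return;
    free(p->regs);   /* one array, so exactly one free matches the allocation */
    free(p);
}

static int profile_push(reg_profile *p, const reg_entry *e) {
    if (p->count == p->cap) {
        size_t ncap = p->cap ? p->cap * 2 : 16;
        reg_entry *n = realloc(p->regs, ncap * sizeof *n);
        if (!n) return 0;
        p->regs = n;
        p->cap = ncap;
    }
    p->regs[p->count++] = *e;
    return 1;
}

/* Bounded copy into a fixed-size field: truncates instead of overflowing. */
static void copy_field(char *dst, size_t dstsz, const char *src) {
    snprintf(dst, dstsz, "%s", src);
}

/* Parse a single line into *out; returns 0 for a malformed line. */
static int parse_line(const char *line, reg_entry *out) {
    char buf[128], *save = NULL;
    memset(out, 0, sizeof *out);
    if (snprintf(buf, sizeof buf, "%s", line) >= (int)sizeof buf) return 0;
    char *tok = strtok_r(buf, "\t", &save);
    if (!tok) return 0;
    if (tok[0] == '=') {                       /* "=PC<TAB>rip" */
        char *reg = strtok_r(NULL, "\t", &save);
        if (!reg) return 0;
        copy_field(out->alias, sizeof out->alias, tok + 1);
        copy_field(out->name, sizeof out->name, reg);
        return 1;
    }
    char *name = strtok_r(NULL, "\t", &save);  /* "gpr<TAB>rax<TAB>.64<TAB>0<TAB>0" */
    char *bits = strtok_r(NULL, "\t", &save);
    char *off  = strtok_r(NULL, "\t", &save);
    if (!name || !bits || !off || bits[0] != '.') return 0;
    copy_field(out->type, sizeof out->type, tok);
    copy_field(out->name, sizeof out->name, name);
    out->bits   = atoi(bits + 1);
    out->offset = atoi(off);
    return out->bits > 0;
}

/* Parse a whole profile; returns NULL (nothing leaked) on malformed input. */
reg_profile *profile_parse(const char *text) {
    reg_profile *p = calloc(1, sizeof *p);
    char *copy = strdup(text), *save = NULL;
    if (!p || !copy) { free(p); free(copy); return NULL; }
    for (char *line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        reg_entry e;
        if (!parse_line(line, &e) || !profile_push(p, &e)) {
            profile_free(p);
            free(copy);
            return NULL;
        }
    }
    free(copy);
    return p;
}

/* Register that an alias such as "PC" points at, or NULL if absent. */
const char *profile_alias(const reg_profile *p, const char *alias) {
    for (size_t i = 0; i < p->count; i++)
        if (strcmp(p->regs[i].alias, alias) == 0) return p->regs[i].name;
    return NULL;
}

/* Register entry by name (alias lines excluded), or NULL. */
const reg_entry *profile_find(const reg_profile *p, const char *name) {
    for (size_t i = 0; i < p->count; i++)
        if (p->regs[i].alias[0] == '\0' && strcmp(p->regs[i].name, name) == 0) return &p->regs[i];
    return NULL;
}

int main(void) {
    reg_profile *p = profile_parse(SAMPLE_X86_64_PROFILE);
    if (!p) return 1;
    printf("%zu entries, PC alias -> %s\n", p->count, profile_alias(p, "PC"));
    profile_free(p);
    return 0;
}
```

Run against the quoted profile, the PC alias resolves to rip, which identifies it as an x86-64 profile at a glance; a MIPS profile would not name rip. The parser rejects a malformed line by unwinding everything it allocated, so a bad profile surfaces as a NULL return rather than as a corrupted free later on.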