radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

free(): invalid next size (normal): 0x0000000000e26390 *** #842

Closed zonkzonk closed 10 years ago

zonkzonk commented 10 years ago

morn,

buf can be found as a base64-encoded attachment. In: 69921cd65b623e3a53a95ab12941cdef8e224946

,echo q| r2 -c "k `cat /tmp/buf`" /bin/ls
*** Error in `r2': free(): invalid next size (normal): 0x0000000000e26390 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x731ff)[0x7f06f7afa1ff]
/usr/lib/libc.so.6(+0x789ae)[0x7f06f7aff9ae]
/usr/lib/libc.so.6(+0x796b6)[0x7f06f7b006b6]
/usr/local/lib/libr_core.so.0.9.8.git(+0x41a8e)[0x7f06fb98fa8e]
/usr/local/lib/libr_core.so.0.9.8.git(+0x41a69)[0x7f06fb98fa69]
/usr/local/lib/libr_core.so.0.9.8.git(r_core_cmd+0x275)[0x7f06fb991c44]
/usr/local/lib/libr_core.so.0.9.8.git(r_core_cmd0+0x28)[0x7f06fb9921dd]
r2(main+0x182f)[0x4043b5]
/usr/lib/libc.so.6(__libc_start_main+0xf5)[0x7f06f7aa8b05]
r2[0x4026d9]
======= Memory map: ========
00400000-00406000 r-xp 00000000 08:03 10660036                           /usr/local/bin/radare2
00606000-00607000 rw-p 00006000 08:03 10660036                           /usr/local/bin/radare2
00607000-00668000 rw-p 00000000 00:00 0 
00c10000-00e3f000 rw-p 00000000 00:00 0                                  [heap]
7f06f6942000-7f06f6957000 r-xp 00000000 08:03 17036383                   /usr/lib/libgcc_s.so.1
7f06f6957000-7f06f6b57000 ---p 00015000 08:03 17036383                   /usr/lib/libgcc_s.so.1
7f06f6b57000-7f06f6b58000 rw-p 00015000 08:03 17036383                   /usr/lib/libgcc_s.so.1
...

also with -d

greetings z.

buf

zonkzonk commented 10 years ago

for the record: this now prints:

*** Error in `r2': malloc(): memory corruption: 0x0000000001382670 ***

valgrind here: http://sprunge.us/VXZE

radare commented 10 years ago

looks like a bug in SdbJSON. could you fuzz it? or test it more extensively? (open related bugs in sdb repo)

—pancake

On 06 May 2014, at 11:50, zonkzonk notifications@github.com wrote:

zonkzonk commented 10 years ago

here is some gdb mess:

[0x0040487f]>  k "`cat /tmp/buf`"
Breakpoint 1, 0x00007ffff50708b0 in sdb_json_set@plt () from /usr/local/lib/libr_db.so.0.9.8.git
(gdb) watch *0x00007ffff50708b0
Hardware watchpoint 2: *0x00007ffff50708b0
(gdb) reverse-continue
Target multi-thread does not support this command.
(gdb) si
0x00007ffff50708b6 in sdb_json_set@plt () from /usr/local/lib/libr_db.so.0.9.8.git
(gdb) c
Continuing.
*** Error in `/usr/local/bin/r2': free(): invalid next size (normal): 0x00000000007bc900 ***
*** Error in `/usr/local/bin/r2': malloc(): memory corruption: 0x00000000007bc9c0 ***
^C
Program received signal SIGINT, Interrupt.
0x00007ffff3725f88 in pthread_once () from /usr/lib/libpthread.so.0
(gdb) x/i *0x00007ffff50708b0
   0x1ffa25ff:  Cannot access memory at address 0x1ffa25ff
(gdb) i watch
Num     Type           Disp Enb Address            What
2       hw watchpoint  keep y                      *0x00007ffff50708b0
(gdb) x/i *0x00007ffff50708b6
   0x2e68:      Cannot access memory at address 0x2e68
(gdb) !date
Tue May  6 15:28:20 CEST 2014

zonkzonk commented 10 years ago

this is now an endless loop in r2 -v

radare2 0.9.8.git @ linux-little-x86-64 git.0.9.7-996-g34303f2
commit: 34303f266c5700d3fc28aad1ea5c857537f3a147 build: 2014-06-10

valgrind extract:

==11026== Invalid read of size 1
==11026==    at 0x4E8CC41: bin_relocs (bin.c:546)
==11026==    by 0x4E8F411: r_core_bin_info (bin.c:1180)
==11026==    by 0x4E8AD4D: r_core_bin_set_env (bin.c:47)
==11026==    by 0x4E7B556: r_core_file_do_load_for_io_plugin (file.c:303)
==11026==    by 0x4E7B91E: r_core_bin_load (file.c:429)
==11026==    by 0x403D79: main (radare2.c:466)
==11026==  Address 0xabf4e30 is 0 bytes inside a block of size 2,584 free'd
==11026==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11026==    by 0x84E9AB9: r_list_delete (list.c:92)
==11026==    by 0x84E999C: r_list_purge (list.c:61)
==11026==    by 0x84E99E7: r_list_free (list.c:71)
==11026==    by 0x5981432: has_canary (bin_elf.c:429)
==11026==    by 0x59815CC: info (bin_elf.c:455)
==11026==    by 0x596275A: r_bin_object_set_items (bin.c:328)
==11026==    by 0x5963F78: r_bin_object_new (bin.c:807)
==11026==    by 0x59644F1: r_bin_file_new_from_bytes (bin.c:910)
==11026==    by 0x5963328: r_bin_load_io_at_offset_as_sz (bin.c:521)
==11026==    by 0x59633A6: r_bin_load_io_at_offset_as (bin.c:536)
==11026==    by 0x5962ED2: r_bin_load_io (bin.c:448)
==11026== 
==11026== Invalid read of size 1
==11026==    at 0x8D70AC7: vfprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D9B1A8: vsnprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D78281: snprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x4E8CC79: bin_relocs (bin.c:547)
==11026==    by 0x4E8F411: r_core_bin_info (bin.c:1180)
==11026==    by 0x4E8AD4D: r_core_bin_set_env (bin.c:47)
==11026==    by 0x4E7B556: r_core_file_do_load_for_io_plugin (file.c:303)
==11026==    by 0x4E7B91E: r_core_bin_load (file.c:429)
==11026==    by 0x403D79: main (radare2.c:466)
==11026==  Address 0xabf4e30 is 0 bytes inside a block of size 2,584 free'd
==11026==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11026==    by 0x84E9AB9: r_list_delete (list.c:92)
==11026==    by 0x84E999C: r_list_purge (list.c:61)
==11026==    by 0x84E99E7: r_list_free (list.c:71)
==11026==    by 0x5981432: has_canary (bin_elf.c:429)
==11026==    by 0x59815CC: info (bin_elf.c:455)
==11026==    by 0x596275A: r_bin_object_set_items (bin.c:328)
==11026==    by 0x5963F78: r_bin_object_new (bin.c:807)
==11026==    by 0x59644F1: r_bin_file_new_from_bytes (bin.c:910)
==11026==    by 0x5963328: r_bin_load_io_at_offset_as_sz (bin.c:521)
==11026==    by 0x59633A6: r_bin_load_io_at_offset_as (bin.c:536)
==11026==    by 0x5962ED2: r_bin_load_io (bin.c:448)
==11026== 
==11026== Invalid read of size 1
==11026==    at 0x8D9F118: _IO_default_xsputn (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D70B9B: vfprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D9B1A8: vsnprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D78281: snprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x4E8CC79: bin_relocs (bin.c:547)
==11026==    by 0x4E8F411: r_core_bin_info (bin.c:1180)
==11026==    by 0x4E8AD4D: r_core_bin_set_env (bin.c:47)
==11026==    by 0x4E7B556: r_core_file_do_load_for_io_plugin (file.c:303)
==11026==    by 0x4E7B91E: r_core_bin_load (file.c:429)
==11026==    by 0x403D79: main (radare2.c:466)
==11026==  Address 0xabf4e30 is 0 bytes inside a block of size 2,584 free'd
==11026==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11026==    by 0x84E9AB9: r_list_delete (list.c:92)
==11026==    by 0x84E999C: r_list_purge (list.c:61)
==11026==    by 0x84E99E7: r_list_free (list.c:71)
==11026==    by 0x5981432: has_canary (bin_elf.c:429)
==11026==    by 0x59815CC: info (bin_elf.c:455)
==11026==    by 0x596275A: r_bin_object_set_items (bin.c:328)
==11026==    by 0x5963F78: r_bin_object_new (bin.c:807)
==11026==    by 0x59644F1: r_bin_file_new_from_bytes (bin.c:910)
==11026==    by 0x5963328: r_bin_load_io_at_offset_as_sz (bin.c:521)
==11026==    by 0x59633A6: r_bin_load_io_at_offset_as (bin.c:536)
==11026==    by 0x5962ED2: r_bin_load_io (bin.c:448)
==11026== 
==11026== Invalid read of size 1
==11026==    at 0x8D9F127: _IO_default_xsputn (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D70B9B: vfprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D9B1A8: vsnprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D78281: snprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x4E8CC79: bin_relocs (bin.c:547)
==11026==    by 0x4E8F411: r_core_bin_info (bin.c:1180)
==11026==    by 0x4E8AD4D: r_core_bin_set_env (bin.c:47)
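
The memcheck report above is four "Invalid read" blocks that all point at the same freed block: the list released in has_canary (bin_elf.c:429) is later read by bin_relocs (bin.c:546/547), partly through snprintf frames that carry no debug info. Below is an added example, not code from the radare2 project, that parses a memcheck report into (access site, free site) pairs, skips the libc frames to find the first frame with a source location, and groups the reads by the stack that freed the block, so a long valgrind log collapses to one root cause. The sample text is an abbreviated, constructed copy of two of the blocks in this thread; parse_memcheck, blame_frame and summarize are names chosen here, not radare2 or valgrind APIs.

```python
"""Pair each Valgrind memcheck 'Invalid read/write' with the free/alloc site it blames."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated copy of the memcheck report posted in this
# thread (two of the four "Invalid read" blocks, inner frames trimmed). It is not
# a live capture.
SAMPLE_REPORT = """\
==11026== Invalid read of size 1
==11026==    at 0x4E8CC41: bin_relocs (bin.c:546)
==11026==    by 0x4E8F411: r_core_bin_info (bin.c:1180)
==11026==    by 0x403D79: main (radare2.c:466)
==11026==  Address 0xabf4e30 is 0 bytes inside a block of size 2,584 free'd
==11026==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11026==    by 0x84E9AB9: r_list_delete (list.c:92)
==11026==    by 0x84E999C: r_list_purge (list.c:61)
==11026==    by 0x84E99E7: r_list_free (list.c:71)
==11026==    by 0x5981432: has_canary (bin_elf.c:429)
==11026==
==11026== Invalid read of size 1
==11026==    at 0x8D70AC7: vfprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x8D78281: snprintf (in /usr/lib/libc-2.19.so)
==11026==    by 0x4E8CC79: bin_relocs (bin.c:547)
==11026==  Address 0xabf4e30 is 0 bytes inside a block of size 2,584 free'd
==11026==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11026==    by 0x84E9AB9: r_list_delete (list.c:92)
==11026==    by 0x84E999C: r_list_purge (list.c:61)
==11026==    by 0x84E99E7: r_list_free (list.c:71)
==11026==    by 0x5981432: has_canary (bin_elf.c:429)
==11026==
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((.*)\)$")
ADDR = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (\d+) bytes "
                  r"(inside|before|after) a block of size ([\d,]+) (free'd|alloc'd)$")
REPORT_END = re.compile(r"^==\d+==\s*$")   # the empty "==PID==" line closes a block


@dataclass
class Frame:
    addr: int
    func: str
    where: str   # "file.c:123" when debug info exists, else "in /path/to/lib.so"

    def has_source(self) -> bool:
        return not self.where.startswith("in ")

    def __str__(self) -> str:
        return f"{self.func} ({self.where})"


@dataclass
class InvalidAccess:
    kind: str                  # "read" or "write"
    size: int                  # bytes accessed
    access_stack: list = field(default_factory=list)
    addr: int = 0
    offset: int = 0            # distance of the access from the block start
    block_size: int = 0
    block_state: str = ""      # "free'd" (use-after-free) or "alloc'd" (out-of-bounds)
    block_stack: list = field(default_factory=list)   # where it was freed/allocated


def parse_memcheck(text: str) -> list:
    """State machine over memcheck lines: header -> access frames -> Address -> block frames."""
    reports, cur, stack = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = InvalidAccess(kind=m.group(1), size=int(m.group(2)))
            stack = cur.access_stack
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = ADDR.match(line)
        if m:
            cur.addr = int(m.group(1), 16)
            cur.offset = int(m.group(2))
            cur.block_size = int(m.group(4).replace(",", ""))
            cur.block_state = m.group(5)
            stack = cur.block_stack   # frames after this line describe the free/alloc
            continue
        m = FRAME.match(line)
        if m:
            stack.append(Frame(int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        if REPORT_END.match(line):
            cur, stack = None, None
    return reports


def blame_frame(report: InvalidAccess):
    """First access frame that has a source location (skips libc/valgrind frames)."""
    for f in report.access_stack:
        if f.has_source():
            return f
    return report.access_stack[0] if report.access_stack else None


def summarize(reports: list) -> dict:
    """Group accesses by the project frames that freed/allocated the block."""
    groups = {}
    for r in reports:
        key = tuple(str(f) for f in r.block_stack if f.has_source())
        blame = blame_frame(r)
        if blame is not None:
            groups.setdefault(key, set()).add(str(blame))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for free_site, accesses in summarize(parse_memcheck(SAMPLE_REPORT)).items():
        print("block released by:", " <- ".join(free_site))
        for a in accesses:
            print("   used afterwards in:", a)
```

Run it on a full log with `parse_memcheck(open("valgrind.log").read())`; the frame regex assumes plain C symbol names, so C++ frames with spaces in the demangled name would need a looser pattern.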

radare commented 10 years ago

Can't reproduce it :?

jvoisin commented 10 years ago

Can't reproduce either.

zonkzonk commented 10 years ago

still in

$ r2 -v
radare2 0.9.8.git @ linux-little-x86-64 git.0.9.7-1006-g63ae19c
commit: 63ae19c650b6d8d3780599ba4916f7e8421ee62b build: 2014-06-10

$ uname -sm
Linux x86_64

what are you guys testing on? ;)

radare commented 10 years ago

I tested on linux32 and osx64.

Would be nice to address all those valgrind warnings, but I can't reproduce them :P

On 10 Jun 2014, at 23:15, zonkzonk notifications@github.com wrote:

radare commented 10 years ago

Try again please, I did some changes. Paste the default valgrind output (no need for memleak checks).

On 10 Jun 2014, at 23:15, zonkzonk notifications@github.com wrote:

zonkzonk commented 10 years ago

http://sprunge.us/KPAb

zonkzonk commented 10 years ago

changed to

#0  0x00007f61ba1c0e92 in sdb_set_internal () from /usr/local/lib/libr_db.so.0.9.8.git
(gdb) 
(gdb) bt
#0  0x00007f61ba1c0e92 in sdb_set_internal () from /usr/local/lib/libr_db.so.0.9.8.git
#1  0x00007f61ba1c0f4d in sdb_set_owned () from /usr/local/lib/libr_db.so.0.9.8.git
#2  0x00007f61ba1baf18 in sdb_json_set () from /usr/local/lib/libr_db.so.0.9.8.git
#3  0x00007f61ba1bf6d8 in sdb_querys () from /usr/local/lib/libr_db.so.0.9.8.git
#4  0x00007f61bcdf3bc9 in cmd_kuery (data=0x606940 <r>, input=0x20e04b1 " \001Y") at cmd.c:396
#5  0x00007f61bce11bcd in r_cmd_call (cmd=0x1d97d10, input=0x20e04b0 "k \001Y") at cmd_api.c:179
#6  0x00007f61bcdf653f in r_core_cmd_subst_i (core=0x606940 <r>, cmd=0x20e04b0 "k \001Y") at cmd.c:1216
#7  0x00007f61bcdf4d09 in r_core_cmd_subst (core=0x606940 <r>, cmd=0x20e04b0 "k \001Y") at cmd.c:776
#8  0x00007f61bcdf6f81 in r_core_cmd (core=0x606940 <r>, 
    cstr=0x7fffa832366f "k \001Y:\216\225\256m\371\215\a'Z\213\315v\\K\207\274\020\263b\224є\022\177\217\217\207r\360z\257\237\260v\201s\204\335\065\016\237\367D\234lp\267taTݵd\201\262\353\061}F\330%x\342y3a\360y\332\370\004\273\357\362U(T6=,\035\266\267\333\v\312\r\303\002\vFد\232^\234\066u\236\263\204e\374\344\207\320äR\334MW\222\247\322z\330\307S\fL/\241#\353\062\342/\376y:4zvx\206\021\347\267y\177\244tAp\275 \001\300:\235qA\302\332E\022\326m2Z{\356\003p\327\030\211Ն\177\352\212p\354NO\361\361\320O\006/^\251\362\235\226[M)\251\203\242/"..., log=0) at cmd.c:1405
#9  0x00007f61bcdf7527 in r_core_cmd0 (user=0x606940 <r>, 
    cmd=0x7fffa832366f "k \001Y:\216\225\256m\371\215\a'Z\213\315v\\K\207\274\020\263b\224є\022\177\217\217\207r\360z\257\237\260v\201s\204\335\065\016\237\367D\234lp\267taTݵd\201\262\353\061}F\330%x\342y3a\360y\332\370\004\273\357\362U(T6=,\035\266\267\333\v\312\r\303\002\vFد\232^\234\066u\236\263\204e\374\344\207\320äR\334MW\222\247\322z\330\307S\fL/\241#\353\062\342/\376y:4zvx\206\021\347\267y\177\244tAp\275 \001\300:\235qA\302\332E\022\326m2Z{\356\003p\327\030\211Ն\177\352\212p\354NO\361\361\320O\006/^\251\362\235\226[M)\251\203\242/"...) at cmd.c:1528
#10 0x0000000000404421 in main (argc=4, argv=0x7fffa8321988, envp=0x7fffa83219b0) at radare2.c:564
(gdb) 

radare commented 10 years ago

Details on how to reproduce?

On 05 Aug 2014, at 22:24, zonkzonk notifications@github.com wrote:

zonkzonk commented 10 years ago

apply the exact payload [https://cloud.githubusercontent.com/assets/5694980/2818944/a0d56e32-cee9-11e3-93f7-a7062c6f73b4.png] and command [echo q| r2 -c "k `cat /tmp/buf`" /bin/ls] from the initial post. Don't forget to base64 -d.

radare commented 10 years ago

Was this the same issue as "sdb - :" ?

On 05 Aug 2014, at 22:24, zonkzonk notifications@github.com wrote:

zonkzonk commented 10 years ago

can't reproduce in 424e16626d635ee4deb6aca186ed0f915934f44c build: 2014-11-04:

,cd /tmp/
,echo q| r2 -c "k `cat /tmp/buf`" /bin/ls
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
TODO(eddyb): uninmplemented ELF/x64 reloc type 5
|ERROR| Invalid command 'k Y:���m�'Z��v\K���b�є���r�z���v�s��5��D�lp�taTݵd���1}F�%x�y3a�y���U(T6=,���
�                                                                                                    �
 Fد�^�6u���e����R�MW���z�S
.Ka\}L�r_                 L/�#�2�/�y:4zvx��y�tAp� �:�qA�E�m2Z{�p��Ն�p�NO��O/^��[M)���/C�Tb�e�^M�ay!OB�
         ��Y�=�)=�K�bF�&&;�J�qzw~e���1_�B��������L$M��9/}&$�Gy�7f�����%U!�M.~�E�c�~��1˩z'�T'�J�]@U�?>�*�ۉp"��,Y``鷄���j���(��}��b�*c*���I��84&\�����R�3�՟㱫w�%^)��&����*�j&���G�Ɗ�9W��^�h,�r�   ' (0x6b)
 -- If you want to open the file in read-write mode, invoke r2 with '-w'

ahmedhusnainjohar commented 5 years ago

Nothing is going to come of doing deals with you people.