segfault when running ds with windbg plugin

[scrapbird]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	Ubuntu x86 64, OSX
File format of the file you reverse (mandatory)	Windows kernel, not a file
r2 -v full output, not truncated (mandatory)	radare2 2.7.0-git 18580 @ darwin-x86-64 -git.2.6.0-382-g2745486b1 commit: 2745486 build: 2018-06-27__09:22:22

Expected behavior

single step

Actual behavior

➜ radare2 git:(master) radare2 -a x86 -b 32 -D windbg windbg:///tmp/windbg
Opened pipe /tmp/windbg with fd 0x6
State64
Sync done! (4 cpus found)
Major : 15 Minor 7601
Protocol version : 6.0
Flags : 00000003
Machine : 0000014c
Module list : ffffffff8294fe30
Debug block : ffffffff82b7dfec
_KDDEBUGGER_DATA64 at 0x000000008292fc78
= attach 0 0
-- Follow the white rabbit
[0x8287ea38]> ds
State64
= attach 0 1
radare2(73689,0x7fffb3a51340) malloc: *** error for object 0x1: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
[1] 73689 abort radare2 -a x86 -b 32 -D windbg windbg:///tmp/windbg

Steps to reproduce the behavior

• Connect to windbg: radare2 -a x86 -b 32 -D windbg windbg:///tmp/windbg
• Run ds

[scrapbird]

I'm working on the windbg backend anyway so I might take a look at this when I get a chance, just making an issue to track it.

[radare]

i dont have windbg setup, can you share a backtrace, register state, code involved, etc? or valgrind logs, or run it with asan.

[scrapbird]

@radare will grab one for you when I get home tonight.

[scrapbird]

Here you go @radare

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2) at malloc.c:2951
2951 malloc.c: No such file or directory.
(gdb) bt
#0 __GI___libc_free (mem=0x2) at malloc.c:2951
#1 0x00007ffff5d728bb in r_bp_item_free (b=0x5555558dbc30) at bp.c:16
#2 0x00007ffff3dc6d0e in r_list_delete (list=0x5555558b1090, iter=0x5555558dbcf0) at list.c:93
#3 0x00007ffff5d732ac in r_bp_del (bp=0x5555558b0e60, addr=18446735277657083972) at bp.c:227
#4 0x00007ffff6bcef44 in r_debug_step_soft (dbg=0x555555888c50) at debug.c:787
#5 0x00007ffff6bcf0e9 in r_debug_step (dbg=0x555555888c50, steps=1) at debug.c:849
#6 0x00007ffff7a60ad0 in cmd_debug_step (core=0x55555575e580 , input=0x5555558c9af1 "s") at cmd_debug.c:4041
#7 0x00007ffff7a6285e in cmd_debug (data=0x55555575e580 , input=0x5555558c9af1 "s") at cmd_debug.c:4502
#8 0x00007ffff7b1d24f in r_cmd_call (cmd=0x555555858930, input=0x5555558c9af0 "ds") at cmd_api.c:237
#9 0x00007ffff7ad447d in r_core_cmd_subst_i (core=0x55555575e580 , cmd=0x5555558c9af0 "ds", colon=0x0, tmpseek=0x7fffffffe0e6)
at cmd.c:2694
#10 0x00007ffff7ad0ff4 in r_core_cmd_subst (core=0x55555575e580 , cmd=0x5555558c9af0 "ds") at cmd.c:1723
#11 0x00007ffff7ad6b56 in r_core_cmd (core=0x55555575e580 , cstr=0x5555558dbe40 "ds", log=1) at cmd.c:3389
#12 0x00007ffff7a41ce2 in r_core_prompt_exec (r=0x55555575e580 ) at core.c:2230
#13 0x000055555555b687 in main (argc=8, argv=0x7fffffffe5e8, envp=0x7fffffffe630) at radare2.c:1371

[radare]

the .step callback is not implemented in the windbg plugin, so its using sw step based ones from r2.

the thing is... you are not using r2 from git. the linenumbers doesnt match the ones in code. please update

[radare]

for example:

#3 0x00007ffff5d732ac in r_bp_del (bp=0x5555558b0e60, addr=18446735277657083972) at bp.c:227

in bp.c:227 we have this:

227 R_API RBreakpointItem* r_bp_add_hw(RBreakpoint *bp, ut64 addr, int size, int rwx) {
228         return r_bp_add (bp, NULL, addr, size, R_BP_TYPE_HW, rwx);
229 }

so imho your installation is fuckedup somehow

[scrapbird]

I've been working in some of the windbg plugin files, unsure why the line numbers would be different in bp.c but I'll grab another backtrace from your master branch once I get home again (just got in to work and don't have a set up here for this).

[scrapbird]

Here you go, this is from the current master branch:

radare2 2.7.0-git 18711 @ linux-x86-64 git.2.6.0-396-g79b898f
commit: 79b898f build: 2018-06-28__19:10:20

#0 __GI___libc_free (mem=0x2) at malloc.c:2951
#1 0x00007ffff5d6c8eb in r_bp_item_free (b=0x555555900430) at bp.c:16
#2 0x00007ffff3dc1d3e in r_list_delete (list=0x5555558b0fc0, iter=0x555555900510) at list.c:93
#3 0x00007ffff3dc1ca8 in r_list_delete_data (list=0x5555558b0fc0, ptr=0x555555900430) at list.c:82
#4 0x00007ffff5d6cfc1 in unlinkBreakpoint (bp=0x5555558b0d90, b=0x555555900430) at bp.c:154
#5 0x00007ffff5d6d3a3 in r_bp_del (bp=0x5555558b0d90, addr=18446735277657278933) at bp.c:245
#6 0x00007ffff6bc919f in r_debug_step_soft (dbg=0x555555888b60) at debug.c:833
#7 0x00007ffff6bc9344 in r_debug_step (dbg=0x555555888b60, steps=1) at debug.c:895
#8 0x00007ffff7a5e410 in cmd_debug_step (core=0x55555575e580 , input=0x5555558c9a31 "s") at cmd_debug.c:4143
#9 0x00007ffff7a6019e in cmd_debug (data=0x55555575e580 , input=0x5555558c9a31 "s") at cmd_debug.c:4604
#10 0x00007ffff7b1b610 in r_cmd_call (cmd=0x555555858840, input=0x5555558c9a30 "ds") at cmd_api.c:237
#11 0x00007ffff7ad271f in r_core_cmd_subst_i (core=0x55555575e580 , cmd=0x5555558c9a30 "ds", colon=0x0, tmpseek=0x7fffffffe0e6)
at cmd.c:2844
#12 0x00007ffff7acf296 in r_core_cmd_subst (core=0x55555575e580 , cmd=0x5555558c9a30 "ds") at cmd.c:1873
#13 0x00007ffff7ad4dfe in r_core_cmd (core=0x55555575e580 , cstr=0x5555558ff510 "ds", log=1) at cmd.c:3539
#14 0x00007ffff7a3eb0b in r_core_prompt_exec (r=0x55555575e580 ) at core.c:2427
#15 0x000055555555b687 in main (argc=8, argv=0x7fffffffe5e8, envp=0x7fffffffe630) at radare2.c:1371

[radare]

calling free(2) is obviously wrong. can you build with asan so we can get a more complete picture of the problem?

[s0i37]

I have similar:
#0 __GI___libc_free (mem=0x1) at malloc.c:3093
#1 0x00007ffff64cd2e0 in r_bp_item_free (b=0x5555556ff950) at bp.c:16
#2 0x00007ffff7c6b355 in r_list_delete (list=0x55555560e7b0, iter=0x5555556ffa10) at list.c:107
#3 0x00007ffff7c6b293 in r_list_delete_data (list=0x55555560e7b0, ptr=0x5555556ff950) at list.c:96
#4 0x00007ffff64cd9b7 in unlinkBreakpoint (bp=0x55555560f5e0, b=0x5555556ff950) at bp.c:154
#5 0x00007ffff64cdd99 in r_bp_del (bp=0x55555560f5e0, addr=0x82637585) at bp.c:245
#6 0x00007ffff6f67ee0 in r_debug_step_soft (dbg=0x5555555f2f10) at debug.c:838
#7 0x00007ffff6f68065 in r_debug_step (dbg=0x5555555f2f10, steps=0x1) at debug.c:900
#8 0x00007ffff7020e60 in cmd_debug_step (core=0x7ffff639c080 , input=0x5555556ff8c1 "s") at cmd_debug.c:4322
#9 0x00007ffff702302c in cmd_debug (data=0x7ffff639c080 , input=0x5555556ff8c1 "s") at cmd_debug.c:4852
#10 0x00007ffff70f6c39 in r_cmd_call (cmd=0x5555555c2a50, input=0x5555556ff8c0 "ds") at cmd_api.c:244
#11 0x00007ffff70a5b95 in r_core_cmd_subst_i (core=0x7ffff639c080 , cmd=0x5555556ff8c0 "ds", colon=0x0, tmpseek=0x7fffffffde87) at cmd.c:3419
#12 0x00007ffff70a2421 in r_core_cmd_subst (core=0x7ffff639c080 , cmd=0x5555556ff8c0 "ds") at cmd.c:2317
#13 0x00007ffff70a868c in r_core_cmd (core=0x7ffff639c080 , cstr=0x5555556ffe20 "ds", log=0x1) at cmd.c:4254
#14 0x00007ffff70003f7 in r_core_prompt_exec (r=0x7ffff639c080 ) at core.c:3073
#15 0x00007ffff638cc3a in r_main_radare2 (argc=0x8, argv=0x7fffffffe388) at radare2.c:1489
#16 0x000055555555540b in main (argc=0x8, argv=0x7fffffffe388) at radare2.c:95

kvm -hda images/win7_x32.qcow2 -m 1500M -net nic,model=rtl8139 -net tap -monitor stdio -usbdevice tablet -chardev socket,id=serial0,path=/tmp/serial0,nowait,server -serial chardev:serial0 -snapshot bcdedit /dbgsettings serial debugport:1 baudrate:115200 r2 -a x86 -b 32 -D windbg windbg:///tmp/serial0 ds