
coredump when pdd #16268

Closed
Ruturaj4 opened this issue Mar 20, 2020 · 9 comments

Comments

@Ruturaj4

Ruturaj4 commented Mar 20, 2020

Work environment

OS/arch/bits (mandatory): Ubuntu x86 64 (wsl)
File format of the file you reverse (mandatory): ELF
Architecture/bits of the file (mandatory): x86/64
r2 -v full output, not truncated (mandatory): radare2 4.4.0-git 24020 @ linux-x86-64 git.4.3.1-78-g71d3709 commit: 71d3709 build: 2020-03-20__08:55:17

Expected behavior

Used the pdd command to get the decompiled code (after running aaa, of course).

Actual behavior

coredump

Steps to reproduce the behavior

Binary source (stripped, although it doesn't matter whether it is stripped; it crashes all the time):

#include <stdbool.h>
#include <unistd.h>   /* getopt */

void do_decode(void) {}

int main(int argc, char **argv)
{
  bool decode = false;
  int opt = getopt(argc, argv, "d");   /* accept a single -d flag */
  switch (opt)
  {
    case 'd':
      decode = true;
      break;
    default:
      break;
  }
  if (decode) do_decode();
  return 0;
}

Additional Logs, screenshots, source-code, configuration dump, ...


The pd command works; I am not sure what the problem with pdd is. I have already installed r2dec.


@radare
Collaborator

radare commented Mar 20, 2020 via email

@Ruturaj4
Author

Ruturaj4 commented Mar 20, 2020

Backtrace using gdb, as I couldn't find asan.sh in the ./sys/ directory. Thanks for the reply. Note that I'm using Windows Subsystem for Linux (but I think it shouldn't matter).

(gdb) r ../../re_challenges/type_inference/a.out
Starting program: /usr/bin/r2 ../../re_challenges/type_inference/a.out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 -- Iaito became Cutter the same way Iai-giri became Cut.
[0x004003e0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x004003e0]> pdd

Program received signal SIGSEGV, Segmentation fault.
0x00007ffffc9ac760 in r_core_cmd (core=0x7fff00000000, cstr=0x8820bd0 "ec*", log=0) at cmd.c:6150
6150            if (core->use_tree_sitter_r2cmd) {
(gdb) bt
#0  0x00007ffffc9ac760 in r_core_cmd (core=0x7fff00000000, cstr=0x8820bd0 "ec*", log=0) at cmd.c:6150
#1  0x00007ffffc9ad45d in r_core_cmd_str (core=0x7fff00000000, cmd=0x8820bd0 "ec*") at cmd.c:6452
#2  0x00007ffff98acb96 in duk_r2cmd (ctx=0x85e4760) at core_pdd.c:67
#3  0x00007ffff986ed48 in duk__handle_call_raw (thr=thr@entry=0x85e4760, idx_func=idx_func@entry=3,
    call_flags=call_flags@entry=8) at duk_js_call.c:2231
#4  0x00007ffff985f278 in duk_handle_call_unprotected (call_flags=8, idx_func=3, thr=0x85e4760)
    at duk_js_call.c:2385
#5  duk__executor_handle_call (call_flags=<optimized out>, nargs=1, idx=3, thr=0x85e4760)
    at duk_js_executor.c:2655
#6  duk__js_execute_bytecode_inner (entry_act=entry_act@entry=0x85f2dc0, entry_thread=0x85e4760)
    at duk_js_executor.c:4729
#7  0x00007ffff986e11e in duk_js_execute_bytecode (exec_thr=exec_thr@entry=0x85e4760)
    at duk_js_executor.c:2917
#8  0x00007ffff986ef51 in duk__handle_call_raw (thr=0x85e4760, idx_func=<optimized out>,
    call_flags=call_flags@entry=0) at duk_js_call.c:2203
#9  0x00007ffff9870429 in duk_handle_call_unprotected (call_flags=0, idx_func=<optimized out>,
    thr=<optimized out>) at duk_js_call.c:2385
#10 duk_call_method (thr=<optimized out>, nargs=<optimized out>) at duk_api_call.c:152
#11 0x00007ffff988c575 in duk_eval_raw (thr=thr@entry=0x85e4760,
    src_buffer=src_buffer@entry=0x7ffffffed1b0 "try{if(typeof r2dec_main == 'function'){r2dec_main([]);}else{console.log('Fatal error. Cannot use R2_HOME_DATADIR.');}}catch(_____e){console.log(_____e.stack||_____e);}",
    src_length=src_length@entry=0, flags=0, flags@entry=3848) at duk_api_compile.c:43
#12 0x00007ffff98ac7ae in duk_r2dec (core=core@entry=0x7fffff6a0010, input=input@entry=0x8533743 "")
    at core_pdd.c:171
#13 0x00007ffff98ac90c in _cmd_pdd (input=0x8533743 "", core=0x7fffff6a0010) at core_pdd.c:231
#14 r_cmd_pdd (user=0x7fffff6a0010, input=<optimized out>) at core_pdd.c:285
#15 0x00007ffffca00bd9 in r_cmd_call (cmd=0x8466680, input=0x8533740 "pdd") at cmd_api.c:236
#16 0x00007ffffc9a9c91 in r_core_cmd_subst_i (core=0x7fffff6a0010, cmd=0x8533740 "pdd", colon=0x0,
    tmpseek=0x7ffffffeda6a) at cmd.c:3762
#17 0x00007ffffc9a5d8f in r_core_cmd_subst (core=0x7fffff6a0010, cmd=0x8533740 "pdd") at cmd.c:2681
#18 0x00007ffffc9ac6da in run_cmd_depth (core=0x7fffff6a0010, cmd=0x85610e0 "pdd") at cmd.c:6135
#19 0x00007ffffc9aca84 in r_core_cmd (core=0x7fffff6a0010, cstr=0x85610c0 "pdd", log=1) at cmd.c:6215
#20 0x00007ffffc8f4b5c in r_core_prompt_exec (r=0x7fffff6a0010) at core.c:3046
#21 0x00007ffffc8f41f6 in r_core_prompt_loop (r=0x7fffff6a0010) at core.c:2897
#22 0x00007ffffecae6c6 in r_main_radare2 (argc=2, argv=0x7ffffffedf88) at radare2.c:1350
#23 0x0000000008000d0d in main (argc=2, argv=0x7ffffffedf88) at radare2.c:96

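The backtrace above carries the key observation: the innermost frames (#0, #1) receive core=0x7fff00000000, while every outer frame from duk_r2dec upward is working with core=0x7fffff6a0010, so the pointer handed from the r2dec plugin into r_core_cmd_str is not the core pointer the rest of the call chain uses. The script below is an added example, not code from radare2, r2dec or the participants in this issue: it parses gdb-style frame lines, collects every value of a named pointer argument, and reports the frames that disagree with the majority, with a heuristic flag for pointers whose low 32 bits are all zero. The sample frames are copied from the trace above and trimmed to the single-line frames that carry a `core=` argument (the wrapped frame #12 was rejoined onto one line); the regexes assume gdb's usual `#N 0xADDR in func (args) at file:line` layout.

```python
"""Spot a corrupted pointer argument in a gdb backtrace.

Added example (not radare2/r2dec code). Given backtrace text, find the
frames whose value for a named argument disagrees with the value the
rest of the call chain uses.
"""
import re
from collections import Counter

# Constructed sample: single-line frames copied from the issue's gdb output,
# limited to the ones that carry a `core=` argument.
SAMPLE_BT = """\
#0  0x00007ffffc9ac760 in r_core_cmd (core=0x7fff00000000, cstr=0x8820bd0 "ec*", log=0) at cmd.c:6150
#1  0x00007ffffc9ad45d in r_core_cmd_str (core=0x7fff00000000, cmd=0x8820bd0 "ec*") at cmd.c:6452
#2  0x00007ffff98acb96 in duk_r2cmd (ctx=0x85e4760) at core_pdd.c:67
#12 0x00007ffff98ac7ae in duk_r2dec (core=core@entry=0x7fffff6a0010, input=input@entry=0x8533743 "") at core_pdd.c:171
#13 0x00007ffff98ac90c in _cmd_pdd (input=0x8533743 "", core=0x7fffff6a0010) at core_pdd.c:231
#19 0x00007ffffc9aca84 in r_core_cmd (core=0x7fffff6a0010, cstr=0x85610c0 "pdd", log=1) at cmd.c:6215
"""

# One gdb frame: "#N  0xADDR in func (args) at file:line"; the address part
# is optional because gdb omits it for frames at the start of a function.
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+)\s*\((?P<args>.*)\)\s+at\s+(?P<loc>\S+)'
)
# "name=0x..." or gdb's "name=name@entry=0x..." form; non-pointer args are skipped.
ARG_RE = re.compile(r'(?P<name>\w+)=(?:\w+@entry=)?(?P<val>0x[0-9a-f]+)')


def parse_frames(text):
    """Return a list of {'num', 'func', 'args', 'loc'} dicts, one per frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation lines and noise are ignored
        args = {a.group('name'): int(a.group('val'), 16)
                for a in ARG_RE.finditer(m.group('args'))}
        frames.append({'num': int(m.group('num')), 'func': m.group('func'),
                       'args': args, 'loc': m.group('loc')})
    return frames


def suspicious_frames(frames, arg='core'):
    """Return (majority value of `arg`, frames whose `arg` differs from it)."""
    values = [f['args'][arg] for f in frames if arg in f['args']]
    if not values:
        return None, []
    expected, _ = Counter(values).most_common(1)[0]
    bad = [f for f in frames if arg in f['args'] and f['args'][arg] != expected]
    return expected, bad


def looks_truncated(value):
    """Heuristic: a non-null 64-bit user-space pointer whose low 32 bits are
    all zero (0x7fff00000000 in this trace) is far more likely to be a
    half-initialised or mis-passed value than a genuine object address."""
    return value != 0 and (value & 0xffffffff) == 0


def report(text, arg='core'):
    """One human-readable line per frame that disagrees on `arg`."""
    frames = parse_frames(text)
    expected, bad = suspicious_frames(frames, arg)
    lines = []
    for f in bad:
        flag = ' (low 32 bits zero: looks truncated)' if looks_truncated(f['args'][arg]) else ''
        lines.append(f"#{f['num']} {f['func']} at {f['loc']}: {arg}={f['args'][arg]:#x}, "
                     f"outer frames use {expected:#x}{flag}")
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_BT):
        print(line)
```

Run against the sample it flags frames #0 and #1 as carrying a core pointer that no other frame agrees with; on a real trace, the frame just outside the first flagged one (here duk_r2cmd in core_pdd.c:67) is where to start reading, since that is the call that introduced the bad value.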
@enovella
Contributor

enovella commented Mar 21, 2020

I also came across this crash. Hopefully it can help you out:

[0x08000070]> pdd
file.c:351:8: runtime error: store to misaligned address 0x7fff27cff81c for type 'size_t', which requires 8 byte alignment
0x7fff27cff81c: note: pointer points here
  00 00 00 00 00 00 00 00  00 78 76 4b a4 7f 00 00  40 00 00 00 b0 60 00 00  00 00 00 00 00 00 00 00
              ^ 
file.c:393:8: runtime error: store to misaligned address 0x7fff27cff81c for type 'size_t', which requires 8 byte alignment
0x7fff27cff81c: note: pointer points here
  00 00 00 00 00 00 00 00  00 00 00 00 a4 7f 00 00  40 00 00 00 b0 60 00 00  00 00 00 00 00 00 00 00
              ^ 
ASAN:DEADLYSIGNAL
=================================================================
==11697==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa400061078 (pc 0x7fa45617397b bp 0x7fff27cff340 sp 0x7fff27cff2f0 T0)
==11697==The signal is caused by a READ memory access.
    #0 0x7fa45617397a in r_core_cmd /home/edu/radare2/libr/core/cmd.c:6150
    #1 0x7fa4561756d5 in r_core_cmd_str /home/edu/radare2/libr/core/cmd.c:6452
    #2 0x7fa445986770 in duk_r2cmd /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:67
    #3 0x7fa4459477a2 in duk__handle_call_raw /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_call.c:2231
    #4 0x7fa4459370a9 in duk_handle_call_unprotected /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_call.c:2385
    #5 0x7fa4459370a9 in duk__executor_handle_call /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_executor.c:2655
    #6 0x7fa4459370a9 in duk__js_execute_bytecode_inner /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_executor.c:4729
    #7 0x7fa445946bfa in duk_js_execute_bytecode /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_executor.c:2917
    #8 0x7fa4459479e3 in duk__handle_call_raw /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_js_call.c:2203
    #9 0x7fa445971304 in duk_eval_raw /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/duk_api_compile.c:43
    #10 0x7fa445986372 in duk_r2dec /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:171
    #11 0x7fa4459864bb in _cmd_pdd /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:231
    #12 0x7fa4459864bb in r_cmd_pdd /home/edu/.local/share/radare2/r2pm/git/r2dec-js/p/core_pdd.c:285
    #13 0x7fa45628c2e4 in r_cmd_call /home/edu/radare2/libr/core/cmd_api.c:236
    #14 0x7fa45616b00e in r_core_cmd_subst_i /home/edu/radare2/libr/core/cmd.c:3762
    #15 0x7fa45615ec14 in r_core_cmd_subst /home/edu/radare2/libr/core/cmd.c:2681
    #16 0x7fa4561736df in run_cmd_depth /home/edu/radare2/libr/core/cmd.c:6135
    #17 0x7fa456174357 in r_core_cmd /home/edu/radare2/libr/core/cmd.c:6215
    #18 0x7fa455f3e587 in r_core_prompt_exec /home/edu/radare2/libr/core/core.c:3046
    #19 0x7fa455f3c5a9 in r_core_prompt_loop /home/edu/radare2/libr/core/core.c:2897
    #20 0x7fa45d45f033 in r_main_radare2 /home/edu/radare2/libr/main/radare2.c:1350
    #21 0x55ed362028f8 in main /home/edu/radare2/binr/radare2/radare2.c:96
    #22 0x7fa45c2edb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #23 0x55ed362023d9 in _start (/home/edu/radare2/binr/radare2/radare2+0x13d9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/edu/radare2/libr/core/cmd.c:6150 in r_core_cmd
==11697==ABORTING

@radare
Collaborator

radare commented Mar 21, 2020 via email

@Ruturaj4
Author

Yes, in my case.

@enovella
Contributor

enovella commented Mar 21, 2020

As usual, so also yes on my end.

@enovella
Contributor

From https://github.com/wargio/r2dec-js
   d6b59c9..46ecbc6  master     -> origin/master
Updating d6b59c9..46ecbc6
Fast-forward
 core_pdd.c   | 284 -------------------------------------------------------------------------------------------------------------------
 p/core_pdd.c |   5 ++-
 2 files changed, 4 insertions(+), 285 deletions(-)
 delete mode 100644 core_pdd.c
clean Done For r2dec

After this update it got fixed, I believe.

@radare
Collaborator

radare commented Mar 21, 2020 via email

@Ruturaj4
Author

Ruturaj4 commented Apr 6, 2020

I reinstalled r2dec and it works fine now.

@Ruturaj4 Ruturaj4 closed this as completed Apr 6, 2020