
On tour with r2 and sigbus :) #902

Closed
zonkzonk opened this issue May 8, 2014 · 3 comments

Comments

@zonkzonk
Contributor

zonkzonk commented May 8, 2014

morrn,

IN:

zzuf  r2 -c "`cat buf.core`,V!" ./cp

where buf.core is base64-encoded attached.

OUT:

zzuf[s=0,r=0.004]: signal 7 (SIGBUS)

Core was generated by `r2 -c �x3Д`�?��\�X��P7����yhv���G1[�E��jp�1���Z7%%+�u�X��s��|�'.
Program terminated with signal SIGBUS, Bus error.
#0  0x00007fcc05f43850 in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
(gdb) #0  0x00007fcc05f43850 in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
#1  0x00007fcc0a05ab78 in mmap (start=0x0, length=1024, prot=1, flags=1, fd=6, offset=0) at libzzuf/lib-mem.c:354
#2  0x00007fcc0688db9a in r_file_mmap_unix (m=0xebbec0, fd=6) at file.c:436
#3  0x00007fcc0688dd34 in r_file_mmap (file=0xebbe50 "/tmp/cp", rw=0, base=0) at file.c:519
#4  0x00007fcc06890c8c in r_buf_mmap (file=0xebbe50 "/tmp/cp", flags=4) at buf.c:34
#5  0x00007fcc0829e8a4 in r_io_def_mmap_refresh_def_mmap_buf (mmo=0xebbcc0) at p/io_default.c:43
#6  0x00007fcc0829ee76 in r_io_def_mmap_truncate (mmo=0xebbcc0, size=0) at p/io_default.c:174
#7  0x00007fcc0829ef22 in r_io_def_mmap_resize (io=0xe81710, fd=0xebc3e0, size=0) at p/io_default.c:188
#8  0x00007fcc0829f061 in __resize (io=0xe81710, fd=0xebc3e0, size=0) at p/io_default.c:217
#9  0x00007fcc082a67ed in r_io_resize (io=0xe81710, newsize=0) at io.c:393
#10 0x00007fcc09dd686e in cmd_resize (data=0x606940 <r>, 
    input=0xf37a01 "\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި\307\356~", <incomplete sequence \326>) at cmd.c:621
#11 0x00007fcc09df30f2 in r_cmd_call (cmd=0xe85550, 
    input=0xf37a00 "r\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި\307\356~", <incomplete sequence \326>) at cmd_api.c:173
#12 0x00007fcc09dd90db in r_core_cmd_subst_i (core=0x606940 <r>, 
    cmd=0xf37a00 "r\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި\307\356~", <incomplete sequence \326>) at cmd.c:1416
#13 0x00007fcc09dd78ae in r_core_cmd_subst (core=0x606940 <r>, 
    cmd=0xf37a00 "r\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި\307\356~", <incomplete sequence \326>) at cmd.c:976
#14 0x00007fcc09dd791c in r_core_cmd_subst (core=0x606940 <r>, 
    cmd=0xf378f0 "\232x3Д`\356\265\323?\343\370\336\036\\\361X\276\200P7\222\273\206\315y\027hv\023\265\373\030\336G1[\205E\262\323jp\343\351\061\350\273ނ\333\033\036\264Z7%\021%+\222u\252X\206\333s\025\204\355|\036\255KM\006\022f\276^*5\237\233\065=\250\253\260F\342_%$\035") at cmd.c:982
#15 0x00007fcc09dd9af1 in r_core_cmd (core=0x606940 <r>, 
    cstr=0x7fff2aca3ce6 "\232x3Д`\356\265\323?\343\370\336\036\\\361X\276\200P7\222\273\206\315y\027hv\023\265\373\030\336G1[\205E\262\323jp\343\351\061\350\273ނ\333\033\036\264Z7%\021%+\222u\252X\206\333s\025\204\355|\036\255KM\006\022f\276^*5\237\233\065=\250\253\260F\342_%$\035\026>*\246\215\252\004\004iַ\373\325\372\227\351\006\375\245\242\024\263\367\205\263!\220\216fK|\307\025$^\210\220\257\330\304\307b\353H\204\203\362\252\371y:\376\322MP\372JJ\354\215ƣa\250\340\275T54\273\200\341\061\321\370\323z\216S\037\211;r\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި"..., log=0)
    at cmd.c:1601
#16 0x00007fcc09dda08a in r_core_cmd0 (user=0x606940 <r>, 
    cmd=0x7fff2aca3ce6 "\232x3Д`\356\265\323?\343\370\336\036\\\361X\276\200P7\222\273\206\315y\027hv\023\265\373\030\336G1[\205E\262\323jp\343\351\061\350\273ނ\333\033\036\264Z7%\021%+\222u\252X\206\333s\025\204\355|\036\255KM\006\022f\276^*5\237\233\065=\250\253\260F\342_%$\035\026>*\246\215\252\004\004iַ\373\325\372\227\351\006\375\245\242\024\263\367\205\263!\220\216fK|\307\025$^\210\220\257\330\304\307b\353H\204\203\362\252\371y:\376\322MP\372JJ\354\215ƣa\250\340\275T54\273\200\341\061\321\370\323z\216S\037\211;r\303\061\206\301\211\225\"\343\236P\360,\002\243PE\256\247\017\344ި"...)
    at cmd.c:1723
#17 0x000000000040441b in main (argc=4, argv=0x7fff2aca32f8, envp=0x7fff2aca3320) at radare2.c:562

Attachment: buf.core

r2 version: 773b033

greetings
z.
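The backtrace shows the `r` resize command truncating the file to size 0, after which the mmap buffer is refreshed with a 1024-byte mapping and the copy out of it faults: pages of a mapping that lie entirely past the end of the file raise SIGBUS on first access. The following is an added example, not radare2's own code, that reproduces that sequence on a temporary file and shows the fstat() size check that turns the fault into a handled error; `map_copy_checked` and `demo_truncate_then_remap` are hypothetical names.

```c
/* Added example (not radare2 code). Assumes Linux/POSIX mmap semantics:
 * a page of a file mapping that is wholly beyond EOF raises SIGBUS. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map `want` bytes of fd and copy them into out.
 * Returns bytes copied, 0 when the file is shorter than the request
 * (e.g. it was just truncated to 0, as in the backtrace), -1 on error.
 * A naive version would mmap(want) and memcpy(want) regardless: mmap
 * itself succeeds on an empty file, the memcpy then hits SIGBUS. */
static ssize_t map_copy_checked(int fd, void *out, size_t want) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    /* Refuse instead of mapping past EOF. */
    if (st.st_size <= 0 || (size_t)st.st_size < want) return 0;
    void *m = mmap(NULL, want, PROT_READ, MAP_PRIVATE, fd, 0);
    if (m == MAP_FAILED) return -1;
    memcpy(out, m, want);
    munmap(m, want);
    return (ssize_t)want;
}

/* Write 64 bytes, map/copy them (works), truncate to 0 like `r 0`,
 * then ask for the 1024-byte refresh seen in the backtrace.
 * Returns 1 when the first copy succeeded and the second was refused. */
int demo_truncate_then_remap(void) {
    char path[] = "/tmp/sigbus-demo-XXXXXX";   /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);
    char data[64];
    memset(data, 'A', sizeof data);
    if (write(fd, data, sizeof data) != (ssize_t)sizeof data) { close(fd); return 0; }
    char out[1024];
    ssize_t before = map_copy_checked(fd, out, sizeof data); /* 64 */
    if (ftruncate(fd, 0) < 0) { close(fd); return 0; }        /* the resize */
    ssize_t after = map_copy_checked(fd, out, 1024);          /* 0: refused */
    close(fd);
    return before == (ssize_t)sizeof data && after == 0;
}
```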

@radare
Collaborator

radare commented May 9, 2014

it would be great if you could show some more feedback in your crashes, because reproducing them implies fuzzing command execution which can result in rm -rf / and I’m too lazy to be careful.

Please, provide ‘list’ of the 3 last items in the backtrace, then use ‘print’ to identify the root cause of the crash. This is a null deref, the length of the memcpy, the buffer of the command executed, etc.

Also, it would be great if you could also provide non-fuzz-based reproducible crashes or the patch itself :)


@zonkzonk
Contributor Author

zonkzonk commented May 9, 2014

I'm very sorry that you are "too lazy to be careful". Why not set up a dedicated Linux VM?
On the list command I asked how to automate it and got no feedback. Also, others submit coredumps
too, with bt only.

On the last point: how about creating an automated fuzz environment to check from time to
time and not submitting these as issues anymore?

I'll try to provide a patch, if I can.

jvoisin changed the title from "on tour with r2 and sigbus :)" to "On tour with r2 and sigbus :)" on May 14, 2014
@zonkzonk
Contributor Author

can't reproduce in 0ecb57d
Thanks!
