hexdump and dereference start dumping from offset #398

Closed
3 tasks done
elklepo opened this issue Nov 20, 2018 · 28 comments
Comments

@elklepo

elklepo commented Nov 20, 2018

Your issue will be closed unless you confirm the following:

Step 1: Describe your environment

  • Operating System: Ubuntu 14.04 4.4.0-137-generic
  • Architecture: x64
  • GDB version (including the Python library version): gdb 8.2, python 2.7.6

Step 2: Describe your problem

hexdump and dereference do not print a dump of the exact address; they apply an offset to it that increments after every single call, e.g.

gef➤  hexdump dword 0xff8c6060
0xff8c6060│+0x0000   0x00000000
0xff8c6064│+0x0004   0x00000000
0xff8c6068│+0x0008   0x00000000
0xff8c606c│+0x000c   0xf7564af3
0xff8c6070│+0x0010   0x00000001
0xff8c6074│+0x0014   0xff8c6104
0xff8c6078│+0x0018   0xff8c610c
0xff8c607c│+0x001c   0xf7728e6a
0xff8c6080│+0x0020   0x00000001
0xff8c6084│+0x0024   0xff8c6104
0xff8c6088│+0x0028   0xff8c60a4
0xff8c608c│+0x002c   0x0804a014
0xff8c6090│+0x0030   0x0804825c
0xff8c6094│+0x0034   0xf76f8000
0xff8c6098│+0x0038   0x00000000
0xff8c609c│+0x003c   0x00000000
gef➤  hexdump dword 0xff8c6060
0xff8c60a0│+0x0040   0x00000000
0xff8c60a4│+0x0044   0x2e1c68e9
0xff8c60a8│+0x0048   0x9a49ecf8
0xff8c60ac│+0x004c   0x00000000
0xff8c60b0│+0x0050   0x00000000
0xff8c60b4│+0x0054   0x00000000
0xff8c60b8│+0x0058   0x00000001
0xff8c60bc│+0x005c   0x080483e0
0xff8c60c0│+0x0060   0x00000000
0xff8c60c4│+0x0064   0xf772e660
0xff8c60c8│+0x0068   0xf7564a09
0xff8c60cc│+0x006c   0xf773b000
0xff8c60d0│+0x0070   0x00000001
0xff8c60d4│+0x0074   0x080483e0
0xff8c60d8│+0x0078   0x00000000
0xff8c60dc│+0x007c   0x08048401
gef➤

This offset is also applied to hexdump and dereference calls to other address/register targets.

Expected results

  • hexdump and dereference print a dump of the exact address that is passed as the argument.

Traces

Another example:

gef➤  hexdump dword 0xffb75d20
0xffb75d20│+0x0000   0x00000000
0xffb75d24│+0x0004   0x00000000
0xffb75d28│+0x0008   0x00000000
0xffb75d2c│+0x000c   0xf75c2af3
0xffb75d30│+0x0010   0x00000001
0xffb75d34│+0x0014   0xffb75dc4
0xffb75d38│+0x0018   0xffb75dcc
0xffb75d3c│+0x001c   0xf7786e6a
0xffb75d40│+0x0020   0x00000001
0xffb75d44│+0x0024   0xffb75dc4
0xffb75d48│+0x0028   0xffb75d64
0xffb75d4c│+0x002c   0x0804a014
0xffb75d50│+0x0030   0x0804825c
0xffb75d54│+0x0034   0xf7756000
0xffb75d58│+0x0038   0x00000000
0xffb75d5c│+0x003c   0x00000000
gef➤  print $edx
$1 = 0xffb75d54
gef➤  hexdump dword $edx
0xffb75d94│+0x0040   0x080483e0
0xffb75d98│+0x0044   0x00000000
0xffb75d9c│+0x0048   0x08048401
0xffb75da0│+0x004c   0x08048494
0xffb75da4│+0x0050   0x00000001
0xffb75da8│+0x0054   0xffb75dc4
0xffb75dac│+0x0058   0x08048560
0xffb75db0│+0x005c   0x080485d0
0xffb75db4│+0x0060   0xf7787300
0xffb75db8│+0x0064   0xffb75dbc
0xffb75dbc│+0x0068   0x0000001c
0xffb75dc0│+0x006c   0x00000001
0xffb75dc4│+0x0070   0xffb7684c
0xffb75dc8│+0x0074   0x00000000
0xffb75dcc│+0x0078   0xffb76869
0xffb75dd0│+0x007c   0xffb7687c

@hugsy (Owner)

hugsy commented Nov 20, 2018

Confirmed

hugsy pushed a commit that referenced this issue Nov 22, 2018
… command typed to trigger to auto-continuation
@hugsy (Owner)

hugsy commented Nov 22, 2018

After 8deeafb

gef➤  dq $rsp l5
0x00007fffffffe020│+0x0000   0x0000000000000001   
0x00007fffffffe028│+0x0008   0x00007fffffffe378   
0x00007fffffffe030│+0x0010   0x0000000000000000   
0x00007fffffffe038│+0x0018   0x00007fffffffe380   
0x00007fffffffe040│+0x0020   0x00007fffffffe394   
gef➤  dq $rsp l5
0x00007fffffffe048│+0x0028   0x00007fffffffe3af   
0x00007fffffffe050│+0x0030   0x00007fffffffe3e5   
0x00007fffffffe058│+0x0038   0x00007fffffffe416   
0x00007fffffffe060│+0x0040   0x00007fffffffe42b   
0x00007fffffffe068│+0x0048   0x00007fffffffe438   

@hugsy (Owner)

hugsy commented Nov 22, 2018

@elklepo Please check and let us know.

@elklepo (Author)

elklepo commented Nov 22, 2018

@hugsy Thank You very much. I can confirm that it works properly.

@hugsy (Owner)

hugsy commented Nov 22, 2018

Happy to read that.

@wbowling (Contributor)

After 8deeafb

gef➤  dq $rsp l5
0x00007fffffffe020│+0x0000   0x0000000000000001   
0x00007fffffffe028│+0x0008   0x00007fffffffe378   
0x00007fffffffe030│+0x0010   0x0000000000000000   
0x00007fffffffe038│+0x0018   0x00007fffffffe380   
0x00007fffffffe040│+0x0020   0x00007fffffffe394   
gef➤  dq $rsp l5
0x00007fffffffe048│+0x0028   0x00007fffffffe3af   
0x00007fffffffe050│+0x0030   0x00007fffffffe3e5   
0x00007fffffffe058│+0x0038   0x00007fffffffe416   
0x00007fffffffe060│+0x0040   0x00007fffffffe42b   
0x00007fffffffe068│+0x0048   0x00007fffffffe438   

That doesn't look right. If you run deref $rsp l5 twice (as in, don't just press Enter), then it should print the same thing twice, as it's not a continuation.

@wbowling (Contributor)

GDB version (including the Python library version): gdb 8.2, python 2.7.6

gdb 8.2: this is the issue, I think; see https://sourceware.org/bugzilla/show_bug.cgi?id=23714 and https://sourceware.org/bugzilla/show_bug.cgi?id=23669

@elklepo (Author)

elklepo commented Nov 22, 2018

gef➤ hexdump dword $esp l3
0xffffcfc0│+0x0000 0xf7fe59b0
0xffffcfc4│+0x0004 0xffffcfe0
0xffffcfc8│+0x0008 0x00000000
gef➤ hexdump dword $esp l3
0xffffcfcc│+0x000c 0xf7dece81
0xffffcfd0│+0x0010 0xf7fac000
0xffffcfd4│+0x0014 0xf7fac000
gef➤ hexdump dword $esp l2
0xffffcfc0│+0x0000 0xf7fe59b0
0xffffcfc4│+0x0004 0xffffcfe0
gef➤ hexdump dword $esp l3
0xffffcfc0│+0x0000 0xf7fe59b0
0xffffcfc4│+0x0004 0xffffcfe0
0xffffcfc8│+0x0008 0x00000000
gef➤ n
gef➤ hexdump dword $esp l3
0xffffcfcc│+0x000c 0xf7dece81
0xffffcfd0│+0x0010 0xf7fac000
0xffffcfd4│+0x0014 0xf7fac000

So it seems that if you follow one command with the exact same command it dumps memory sequentially, and the applied offset is reset once a different command is executed. In my opinion that is good behavior (for sure it is not an issue but a personal preference). The thing that is a problem is that the next and continue commands do not reset the offset. This is problematic if you would like to monitor an address after every step and you don't want to create a memory watch (which is quite a common procedure).

@wbowling (Contributor)

So it seems that if You follow one command by exact same command it dumps memory sequentially and applied offset is reset once different command is executed, in my opinion it is good behavior

Yeah, this is what is meant to happen if you press Enter again: it should continue on from the current offset (just like vanilla gdb), as it's really handy:

gef➤   hexdump dword $rsp l3
0x00007fffffffe000│+0x0000   0x00000000
0x00007fffffffe004│+0x0004   0x00000000
0x00007fffffffe008│+0x0008   0xf7ba2704
gef➤
0x00007fffffffe00c│+0x000c   0x00007fff
0x00007fffffffe010│+0x0010   0x557a1ea0
0x00007fffffffe014│+0x0014   0x00005555
gef➤
0x00007fffffffe018│+0x0018   0x00000009
0x00007fffffffe01c│+0x001c   0x00000000
0x00007fffffffe020│+0x0020   0x00081298

But if you retype the same command, then it should use the exact arguments. After 8deeafb the offset will never be reset:

gef➤  telescope $rsp l3
0x00007fffffffe018│+0x0018: 0x0000000000000008
0x00007fffffffe020│+0x0020: 0x00000000000815c4
0x00007fffffffe028│+0x0028: 0x00007ffff7b968ac  →  <curl_easy_perform+428> jmp 0x7ffff7b9680f <curl_easy_perform+271>
gef➤
0x00007fffffffe030│+0x0030: 0x00007fffffffe04c  →  0x0000000000000000
0x00007fffffffe038│+0x0038: 0x00007fffffffe054  →  0xa9fd250000007fff
0x00007fffffffe040│+0x0040: 0x0000000000000000
gef➤  hexdump dword $rsp l3
0x00007fffffffe000│+0x0000   0x00000000
0x00007fffffffe004│+0x0004   0x00000000
0x00007fffffffe008│+0x0008   0xf7ba2704
gef➤  telescope $rsp l3
0x00007fffffffe048│+0x0048: 0x0000000000000000
0x00007fffffffe050│+0x0050: 0x00007fff00000000	 ← $r12
0x00007fffffffe058│+0x0058: 0x4e7c3b34a9fd2500

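To make the distinction argued above concrete, here is an added Python example (not GEF's own code, and not from anyone in this thread) that models the continuation logic: a repeat continues from where the previous dump stopped, a retyped command restarts at its argument, and a version check of the kind @Grazfather suggests with gdb.VERSION gates the 8.2-only workaround. It is hypothetical and runs against a constructed memory buffer instead of a live inferior; read_sample, HexdumpState and needs_workaround are my names, not GEF's.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Constructed sample memory standing in for the debuggee's stack; values are made up.
SAMPLE_BASE = 0xffffcfc0
SAMPLE_MEM = struct.pack("<8I", 0xf7fe59b0, 0xffffcfe0, 0x0, 0xf7dece81,
                         0xf7fac000, 0xf7fac000, 0x1, 0x080483e0)

def read_sample(addr: int, size: int) -> bytes:
    """Stand-in for gdb.selected_inferior().read_memory() over the sample buffer."""
    off = addr - SAMPLE_BASE
    if off < 0 or off + size > len(SAMPLE_MEM):
        raise ValueError("address outside constructed sample memory")
    return SAMPLE_MEM[off:off + size]

def needs_workaround(gdb_version: str) -> bool:
    """True only for GDB 8.2 exactly: 8.2.1 and other versions report repeats correctly.
    Accepts strings shaped like gdb.VERSION ("8.2", "8.2.1", "8.1.0.20180409-git")."""
    parts = tuple(int(p) for p in gdb_version.split(".")[:3] if p.isdigit())
    return parts == (8, 2)

class HexdumpState:
    """Continuation logic: a bare Enter (repeat) resumes at the next address,
    while a retyped command restarts from the argument it was given."""
    def __init__(self, read: Callable[[int, int], bytes], width: int = 4):
        self.read = read
        self.width = width          # 4 = dword, 8 = qword
        self.last_args: Optional[Tuple[int, int]] = None
        self.next_addr: Optional[int] = None

    def run(self, start: int, count: int, repeat: bool) -> List[str]:
        # 'repeat' is the signal a real gdb.Command gets when the user just hit Enter;
        # on 8.2 that signal is unreliable (the sourceware bugs linked in the thread), which
        # is why a workaround keyed on "same command text" misfires for retyped commands.
        if repeat and self.last_args == (start, count) and self.next_addr is not None:
            addr = self.next_addr
        else:
            addr = start
        fmt = "<I" if self.width == 4 else "<Q"
        lines = []
        for i in range(count):
            a = addr + i * self.width
            val = struct.unpack(fmt, self.read(a, self.width))[0]
            # Offset column stays relative to the original start, as in the outputs above
            lines.append(f"0x{a:08x}│+0x{a - start:04x}   0x{val:0{self.width * 2}x}")
        self.last_args = (start, count)
        self.next_addr = addr + count * self.width
        return lines
```

Calling run() with repeat=True reproduces the "+0x000c" continuation seen in the outputs above, while repeat=False with the same arguments returns the first three lines again.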
@wbowling (Contributor)

Yeah this is what is meant to happen if you press enter again

^ is what is currently broken in gdb 8.2 but will be fixed in 8.2.1 (see #398 (comment)). I've looked into a few workarounds, but the combination of both of those bugs makes it really hard. cyrus-and/gdb-dashboard#128 is the same issue.

@elklepo (Author)

elklepo commented Nov 22, 2018

Thank you for the explanation, it makes sense.
But to be honest, I've also tried it on another platform with gdb 8.1.0.20180409-git and the problem was there even then.
So we're waiting for the next gdb release.

@hugsy (Owner)

hugsy commented Nov 23, 2018

Agreed, the patch is still in dev anyway. When GDB fixes this in a more permanent way I can either update it or simply remove this code. It's more of a temporary workaround.

@wbowling (Contributor)

It's more of a temporary workaround.

Is there any way we can check if they are using gdb 8.2? The patch is a good workaround for 8.2 but makes things worse on all other versions. Even when gdb fixes it, 8.2 will always have the issue, so it might still need the workaround :(

@Grazfather (Collaborator)

Yeah, I don't like the fix. @wbowling gdb.VERSION could be tested.

@hugsy (Owner)

hugsy commented Nov 29, 2018

@wbowling Do you think it's simply better to revert the fix and wait for 8.2.1? I really don't mind doing that, but I kinda think that starting to test for specific versions of GDB for features is a slippery slope.

@elklepo (Author)

elklepo commented Nov 29, 2018

@hugsy, maybe revert the fix and make a branch with the fix for 8.2, with an annotation in the readme?

No worries, I'll do that.

@Grazfather (Collaborator)

I would rather revert the fix. The fix makes it worse, and it gets rid of one of the better features we added in the last release. Add a note and maybe config that lets people disable it.

@wbowling (Contributor)

but I kinda think that starting to test for specific versions of GDB for features is a slippery slope.

Yeah, I agree it's probably not something we want to start doing; maybe just a warning on startup or a way to disable it.

hugsy added a commit that referenced this issue Nov 30, 2018
Reverting 8deeafb as @wbowling suggested, waiting for 8.2.1 to fix the incorrect behavior introduced by 8.2.
@hugsy (Owner)

hugsy commented Nov 30, 2018

@wbowling Any idea on when 8.2.1 is due for release? I mean, I don't see the point in spending too much effort on our side if it's coming out soon, since it's a GDB issue.

@wbowling (Contributor)

wbowling commented Dec 2, 2018

Any idea on when 8.2.1 is due for release

It's a bit hard to tell from https://www.gnu.org/software/gdb/schedule/ but it looks like 8.3 is scheduled for 2019-01-29, so hopefully before then. There is a thread about releasing 8.2.1 and only one bug left.

daniellimws pushed a commit to daniellimws/gef that referenced this issue Dec 9, 2018
… last command typed to trigger to auto-continuation
daniellimws pushed a commit to daniellimws/gef that referenced this issue Dec 9, 2018
Reverting 8deeafb as @wbowling suggested, waiting for 8.2.1 to fix the incorrect behavior introduced by 8.2.
@wbowling (Contributor)

Gdb 8.2.1 is released: https://www.gnu.org/software/gdb/download/ANNOUNCEMENT

@Grazfather (Collaborator)

What's the AI on this? This works for me on dev. What did the workaround break?

@wbowling (Contributor)

wbowling commented Feb 9, 2019

There’s no way to tell if it’s a repeat command from an enter or if it’s been typed again.

@wbowling (Contributor)

wbowling commented Feb 9, 2019

With 8.2.1 (any version except 8.2) it shouldn't be needed.

@Grazfather (Collaborator)

Grazfather commented Feb 9, 2019

That's not the case for me.

gef➤  hexdump dword $rsp
0x00007fffffffe550│+0x0000   0x00400540
0x00007fffffffe554│+0x0004   0x00000000
0x00007fffffffe558│+0x0008   0xf7a2d830
0x00007fffffffe55c│+0x000c   0x00007fff
0x00007fffffffe560│+0x0010   0x00000000
0x00007fffffffe564│+0x0014   0x00000000
0x00007fffffffe568│+0x0018   0xffffe638
0x00007fffffffe56c│+0x001c   0x00007fff
0x00007fffffffe570│+0x0020   0x00000000
0x00007fffffffe574│+0x0024   0x00000001
0x00007fffffffe578│+0x0028   0x00400526
0x00007fffffffe57c│+0x002c   0x00000000
0x00007fffffffe580│+0x0030   0x00000000
0x00007fffffffe584│+0x0034   0x00000000
0x00007fffffffe588│+0x0038   0xa73ea6ba
0x00007fffffffe58c│+0x003c   0x60e691e4
gef➤
0x00007fffffffe590│+0x0040   0x00400430
0x00007fffffffe594│+0x0044   0x00000000
0x00007fffffffe598│+0x0048   0xffffe630
0x00007fffffffe59c│+0x004c   0x00007fff
0x00007fffffffe5a0│+0x0050   0x00000000
0x00007fffffffe5a4│+0x0054   0x00000000
0x00007fffffffe5a8│+0x0058   0x00000000
0x00007fffffffe5ac│+0x005c   0x00000000
0x00007fffffffe5b0│+0x0060   0x677ea6ba
0x00007fffffffe5b4│+0x0064   0x9f196e9b
0x00007fffffffe5b8│+0x0068   0x026ea6ba
0x00007fffffffe5bc│+0x006c   0x9f197e21
0x00007fffffffe5c0│+0x0070   0x00000000
0x00007fffffffe5c4│+0x0074   0x00000000
0x00007fffffffe5c8│+0x0078   0x00000000
0x00007fffffffe5cc│+0x007c   0x00000000
gef➤  hexdump dword $rsp
0x00007fffffffe550│+0x0000   0x00400540
0x00007fffffffe554│+0x0004   0x00000000
0x00007fffffffe558│+0x0008   0xf7a2d830
0x00007fffffffe55c│+0x000c   0x00007fff
0x00007fffffffe560│+0x0010   0x00000000
0x00007fffffffe564│+0x0014   0x00000000
0x00007fffffffe568│+0x0018   0xffffe638
0x00007fffffffe56c│+0x001c   0x00007fff
0x00007fffffffe570│+0x0020   0x00000000
0x00007fffffffe574│+0x0024   0x00000001
0x00007fffffffe578│+0x0028   0x00400526
0x00007fffffffe57c│+0x002c   0x00000000
0x00007fffffffe580│+0x0030   0x00000000
0x00007fffffffe584│+0x0034   0x00000000
0x00007fffffffe588│+0x0038   0xa73ea6ba
0x00007fffffffe58c│+0x003c   0x60e691e4

@wbowling (Contributor)

wbowling commented Feb 9, 2019

I think it was reverted?

@Grazfather (Collaborator)

I seem to have the delta in dev. I don't care much, I just want to know if something has to be fixed or if we should close the ticket :)

@hugsy (Owner)

hugsy commented Dec 7, 2020

Cleanup

@hugsy hugsy closed this as completed Dec 7, 2020