heap commands no longer works properly when remote debugging

[amlamarra]

• Did you use the latest version of GEF from dev branch?
• Is your bug specific to GEF (not GDB)? - Try to reproduce it running gdb -nx
• Did you read the documentation first?
• Did you check issues (including
  the closed ones) - and the PR?

Step 1: Describe your environment

• Operating System / Distribution: Ubuntu 20.04.2 LTS
• Architecture: x86_64
• GEF version (including the Python library version) run version in GEF.

gef➤  version
GEF: (Standalone)
SHA1(/home/andrew/.gdbinit-gef.py): 3a1557190297912278671d27454d3d1fcda619e5
GDB: 9.2
GDB-Python: 3.8

• I'm working on an exploitation challenge from exploit.education (http://exploit.education/fusion/level05/). I haven't tried this any of the other binaries. I can upload it here if you'd like.

$ file level05
level05: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.15, BuildID[sha1]=2cf47809a1a841f6990910071c09e6053e9f57ac, with debug_info, not stripped

• The heap commands works with the 2021.01 release.

Step 2: Describe your problem

Steps to reproduce

1. Start a VM (no hard drive necessary) and boot to the Fusion ISO (https://github.com/ExploitEducation/Fusion/releases/download/v2.0.0/exploit-exercises-fusion-2.iso)
2. SSH to the VM (use root:godmode for creds) and run gdbserver to attach to process:

# gdbserver --attach :1234 $(pidof level05)

3. Start gdb & connect to the server:

$ gdb
GEF for linux ready, type `gef' to start, `gef config' to configure
92 commands loaded for GDB 9.2 using Python engine 3.8
gef➤  file level05
Reading symbols from level05...
gef➤  target remote fusion:1234
Remote debugging using fusion:1234
...

4. Use the heap chunks|arenas|bins commands:

gef➤  heap chunks
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] No valid arena
gef➤  heap arenas
[!] Could not find Glibc main arena
gef➤  heap bins
[+] No Tcache in this version of libc
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] Invalid Glibc arena
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] Invalid Glibc arena
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] Invalid Glibc arena
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] Invalid Glibc arena

5. Going back to release 2021.01, the heap chunks command works, but heap arenas does not:

gef➤  heap chunks
Chunk(addr=0xb7dfd008, size=0x108, flags=PREV_INUSE)
    [0xb7dfd008     08 50 53 b7 10 d1 df b7 b0 54 e0 b7 00 00 00 00    .PS......T......]
Chunk(addr=0xb7dfd110, size=0x83a0, flags=PREV_INUSE)
    [0xb7dfd110     66 64 74 61 73 6b 00 00 00 00 00 00 00 00 00 00    fdtask..........]
Chunk(addr=0xb7e054b0, size=0x18b58, flags=PREV_INUSE)  ←  top chunk
gef➤  heap arenas 
[!] Command 'heap arenas' failed to execute properly, reason: 'MallocStateStruct' object has no attribute 'nfree'
gef➤  heap bins
[+] No Tcache in this version of libc
───────────────────────────────────────────── Fastbins for arena 0xb76f0400 ─────────────────────────────────────────────
Fastbins[idx=0, size=0x10] 0x00
Fastbins[idx=1, size=0x18] 0x00
Fastbins[idx=2, size=0x20] 0x00
Fastbins[idx=3, size=0x28] 0x00
Fastbins[idx=4, size=0x30] 0x00
Fastbins[idx=5, size=0x38] 0x00
Fastbins[idx=6, size=0x40] 0x00
────────────────────────────────────────── Unsorted Bin for arena 'main_arena' ──────────────────────────────────────────
[+] Found 0 chunks in unsorted bin.
─────────────────────────────────────────── Small Bins for arena 'main_arena' ───────────────────────────────────────────
[+] Found 0 chunks in 0 small non-empty bins.
─────────────────────────────────────────── Large Bins for arena 'main_arena' ───────────────────────────────────────────
[+] Found 0 chunks in 0 large non-empty bins.

Minimalist test case

// compile with gcc -fPIE -pic -o my_issue.out my_issue.c
int main(){ return 0; }

Not applicable as this is heap-related. I did, however, create my own test case.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
    char *name = malloc(32);
    strncpy(name, "Drew", 5);
    printf("Name = %s\n", name);

    return 0;
}

Compiled with gcc test.c -o test -g. This one does work.

$ gdb test 
GEF for linux ready, type `gef' to start, `gef config' to configure
92 commands loaded for GDB 9.2 using Python engine 3.8
Reading symbols from test...
gef➤  b test.c:7
Breakpoint 1 at 0x1183: file test.c, line 7.
gef➤  run
...
gef➤  heap chunks
Chunk(addr=0x555555559010, size=0x290, flags=PREV_INUSE)
    [0x0000555555559010     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x5555555592a0, size=0x30, flags=PREV_INUSE)
    [0x00005555555592a0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x5555555592d0, size=0x20d40, flags=PREV_INUSE)  ←  top chunk
gef➤  heap arenas 
Arena (base=0x7ffff7fb0b80, top=0x5555555592c0, last_remainder=0x0, next=0x7ffff7fb0b80, next_free=0x0, system_mem=0x21000)
gef➤  heap bins
──────────────────────────────────────────────── Tcachebins for thread 1 ────────────────────────────────────────────────
All tcachebins are empty
─────────────────────────────────────────── Fastbins for arena 0x7ffff7fb0b80 ───────────────────────────────────────────
Fastbins[idx=0, size=0x20] 0x00
Fastbins[idx=1, size=0x30] 0x00
Fastbins[idx=2, size=0x40] 0x00
Fastbins[idx=3, size=0x50] 0x00
Fastbins[idx=4, size=0x60] 0x00
Fastbins[idx=5, size=0x70] 0x00
Fastbins[idx=6, size=0x80] 0x00
────────────────────────────────────────── Unsorted Bin for arena 'main_arena' ──────────────────────────────────────────
[+] Found 0 chunks in unsorted bin.
─────────────────────────────────────────── Small Bins for arena 'main_arena' ───────────────────────────────────────────
[+] Found 0 chunks in 0 small non-empty bins.
─────────────────────────────────────────── Large Bins for arena 'main_arena' ───────────────────────────────────────────
[+] Found 0 chunks in 0 large non-empty bins.

Observed Results

• What happened? This could be a description, log output, etc.

See above. Another thing to note is that when attaching to the "level05" process locally instead of remotely (using the latest dev version of GEF), nothing happens with the heap chunks command. Though heap arenas seems to work.

# gdb -p $(pidof level05)
GEF for linux ready, type `gef' to start, `gef config' to configure
92 commands loaded for GDB 9.2 using Python engine 3.8
Attaching to process 31642
...
gef➤  file /home/andrew/level05/level05
Reading symbols from /home/andrew/level05/level05...
gef➤  heap chunks
gef➤  heap arenas
Arena (base=0xf7f60740, top=0x57befe48, last_remainder=0x57bdf6f8, next=0xf7f60740, next_free=0x0, system_mem=0x22000)

Expected results

• What did you expect to happen?

The heap chunks and heap arenas commands display information on the heap.

Sorry, but I haven't tested this extensively with other binaries or architectures.

Traces

[hugsy]

Using gef's latest from dev, with a simple bin:

$ cat > a.c  << EOF
void main()
{
printf("main=%p\n", &main);
char *a = malloc(0x20);
char *b = malloc(0x20);
char *c = malloc(0x20);
memcpy(a, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 0x20);
printf("a=%s\n", a);
__asm__("int3");
}
EOF

gef works as expected:

$ cc a.c
$ gdbserver  --remote-debug 0.0.0.0:1338 ./a.out

[...]
[#0] Id 1, Name: "a.out", stopped 0x555555555208 in main (), reason: SIGTRAP
────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555555208 → main()
─────────────────────────────────────────────────────────────────────────────
0:000 ➤  heap chunks
Chunk(addr=0x555555559010, size=0x290, flags=PREV_INUSE)
    [0x0000555555559010     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x5555555592a0, size=0x410, flags=PREV_INUSE)
    [0x00005555555592a0     61 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41    a=AAAAAAAAAAAAAA]
Chunk(addr=0x5555555596b0, size=0x30, flags=PREV_INUSE)
    [0x00005555555596b0     41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA]
Chunk(addr=0x5555555596e0, size=0x30, flags=PREV_INUSE)
    [0x00005555555596e0     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x555555559710, size=0x30, flags=PREV_INUSE)
    [0x0000555555559710     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................]
Chunk(addr=0x555555559740, size=0x208d0, flags=PREV_INUSE)  ←  top chunk
0:000 ➤  heap arenas
Arena (base=0x7ffff7fa9b80, top=0x555555559730, last_remainder=0x0, next=0x7ffff7fa9b80, next_free=0x0, system_mem=0x21000)

[amlamarra]

Sorry for taking so long with this. Finally getting back it.

It seems this is only an issue when the binary is compiled for x86.

[theguy147]

@amlamarra
I just tried this with the current dev branch and level05 of the Fusion box and I don't have this issue. For me everything works fine when connecting to the gdbserver via

target remote <ip_address>:<port>

@hugsy
Kind of Off-topic:
While the target remote command works fine here strangely the gef-remote command does not. When connecting this way some commands, e.g. registers and dereference do not work anymore. I will investigate further when I have some time and I will open a new issue and/or PR when I did.

EDIT:
@amlamarra
I just searched through the git history to find the commit you were on based on your SHA1 file hash and found it (0ad5f99) and then I tried it again using that commit and it behaved like you described. So the solution is to just update gef ;) And BTW that commit was already old when you opened the issue.

I would suggest closing this issue.

EDIT2:
I somehow can't seem to reproduce the gef remote vs target remote issue I had earlier...

[amlamarra]

I'm still seeing the issue. I did get the latest version. All I'm doing to update is this:

16:12 ~ ❯ git clone https://github.com/hugsy/gef.git
Cloning into 'gef'...
remote: Enumerating objects: 7031, done.
remote: Counting objects: 100% (711/711), done.
remote: Compressing objects: 100% (309/309), done.
remote: Total 7031 (delta 444), reused 639 (delta 400), pack-reused 6320
Receiving objects: 100% (7031/7031), 4.52 MiB | 5.36 MiB/s, done.
Resolving deltas: 100% (4567/4567), done.

16:12 ~ ❯ cat .gdbinit
source ~/.gdbinit-gef.py

16:13 ~ ❯ cp gef/gef.py .gdbinit-gef.py
cp: overwrite '.gdbinit-gef.py'? y

16:13 ~ ❯ gdb
GEF for linux ready, type `gef' to start, `gef config' to configure
96 commands loaded for GDB 9.2 using Python engine 3.8
gef➤  version
GEF: (Standalone)
SHA1(/home/andrew/.gdbinit-gef.py): 848cdc87ba7c3e99e8129ad820c9fcc0973b1e99
GDB: 9.2
GDB-Python: 3.8

Does that look right?
I connect to the gdbserver on Fusion for the level05 binary and see the same error:

gef➤  heap chunks
[!] Failed to get the main arena, heap commands may not work properly: There is no member named next_free.
[!] No valid arena

Same thing with other binaries, not just level05.

I also confirmed that going back to the 2021.01 release works as intended.

[theguy147]

Wow, there are two very weird things going on:

1. You are still not on the newest commit but almost and the missing commits only touch the documentation if I'm not wrong.

2. Now GEF is also completely failing me. It seems to work fine some times and other times not. Have you actually experienced these issues anywhere else but with the Fusion2 VM?

EDIT: sorry my mistake. you ARE on the newest commit

EDIT2: also with the 2021.01 I get the same behaviour: sometimes it works, sometimes it doesn't. This is hard to figure out. I already tried different GEF commits, I tried three different host machines (ubuntu, arch linux and fedora), I tried changing the VM's gdbserver with a statically compiled one etc but the behaviour is still the same: sometimes it works, sometimes it doesn't. I am wondering whether it's GEF or it's the VM because also some bash commands I execute in there are not working properly (sometimes)

[amlamarra]

What, exactly, is it that sometimes works and sometimes doesn't? I haven't noticed any other problems other than with the heap commands. I've also tried other versions of gdbserver, to include a version that matches GDB (9.2).

[theguy147]

What, exactly, is it that sometimes works and sometimes doesn't?
It ranges from just the heap command to basically everything (context, registers etc).

I think there are a few bugs I'm triggering in GEF combined with something fishy in the VM and I didn't consider them in the test setup I used for trying to understand your issue.

The ones that are related to this issue are

• heap chunks appears to have never worked with x86 (32bit) executables. I ran several git bisect run scripts back to the first commit and no tested commit worked with a simple test executable I compiled (not even locally, nevermind remotely)
• gef remote has some major issues like e.g. it is supposed to download the remote binary but instead on dev it downloads a textfile with invalid memory mappings and then handles it as if it were the binary (and therefore many other commands get "stress-tested" and start failing left and right)

I am not sure if you even used gef remote because your initial description was with target remote instead but I did use it in my tests.

[theguy147]

Here is my test setup for the not-working heap chunks command on x86 executables if somebody wants to follow along:

all of this is done inside the GEF working directory (so in the dir that is tracked with git):

heap.c

#include<stdlib.h>
#include<stdio.h>

int main() {
	int* ptr = malloc(0x100);
	printf("%p\n", ptr);
	return 0;
}

compile with

gcc -m32 -oheap32 heap.c

find malloc manually

debug file manually once to find first instruction after malloc. For me that was at main+46. Use this value in the following gdbscript to replace my value. (This is to make sure the heap is initialized when testing the heap chunks command).

gdbscript

break *main+46
r
heap chunks
q

bisect.sh

gdb -q -x ./gdbscript ./heap32 | grep -i "chunk"

start bisecting

git bisect start dev b93c1bd
git bisect run ./bisect.sh

This works because grep returns 0 if something was found and 1 else and this is exactly the information git bisect run needs to determine if a commit is good or bad.

[theguy147]

I think here is the problem with x86 heap chunks:

gef/gef.py

Lines 799 to 810 in 48a9fd7

	def __init__(self, addr, from_base=False):
	self.ptrsize = current_arch.ptrsize
	if from_base:
	self.chunk_base_address = addr
	self.address = addr + 2 * self.ptrsize
	else:
	self.chunk_base_address = int(addr - 2 * self.ptrsize)
	self.address = addr
	self.size_addr = int(self.address - self.ptrsize)
	self.prev_size_addr = self.chunk_base_address
	return

If I'm not mistaken (but I very well could be) on x86 line 803 should be self.address = addr + 4 * self.ptrsize instead

[Grazfather]

I love git bisect, but I have literally never used git bisect run in my 10+ years. TIL!

What was the culprit commit?

[theguy147]

git bisect run is the best if you don't want to go over 1000+ commits manually ;)

so, as I mentioned, I couldn't find a culprit commit for two reasons:

• my test setup was relying on gef-remote which was broken (the culprit for this commit can be seen in issue gef-remote broken #685 )
• heap chunks has never worked for x86 so far

[amlamarra]

• heap chunks has never worked for x86 so far

But it has. I was using it to work on the Fusion challenges. Then one day, I updated GEF and it stops working.

[theguy147]

Hm, then I don't understand. If i change the self.address line that I mentioned above then it works for me but without it not.
You mentioned before that it worked for you at release 2021.01 but it doesn't for me... :S Then I guess I also can't reproduce your specific issue at the moment. :(

[theguy147]

@amlamarra You could try to follow along my git bisect instructions above and report the results back to us to find your specific issue!

EDIT: i mean the whole post starting with

Here is my test setup for the not-working heap chunks command on x86 executables if somebody wants to follow along:

Also: If release 2021.01 works for you, you could replace b93c1bd in the second to last command with 2021.01

[amlamarra]

I'm starting to run through your test setup, but one thing I noticed that I wanted to mention. Using gef-remote I still had to run the file command to source the binary locally in order for the heap chunks command to work (on the 2021.01 release).

According to the official docs, I expect to see something like this:

$ gdb
gef➤ gef-remote 192.168.56.1:1234
[+] Connected to '192.168.56.1:1234'
[+] Downloading remote information
[+] Remote information loaded, remember to clean '/tmp/gef/10851' when your session is over

However, what I'm seeing is:

gef➤  gef-remote fusion:1234
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
warning: Could not load vsyscall page because no executable was specified
0xb78a1424 in ?? ()
[+] Connected to 'fusion:1234'
[+] Targeting PID=1200
[+] Remote information loaded to temporary path '/tmp/gef/1200'

[theguy147]

yes, this part of the other issue I talked about above (I opened issue #685 for it). It should be fixed soon.

For now just use target remote like you did before. And if the problem also occurs without even remote debugging that would be preferable for the test setup. If it really only happens when you debug x86 remotely than I can help you with the adjustments needed for the setup.

[amlamarra]

Another oddity. When debugging (locally) your heap.c compiled for 32-bit and breaking right after the call to malloc(), the heap chunks command gives no output (this is on the 2021.01 release). However, it works fine when it's compiled for 64-bit. Yet, heap chunks works when debugging remotely...

Edit:
One question regarding your testing. Since GDB executes commands in ~/.gdbinit by default (and that's how gef.py is sourced), how is the test switching versions? Did you change your .gdbinit file to something like this?

source ~/gef/gef.py

[theguy147]

Yes, for me on x86 , so 32bit, the heap chunks command doesn't result in an error but just an empty output locally (this can be fixed with that one self.address line) and x86_64, so 64bit, works fine.

What do you mean by this?

Yet, heap chunk works when debugging remotely...

Does it also work for remotely debugging x86 binaries? on dev or on 2021.01? Please provide more information on that working case.

[theguy147]

no, you can just leave your .gdbinit as is. gdb can load more than one script. In my test setup I additionally load the gdbscript via the -x flag

EDIT:
oh, of course the .gdbinit should point to a git-tracked gef.py for this to work. I just assumed thats your setup. sorry

[Grazfather]

This sort of discussion would be better done on our discord.

[theguy147]

ok, so the culprit commit for your issue is 55c4a6c

I could only reproduce the issue with the Fusion 2 VM from exploit.education. This is my test setup to find that commit:

Setup

On the Fusion 2 VM

The VM can be downloaded here.

This script is used to automatically restart the gdbserver when it exits.

# filename: gdbserver.sh
#!/bin/bash
while true; do
    gdbserver --attach :1337 `pidof level05`

BTW: I would recommend to use a host-only network for the VM so it is not exposed to the network.

On the gdb machine

Copy the level05 binary from /opt/fusion/bin/level05 on the fusion vm to your gdb machine (e.g. using sshfs).
Now enter the GEF directory (needs to be tracked with git) and prepare a gdbscript like this:

file PATH_TO_LOCAL_LEVEL05
target remote HOST:PORT
heap chunks
q

Obviously replace the capitalized parts to match your environment. HOST:PORT should point to the fusion VM and the network should be setup so such a route does exist. PATH_TO_LOCAL_LEVEL05 should point to the previously download level05 executable

Now add this script (and make it executable with chmod +x ./bisect.sh):

# filename: bisect.sh
#!/bin/bash
gdb -q -x ./gdbscript | grep -i "chunk"

And finally you can start with the bisection:

git bisect start dev 2021.01
git bisect run ./bisect.sh

Result

The resulting culprit commit is 55c4a6c

Now we need to find out what in that commit caused the issue.

EDIT: reverting just that single commit on dev does the difference and it works again as previously but I cant seem to figure out why (for remote debugging of x86 - for local debugging of x86 that still does not fix it -> for that this snippet needs to be further investigated `

[theguy147]

In this specific testcase an exception is raised at

self.nfree = int(self.next_free)

T-he exception gets raised when trying to access eitherself.nfree or self.next_free which don't exist in that arena.

[theguy147]

gef/gef.py

Lines 739 to 759 in 77889d8

	class GlibcArena:
	"""Glibc arena class
	Ref: https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1671"""
	def __init__(self, addr, name=None):
	self.__name = name or __gef_default_main_arena__
	try:
	arena = gdb.parse_and_eval(addr)
	malloc_state_t = cached_lookup_type("struct malloc_state")
	self.__arena = arena.cast(malloc_state_t)
	self.__addr = int(arena.address)
	except:
	self.__arena = MallocStateStruct(addr)
	self.__addr = self.__arena.addr
	finally:
	self.top = int(self.top)
	self.last_remainder = int(self.last_remainder)
	self.n = int(self.next)
	self.nfree = int(self.next_free)
	self.sysmem = int(self.system_mem)
	return

Changing the finally block to another try block "fixes" the issue. ( I also moved self.sysmem up in the list of commands because it doesn't create a problem):

class GlibcArena:
    """Glibc arena class
    Ref: https://github.com/sploitfun/lsploits/blob/master/glibc/malloc/malloc.c#L1671"""

    def __init__(self, addr, name=None):
        self.__name = name or __gef_default_main_arena__
        try:
            arena = gdb.parse_and_eval(addr)
            malloc_state_t = cached_lookup_type("struct malloc_state")
            self.__arena = arena.cast(malloc_state_t)
            self.__addr = int(arena.address)
        except:
            self.__arena = MallocStateStruct(addr)
            self.__addr = self.__arena.addr

        try:
            self.top             = int(self.top)
            self.last_remainder  = int(self.last_remainder)
            self.sysmem          = int(self.system_mem)
            self.n               = int(self.next)
            self.nfree           = int(self.next_free)
        except gdb.error as e:
            err(f"glibc arena: {e}")

        return

I am not sure if and how that error should be handled properly so in this snippet I just print it out. Any ideas @hugsy ?

This is how the error looks like at runtime:

[!] glibc arena: There is no member named next_free.

I can create a PR if this way of handling it is fine for now. (But I repeat: it does not solve all the problems with the heap command, like that heap chunks does not work locally on (many) x86 executables)

EDIT: sorry, I updated the comment to include some more context without marking them as edits