GEF doesn't print kernel symbol as well #920

Closed
1 of 9 tasks
0n3t04ll opened this issue Nov 19, 2022 · 3 comments
Comments

0n3t04ll commented Nov 19, 2022

GEF+GDB version

GEF: rev:4e8903400efa6abf3c80cd5a9d43420323936b35 (Git - clean)
SHA256(/root/gef/gef.py): a9a82de9b388b183dc4af94e4fd03c44a25cdee0fff070b1d73bd80e36855bb4
GDB: 9.2
GDB-Python: 3.8

Operating System

Ubuntu 20.04.3 LTS

Describe the issue you encountered

I tried to debug Ubuntu running on qemu, and I found that gdb with gef wouldn't display the detailed symbol when I typed "p f" after setting a breakpoint on fs/read_write.c:619. Instead, gef showed "No symbol "f" in current context."
It seems that gef can't get the symbol f even though I ran the command "add-symbol-file [vmlinux with debug symbols] [address]" beforehand.

I also tried to use gdb without any plugin, and this time gdb printed struct fd f properly, so I thought maybe this is a bug in gef.

Do you read the docs and look at previously closed issues/PRs for similar cases?

Yes

Architecture impacted

  • X86
  • X64
  • ARM
  • ARM64
  • MIPS
  • MIPS64
  • PPC
  • PPC64
  • RISCV

Describe your issue. Without a proper reproduction step-by-step, your issue will be ignored.

Provide a step-by-step to reproduce your issue.

I tried to run ubuntu 22.04 on qemu and use gdb to debug it.
Here is the script I modified from askUbuntu

#!/bin/bash

set -eux

id=ubuntu-22.04.1-desktop-amd64
disk_img="${id}.img.qcow2"
disk_img_snapshot="${id}.snapshot.qcow2"
iso="${id}.iso"

# fetch the installer ISO once (the original fetched "${id}" without the .iso suffix, which 404s)
if [ ! -f "$iso" ]; then
	wget "https://releases.ubuntu.com/22.04/${iso}"
fi

# create the base image and run the installer against it
if [ ! -f "${disk_img}" ]; then
	qemu-img create -f qcow2 "$disk_img" 1T
	qemu-system-x86_64 \
		-cdrom "${iso}" \
		-drive "file=${disk_img},format=qcow2" \
		-enable-kvm \
		-m 2G \
		-smp 2 \
		;
fi

# create a snapshot based on disk_img; -F names the backing format, which recent qemu-img requires
if [ ! -f "${disk_img_snapshot}" ]; then
	qemu-img create -b "${disk_img}" -F qcow2 -f qcow2 "${disk_img_snapshot}"
fi

# boot the snapshot; extra arguments (e.g. "-s" for the GDB stub on :1234) are passed through
# note: -soundhw was removed in QEMU 7.1; use "-device intel-hda -device hda-duplex" there
qemu-system-x86_64 \
	-drive "file=${disk_img_snapshot},format=qcow2" \
	-enable-kvm \
	-m 2G \
	-smp 2 \
	-soundhw hda \
	-vga virtio \
	"$@" \
	;

I downloaded the vmlinux with symbols from this url and the linux-source from this url.

After downloading these two files, I extracted both of them on the host.

I installed Ubuntu with the script mentioned above, then ran qemu with this command:

qemu-system-x86_64 -drive file=ubuntu-22.04.1-desktop-amd64.snapshot.qcow2,format=qcow2 -enable-kvm -m 2G -smp 2 -soundhw hda -vga virtio -nic user,hostfwd=tcp::8888-:22 -s

To use gef-remote, I ran gdb-gef as root (sudo gdb-gef) and ran the following commands:

gef-remote --qemu-user --qemu-binary vmlinux-5.15.0-53-generic localhost 1234
add-symbol-file ./vmlinux-5.15.0-53-generic 0xffffffffa5600000
set substitute-path /build/linux-JjvoxS/linux-5.15.0 /tmp/extract/x/usr/src/linux-source-5.15.0/linux-source-5.15.0
b fs/read_write.c:619
c

During debugging, I didn't stop the qemu guest, so the text address 0xffffffffa5600000 didn't change.

When gdb stopped at the breakpoint, I tried to run the command p f to print the struct fd content, and gdb showed:

(remote) gef➤  p f
No symbol "f" in current context.

However, when I used gdb without any plugin and ran the following commands:

target remote :1234
add-symbol-file ./vmlinux-5.15.0-53-generic 0xffffffffa5600000
set substitute-path /build/linux-JjvoxS/linux-5.15.0 /tmp/extract/x/usr/src/linux-source-5.15.0/linux-source-5.15.0
b fs/read_write.c:619
c

When gdb stopped at the breakpoint, I tried to run the command p f to print the struct fd content, and this time gdb worked fine:

Thread 2 hit Breakpoint 1, ksys_read (fd=<optimized out>, buf=0x7ffcc25ca0a0 "\001", count=8) at /build/linux-JjvoxS/linux-5.15.0/fs/read_write.c:619
619		if (f.file) {
(gdb) p f
$1 = {file = 0xffff98a4027dd400, flags = <optimized out>}

Minimalist test case

Use this field for a minimal code to compile and spot the issue:

// compile with gcc -fPIE -pic -o my_issue.out my_issue.c
int main(){ return 0; }

You can also provide a Dockerfile if you prefer

Additional context?

  • Screenshots

gdb with gef: [screenshot]

gdb without any plugin: [screenshot]

  • Callstack
  • Coredumps
  • If possible and useful, please upload the binary
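The setup described in this issue (attach to the QEMU GDB stub, add-symbol-file at the KASLR-relocated text base, set substitute-path to map the Ubuntu build path onto the extracted source tree) is easy to get subtly wrong: the base address has to be derived from the running guest, a vmlinux from a different build silently gives wrong symbols, and the single-address form of add-symbol-file relocates only .text, so GDB's documented "-o OFFSET" form is the safer choice. The script below is an added example, not code from the issue or from the GEF project. It computes the KASLR slide from a saved copy of the guest's /proc/kallsyms (captured as root with kernel.kptr_restrict=0) and the host's "nm vmlinux" output, cross-checks that every shared symbol moved by the same slide, recovers the build prefix from the GDB frame line quoted in the issue, and emits the two GDB commands. The embedded kallsyms and nm lines are constructed samples (only the two _text addresses and the frame line come from the issue); the 2 MiB alignment check assumes an x86_64 kernel.

```python
"""Derive the KASLR slide of a running guest kernel and emit the GDB commands
that load vmlinux's symbols and sources at the right addresses.

Inputs (both captured beforehand, so this runs offline):
  * guest: sudo cat /proc/kallsyms   (needs kernel.kptr_restrict=0 in the guest)
  * host:  nm vmlinux-5.15.0-53-generic
"""
import re

SYM_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)")
MASK = 0xFFFFFFFFFFFFFFFF
# Assumption: x86_64, where KASLR moves the kernel in CONFIG_PHYSICAL_ALIGN (2 MiB) steps.
KASLR_ALIGN = 0x200000

# Constructed sample input. _text addresses match the issue (vmlinux linked at
# 0xffffffff81000000, guest _text at 0xffffffffa5600000); the others are made up.
GUEST_KALLSYMS = """\
ffffffffa5600000 T _text
ffffffffa5600000 T startup_64
ffffffffa5a1bd90 T ksys_read
ffffffffa6c00000 D _sdata
0000000000000000 A fixed_percpu_data
"""
VMLINUX_NM = """\
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff8141bd90 T ksys_read
ffffffff82600000 D _sdata
0000000000000000 A fixed_percpu_data
"""
# The frame line GDB printed in the issue when the breakpoint hit.
FRAME_LINE = ('Thread 2 hit Breakpoint 1, ksys_read (fd=<optimized out>, '
              'buf=0x7ffcc25ca0a0 "\\001", count=8) at '
              '/build/linux-JjvoxS/linux-5.15.0/fs/read_write.c:619')


def parse_symbols(text):
    """Return {name: (address, type)} from 'addr type name' lines, the format
    shared by /proc/kallsyms and nm. kallsyms module symbols carry a trailing
    '[module]' and are skipped, since vmlinux does not contain them."""
    syms = {}
    for line in text.splitlines():
        m = SYM_RE.match(line.strip())
        if not m or "[" in line:
            continue
        addr, typ, name = m.groups()
        syms[name] = (int(addr, 16), typ)
    return syms


def kaslr_slide(kallsyms_text, nm_text, anchor="_text"):
    """Slide = guest address of `anchor` minus its link-time address."""
    guest = parse_symbols(kallsyms_text)
    vmlinux = parse_symbols(nm_text)
    if anchor not in guest or anchor not in vmlinux:
        raise ValueError(f"{anchor} missing from one of the inputs")
    if guest[anchor][0] == 0:
        # kptr_restrict hides addresses as zeros; a slide computed from that
        # is still 2 MiB-aligned, so it must be rejected explicitly.
        raise ValueError("guest kallsyms addresses are zeroed (kptr_restrict?)")
    slide = (guest[anchor][0] - vmlinux[anchor][0]) & MASK
    if slide % KASLR_ALIGN:
        raise ValueError(f"slide {slide:#x} is not {KASLR_ALIGN:#x}-aligned")
    return slide


def check_slide(kallsyms_text, nm_text, slide):
    """Names of non-absolute symbols present in both inputs whose guest address
    is not link-time address + slide. A non-empty list means this vmlinux is
    not the running kernel's build, so its DWARF cannot be trusted."""
    guest = parse_symbols(kallsyms_text)
    vmlinux = parse_symbols(nm_text)
    bad = []
    for name, (vaddr, typ) in vmlinux.items():
        if typ in "Aa" or name not in guest:
            continue
        if guest[name][0] != (vaddr + slide) & MASK:
            bad.append(name)
    return sorted(bad)


def build_prefix_from_frame(frame_line, relative_source):
    """Recover the DWARF compilation prefix from a GDB 'at FILE:LINE' frame line,
    given the file's path relative to the source tree (e.g. 'fs/read_write.c')."""
    m = re.search(r"\bat (\S+):\d+\s*$", frame_line)
    if not m:
        raise ValueError("no 'at FILE:LINE' in frame line")
    path, suffix = m.group(1), "/" + relative_source
    if not path.endswith(suffix):
        raise ValueError(f"{path} does not end with {suffix}")
    return path[: -len(suffix)]


def gdb_commands(vmlinux, slide, build_prefix, source_dir):
    """'-o SLIDE' relocates every section of vmlinux; a bare text address (as
    used in the issue) sets only .text, leaving .data/.bss globals at their
    link-time addresses. Locals like `f` are unaffected either way."""
    return [
        f"add-symbol-file {vmlinux} -o {slide:#x}",
        f"set substitute-path {build_prefix} {source_dir}",
    ]


if __name__ == "__main__":
    slide = kaslr_slide(GUEST_KALLSYMS, VMLINUX_NM)
    print(f"slide {slide:#x}, mismatches: {check_slide(GUEST_KALLSYMS, VMLINUX_NM, slide)}")
    prefix = build_prefix_from_frame(FRAME_LINE, "fs/read_write.c")
    for cmd in gdb_commands("./vmlinux-5.15.0-53-generic", slide, prefix,
                            "/tmp/extract/x/usr/src/linux-source-5.15.0/linux-source-5.15.0"):
        print(cmd)
```

Feed it the real captures by replacing the two sample strings with the file contents; if check_slide reports mismatches, the vmlinux package does not match the guest's kernel and no amount of substitute-path will make "p f" meaningful.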

hugsy commented Nov 19, 2022

p is a native GDB command, GEF doesn't do anything to it. Your issue must come from somewhere else.

0n3t04ll (Author) commented

I finally figured out how to locate the issue. Every time I run the context command, it prints an exception:

[screenshot]

This exception also appeared in gdb with or without other plugins (peda, pwndbg), so I thought this error comes from the vmlinux provided by Ubuntu.

Since the exception always occurred in the backtrace window, I tried to disable the backtrace window by running the following command: gef config context.layout "legend regs stack code args source memory threads -trace -extra"

And it seems to work fine!
[screenshot]


hugsy commented Nov 21, 2022

If you find the root cause of it in gdb, feel free to post it here, otherwise it's ok to close the issue I guess.
