
another two cg issues #2037

Closed
zonkzonk opened this issue Feb 4, 2015 · 3 comments

Comments

zonkzonk (Contributor) commented Feb 4, 2015

morn,

run the following several times:

dd if=/dev/urandom of=/tmp/buf count=1 bs=64
r2 -q -c "af;pdf;cg `cat /tmp/buf`" /bin/ls

I got no reproducible buf at this time but:

Core was generated by `r2 -q -c af;pdf;cg �?P�
���-���:����K�&�|���.|��
                          �'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f95d440cd8c in r_num_get (num=0x203f400, str=0x7fff5e40cebd "\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200") at num.c:108
108                     ret = num->callback (num->userptr, str, &ok);
(gdb) bt
#0  0x00007f95d440cd8c in r_num_get (num=0x203f400, str=0x7fff5e40cebd "\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200") at num.c:108
#1  0x00007f95d756beb9 in r_cons_grep (str=0x20a0826 "\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200")
    at grep.c:119
#2  0x00007f95d7c28b75 in r_core_cmd_subst_i (core=0x607980 <r>, cmd=0x20a0820 "\346\216\344\017\227", colon=0x0) at cmd.c:1311
#3  0x00007f95d7c279f4 in r_core_cmd_subst (core=0x607980 <r>, cmd=0x20a0820 "\346\216\344\017\227") at cmd.c:981
#4  0x00007f95d7c29c88 in r_core_cmd (core=0x607980 <r>, 
    cstr=0x203af10 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200", log=0) at cmd.c:1624
#5  0x00007f95d7c2775c in r_core_cmd_pipe (core=0x607980 <r>, 
    radare_cmd=0x203af10 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200", 
    shell_cmd=0x203af35 "\212\037\033\177~\366\275\213\340\366.") at cmd.c:921
#6  0x00007f95d7c2812d in r_core_cmd_subst_i (core=0x607980 <r>, 
    cmd=0x203af10 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200", colon=0x0) at cmd.c:1126
#7  0x00007f95d7c279f4 in r_core_cmd_subst (core=0x607980 <r>, 
    cmd=0x203af10 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200") at cmd.c:981
#8  0x00007f95d7c29c88 in r_core_cmd (core=0x607980 <r>, 
    cstr=0x2091850 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.", log=0) at cmd.c:1624
#9  0x00007f95d7c2775c in r_core_cmd_pipe (core=0x607980 <r>, 
    radare_cmd=0x2091850 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.", shell_cmd=0x2091881 "\243\302\v\236\357d3") at cmd.c:921
#10 0x00007f95d7c2812d in r_core_cmd_subst_i (core=0x607980 <r>, 
    cmd=0x2091850 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.", colon=0x0) at cmd.c:1126
#11 0x00007f95d7c279f4 in r_core_cmd_subst (core=0x607980 <r>, 
    cmd=0x2091850 "\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.") at cmd.c:981
#12 0x00007f95d7c29c88 in r_core_cmd (core=0x607980 <r>, 
    cstr=0x7fff5e40fdb8 "af;pdf;cg \305?P\031\301\364\n\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.|\243\302\v\236\357d3", log=0) at cmd.c:1624
#13 0x00007f95d7c2a229 in r_core_cmd0 (user=0x607980 <r>, 
    cmd=0x7fff5e40fdb8 "af;pdf;cg \305?P\031\301\364\n\346\216\344\017\227~\351'\r\252\254\360-\236\021\342\017\257:\371\023ë\351\216\023\225\351\004\036\311K\273&\016\200|\212\037\033\177~\366\275\213\340\366.|\243\302\v\236\357d3") at cmd.c:1747
#14 0x0000000000404cf4 in main (argc=5, argv=0x7fff5e40f958, envp=0x7fff5e40f988) at radare2.c:696

and

Core was generated by `r2 -q -c af;pdf;cg �=��{!�J��km4�[;~��Q�Y��
                                                                  =5���am���(�0�Rě�
                                                                                   ����[�'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fa08fbdb338 in main_arena () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007fa08fbdb338 in main_arena () from /usr/lib/libc.so.6
#1  0x00007fa090004d8e in r_num_get (num=0xe44440, str=0x7fff3413d524 "\261\342V\300\207") at num.c:108
#2  0x00007fa093163db8 in r_cons_grep (
    str=0xe3fcf1 "\376\203Q\261\177Y\236\302\f=5\256\217\206am\261\334\311\347(\365\060\366\361Rě\333\301\v\272\202\254\357[\261\342V\300\207") at grep.c:104
#3  0x00007fa093820b75 in r_core_cmd_subst_i (core=0x607980 <r>, cmd=0xe3fcf0 "", colon=0x0) at cmd.c:1311
#4  0x00007fa09381f9f4 in r_core_cmd_subst (core=0x607980 <r>, cmd=0xe3fcf0 "") at cmd.c:981
#5  0x00007fa09381faac in r_core_cmd_subst (core=0x607980 <r>, cmd=0xe40180 "cg \035\002\253=\272\323{!\240J\322\364\316\342km4\032\234\034[") at cmd.c:996
#6  0x00007fa09381faac in r_core_cmd_subst (core=0x607980 <r>, cmd=0xe3fca0 "pdf") at cmd.c:996
#7  0x00007fa09381faac in r_core_cmd_subst (core=0x607980 <r>, cmd=0xe015c0 "af") at cmd.c:996
#8  0x00007fa093821c88 in r_core_cmd (core=0x607980 <r>, 
    cstr=0x7fff3413fdb7 "af;pdf;cg \035\002\253=\272\323{!\240J\322\364\316\342km4\032\234\034[;~\376\203Q\261\177Y\236\302\f=5\256\217\206am\261\334\311\347(\365\060\366\361Rě\333\301\v\272\202\254\357[\261\342V\300\207", log=0) at cmd.c:1624
#9  0x00007fa093822229 in r_core_cmd0 (user=0x607980 <r>, 
    cmd=0x7fff3413fdb7 "af;pdf;cg \035\002\253=\272\323{!\240J\322\364\316\342km4\032\234\034[;~\376\203Q\261\177Y\236\302\f=5\256\217\206am\261\334\311\347(\365\060\366\361Rě\333\301\v\272\202\254\357[\261\342V\300\207") at cmd.c:1747
#10 0x0000000000404cf4 in main (argc=5, argv=0x7fff3413f3f8, envp=0x7fff3413f428) at radare2.c:696

will try to reproduce harder later

Greetings
--zlul

zonkzonk (Contributor, Author) commented Feb 7, 2015

this reproduces the first bug:

wget http://sprunge.us/CVVU
base64 -d CVVU | r2  -c "cg `cat -`" /bin/ls

buf core bug1

this reproduces the second bug:

wget http://sprunge.us/BCXa
base64 -d BCXa | r2  -c "cg `cat -`" /bin/ls

buf core arena

both still in 8f7fcc9

XVilka added the bug label Feb 7, 2015

radare (Collaborator) commented Feb 8, 2015

==26846== Invalid read of size 1
==26846== at 0x555F332: r_cons_flush (cons.c:359)
==26846== by 0x404CDD: main (radare2.c:697)
==26846== Address 0xba3ea70 is 0 bytes inside a block of size 1 free'd
==26846== at 0x4C29E50: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26846== by 0x5770891: r_config_node_free (config.c:37)
==26846== by 0x829E7EF: r_list_delete (list.c:91)
==26846== by 0x829E6D2: r_list_purge (list.c:61)
==26846== by 0x829E71D: r_list_free (list.c:71)
==26846== by 0x5771D79: r_config_free (config.c:416)
==26846== by 0x4E6508C: r_core_fini (core.c:904)
==26846== by 0x4E65154: r_core_free (core.c:922)
==26846== by 0x4E77F7D: cmd_cmp (cmd_cmp.c:485)
==26846== by 0x4EBF549: r_cmd_call (cmd_api.c:179)
==26846== by 0x4E9E460: r_core_cmd_subst_i (cmd.c:1437)
==26846== by 0x4E9CB7B: r_core_cmd_subst (cmd.c:981)
==26846==
==26846== Invalid read of size 1
==26846== at 0x555F332: r_cons_flush (cons.c:359)
==26846== by 0x404DB8: main (radare2.c:706)
==26846== Address 0xba3ea70 is 0 bytes inside a block of size 1 free'd
==26846== at 0x4C29E50: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26846== by 0x5770891: r_config_node_free (config.c:37)
==26846== by 0x829E7EF: r_list_delete (list.c:91)
==26846== by 0x829E6D2: r_list_purge (list.c:61)
==26846== by 0x829E71D: r_list_free (list.c:71)
==26846== by 0x5771D79: r_config_free (config.c:416)
==26846== by 0x4E6508C: r_core_fini (core.c:904)
==26846== by 0x4E65154: r_core_free (core.c:922)
==26846== by 0x4E77F7D: cmd_cmp (cmd_cmp.c:485)
==26846== by 0x4EBF549: r_cmd_call (cmd_api.c:179)
==26846== by 0x4E9E460: r_core_cmd_subst_i (cmd.c:1437)
==26846== by 0x4E9CB7B: r_core_cmd_subst (cmd.c:981)
==26846==
-- vm is like a small cow in ascii
|ERROR| Invalid command 'H���' (0x48)
==26846== Invalid read of size 1
==26846== at 0x555F332: r_cons_flush (cons.c:359)
==26846== by 0x4E655D3: r_core_prompt_exec (core.c:1014)
==26846== by 0x404F3C: main (radare2.c:741)
==26846== Address 0xba3ea70 is 0 bytes inside a block of size 1 free'd
==26846== at 0x4C29E50: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26846== by 0x5770891: r_config_node_free (config.c:37)
==26846== by 0x829E7EF: r_list_delete (list.c:91)
==26846== by 0x829E6D2: r_list_purge (list.c:61)
==26846== by 0x829E71D: r_list_free (list.c:71)
==26846== by 0x5771D79: r_config_free (config.c:416)
==26846== by 0x4E6508C: r_core_fini (core.c:904)
==26846== by 0x4E65154: r_core_free (core.c:922)
==26846== by 0x4E77F7D: cmd_cmp (cmd_cmp.c:485)
==26846== by 0x4EBF549: r_cmd_call (cmd_api.c:179)
==26846== by 0x4E9E460: r_core_cmd_subst_i (cmd.c:1437)
==26846== by 0x4E9CB7B: r_core_cmd_subst (cmd.c:981)
==26846==

On 02/07/2015 12:26 PM, zonkzonk wrote:

this reproduces the second bug:

wget http://sprunge.us/BCXa
base64 -d BCXa | r2 -c "cg cat buf.core.arena" /bin/ls

buf core arena


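The two GDB backtraces in the first comment and the Valgrind report above look different at the top frame (one faults inside r_num_get, the other jumps into libc's main_arena, the third is a read of freed memory in r_cons_flush) but share most of their call chain. The script below is an added triage example, not radare2 code: it parses GDB `bt` frames and Valgrind `at`/`by` frames, rejoins wrapped lines, skips the access-stack frames that carry no source location (libc, Valgrind's own free wrapper), and buckets reports by the top three in-project frames. The sample input is a constructed, abbreviated copy of the traces on this page; the signature depth and the `by_line` switch are choices of this example.

```python
"""Bucket crash reports (GDB backtraces, Valgrind memcheck) by stack signature.

Added example for triaging reports like the ones in this issue; not radare2's code.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, Optional[str], Optional[int]]  # (function, source file, line)

GDB_FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\w+)\s*\(")
GDB_AT = re.compile(r"\)\s+at\s+(\S+):(\d+)\s*$")
VG_HEADER = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)")
VG_FRAME = re.compile(
    r"^==\d+==\s+(?:at|by)\s+0x[0-9a-fA-F]+:\s+(\w+)\s+\((?:(\S+):(\d+)|in\s+\S+)\)"
)
# Lines that begin a new record; anything else is a wrapped continuation.
STARTS = ("#", "==", "(gdb)", "Program terminated", "Core was generated")


def join_continuations(text: str) -> List[str]:
    """gdb and Valgrind wrap long frames; glue a wrapped line back onto its frame."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if out and line.strip() and not line.lstrip().startswith(STARTS):
            out[-1] = out[-1] + " " + line.strip()
        else:
            out.append(line)
    return out


def parse_reports(text: str) -> List[dict]:
    """Return one dict per crash report: kind, what (signal / error), frames."""
    reports: List[dict] = []
    current: Optional[dict] = None
    in_free_stack = False

    def new_report(kind: str, what: str) -> None:
        nonlocal current, in_free_stack
        current = {"kind": kind, "what": what, "frames": []}
        in_free_stack = False
        reports.append(current)

    for line in join_continuations(text):
        s = line.strip()
        if s.startswith("Program terminated with signal"):
            new_report("gdb", s.split("signal", 1)[1].strip().rstrip("."))
            continue
        if s.startswith("(gdb) bt"):
            # gdb re-prints the faulting frame as #0 in the backtrace; start afresh.
            if current is None or current["kind"] != "gdb":
                new_report("gdb", "backtrace")
            current["frames"] = []
            continue
        m = GDB_FRAME.match(s)
        if m:
            if current is None or current["kind"] != "gdb":
                new_report("gdb", "backtrace")
            loc = GDB_AT.search(s)
            current["frames"].append(
                (m.group(2), loc.group(1) if loc else None, int(loc.group(2)) if loc else None)
            )
            continue
        m = VG_HEADER.match(s)
        if m:
            new_report("valgrind", m.group(1))
            continue
        if s.startswith("==") and "Address 0x" in s:
            in_free_stack = True  # frames after this describe the free(), not the bad access
            continue
        m = VG_FRAME.match(s)
        if m and current is not None and current["kind"] == "valgrind" and not in_free_stack:
            current["frames"].append(
                (m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None)
            )
    return reports


def signature(report: dict, depth: int = 3, by_line: bool = False) -> Tuple[str, ...]:
    """Top `depth` frames with source info; library frames (libc's main_arena,
    Valgrind's free) carry no file:line and are skipped so they don't hide the
    real call site."""
    sig: List[str] = []
    for func, path, line in report["frames"]:
        if path is None:
            continue
        sig.append(f"{func}@{path}:{line}" if by_line else func)
        if len(sig) == depth:
            break
    return tuple(sig)


def bucket(text: str, depth: int = 3, by_line: bool = False) -> Dict[Tuple[str, ...], List[dict]]:
    """Group all reports found in `text` by their signature (insertion ordered)."""
    buckets: Dict[Tuple[str, ...], List[dict]] = OrderedDict()
    for r in parse_reports(text):
        buckets.setdefault(signature(r, depth, by_line), []).append(r)
    return buckets


# Constructed sample: abbreviated copies of the traces pasted in this issue.
SAMPLE = r"""
Core was generated by `r2 -q -c af;pdf;cg <random bytes>'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f95d440cd8c in r_num_get (num=0x203f400, str=0x7fff5e40cebd "\371\023") at num.c:108
(gdb) bt
#0  0x00007f95d440cd8c in r_num_get (num=0x203f400, str=0x7fff5e40cebd "\371\023") at num.c:108
#1  0x00007f95d756beb9 in r_cons_grep (str=0x20a0826 "\351'\r\252")
    at grep.c:119
#2  0x00007f95d7c28b75 in r_core_cmd_subst_i (core=0x607980 <r>, cmd=0x20a0820 "\346", colon=0x0) at cmd.c:1311
#3  0x00007f95d7c279f4 in r_core_cmd_subst (core=0x607980 <r>, cmd=0x20a0820 "\346") at cmd.c:981
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fa08fbdb338 in main_arena () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007fa08fbdb338 in main_arena () from /usr/lib/libc.so.6
#1  0x00007fa090004d8e in r_num_get (num=0xe44440, str=0x7fff3413d524 "\261\342") at num.c:108
#2  0x00007fa093163db8 in r_cons_grep (
    str=0xe3fcf1 "\376\203Q") at grep.c:104
#3  0x00007fa093820b75 in r_core_cmd_subst_i (core=0x607980 <r>, cmd=0xe3fcf0 "", colon=0x0) at cmd.c:1311
==26846== Invalid read of size 1
==26846==    at 0x555F332: r_cons_flush (cons.c:359)
==26846==    by 0x404CDD: main (radare2.c:697)
==26846==  Address 0xba3ea70 is 0 bytes inside a block of size 1 free'd
==26846==    at 0x4C29E50: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26846==    by 0x5770891: r_config_node_free (config.c:37)
==26846==
"""

if __name__ == "__main__":
    for by_line in (False, True):
        print("granularity:", "file:line" if by_line else "function")
        for sig, reps in bucket(SAMPLE, by_line=by_line).items():
            print(f"  {len(reps)} report(s): {' <- '.join(sig)}")
```

At function granularity the two GDB crashes land in one bucket (r_num_get called from r_cons_grep from r_core_cmd_subst_i), which is the hint that the `~` grep path feeding r_num_get is the common trigger; at file:line granularity they split on grep.c:119 versus grep.c:104, and the Valgrind use-after-free in r_cons_flush stays in its own bucket either way.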
radare closed this as completed in d8f61ab Feb 10, 2015

zonkzonk (Contributor, Author) commented:

hm, on archlinux 64bit I still get both segfaults :/
