
0x00007fe404a4bb30 in r_list_split_iter #585

Closed
zonkzonk opened this Issue · 23 comments

2 participants: zonkzonk, radare

zonkzonk

$ r2 -v
radare2 0.9.7git @ linux-little-x86-64 git.0.9.6-439-g70ef729
commit: 70ef729 build: 2014-01-29

$ echo 'af;q'|radare2 -d /lib/libavfilter.so.3.90.100
Process with PID 8938 started...
PID = 8938
r_debug_select: 8938 8938
Invalid length
 -- Enable the PAGER with e scr.pager=less -R
[0x7f2531916e50]> Do you want to quit? (Y/n)
Do you want to kill the process? (Y/n) 
Segmentation fault (core dumped) 


Reading symbols from /usr/local/bin/radare2...done.
[New LWP 8937] 

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fffdbdbd000
Core was generated by `radare2 -d /lib/libavfilter.so.3.90.100'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fe404a4bb30 in r_list_split_iter (list=0x13966a0, iter=0x139a420) at list.c:88
88              if (iter->n) iter->n->p = iter->p;
(gdb) bt        
#0  0x00007fe404a4bb30 in r_list_split_iter (list=0x13966a0, iter=0x139a420) at list.c:88
#1  0x00007fe404a4bc2b in r_list_delete (list=0x13966a0, iter=0x139a420) at list.c:115
#2  0x00007fe404a4bd76 in r_list_destroy (list=0x13966a0) at list.c:158
#3  0x00007fe404a4bdc1 in r_list_free (list=0x13966a0) at list.c:169
#4  0x00007fe404c6d6b1 in r_flag_free (f=0xe0c850) at flags.c:38
#5  0x00007fe407b91788 in r_core_fini (c=0x6068e0 <r>) at core.c:623
#6  0x0000000000404814 in main (argc=3, argv=0x7fffdbc81038, envp=0x7fffdbc81058) at radare2.c:624
(gdb) x/i $pc
=> 0x7fe404a4bb30 <r_list_split_iter+132>:      mov    %rdx,0x10(%rax)

greetings
z.

The -d bug was introduced with this commit:
commit 35d1452

radare
Owner
zonkzonk

removing a free in list.c fixes it for me, but:

169 R_API void r_list_free (RList *list) {
170     if (list) {
171         r_list_destroy (list);
172         //free (list);
173     }
174 }
radare
Owner
radare
Owner

Can you run again to verify that this bug is still open?

zonkzonk

$ echo 'af;q'|radare2 -d /lib/libavfilter.so.3.90.100
Process with PID 8542 started...
PID = 8542
r_debug_select: 8542 8542
-- Use the '[' and ']' keys in visual mode to adjust the screen width (scr.width)
[0x7f50a184de50]> Do you want to quit? (Y/n)
Do you want to kill the process? (Y/n)
Segmentation fault
$ r2 -v
radare2 0.9.7.rc2 @ linux-little-x86-64 git.0.9.6-587-g235307f
commit: 235307f build: 2014-02-21

it does not magically disappear :)

zonkzonk

again valgrind out: http://sprunge.us/LSZF

radare
Owner

Where can I get the /lib/libavfilter.so.3.90.100?

zonkzonk

/lib/libavfilter.so.3.90.100 is owned by ffmpeg 1:2.1.3-1 :)
also /lib/libclamav.so.6, /lib/libclang.so, /lib/libglib-2.0.so

radare added this to the 0.9.7 milestone
radare
Owner

Upload dat file somewhere plz :) I don't use (ubuntu?)

zonkzonk

libavfilter so 3 90 100 uu

The file has a png extension; it is uuencoded.

radare
Owner
zonkzonk

yes

,r2 -d /lib/libavfilter.so.3.90.100 
Process with PID 5803 started...
PID = 5803
r_debug_select: 5803 5803
 -- I swear i didn't knew she had only 8bits!
[0x7ff3fab01e50]> af
[0x7ff3fab01e50]> pdf
   ;      [11] va=0x7ff3fab01e50 pa=0x0002be50 sz=512699 vsz=512699 rwx=-r-x .text
/ (fcn) rip 13
|          0x7ff3fab01e50    488b7f48     mov rdi, [rdi+0x48]
|          0x7ff3fab01e54    4883c718     add rdi, 0x18
|          ; CODE (CALL) XREF from 0x7ff3fab01b70 (sym.imp.av_expr_parse)
|          ; CODE (CALL) XREF from 0x7ff3fab01a30 (unk)
|          ; CODE (CALL) XREF from 0x7ff3fab01a50 (sym.imp.av_dict_copy)
|          ; CODE (CALL) XREF from 0x7ff3fab01ad0 (sym.imp.av_frame_get_channel_layout)
|          ; CODE (CALL) XREF from 0x7ff3fab01b60 (sym.imp.av_get_channel_layout)
|          ; CODE (CALL) XREF from 0x7ff3fab01ae0 (sym.imp.av_dict_get)
\          0x7ff3fab01e58    e9d3fbffff   jmp sym.imp.swr_free ; (fcn.7ff3fab01a36)
[0x7ff3fab01e50]> q
Do you want to quit? (Y/n)
Do you want to kill the process? (Y/n)
Segmentation fault
,date
Tue Feb 25 12:12:16 CET 2014
radare
Owner
zonkzonk

nope :)

radare closed this in e5f534e
radare referenced this issue from a commit: ReFix for #585 issue f3d622a
zonkzonk

sorry, still there:

,gdb -q r2 core.10447 
Reading symbols from r2...done.

warning: core file may not match specified executable file.
[New LWP 10447]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `r2 -d /lib/libavfilter.so.3.90.100'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f90ca163d8b in r_list_split_iter (list=0x228d400, iter=0x228d410) at list.c:88
88              if (iter->n) iter->n->p = iter->p;
(gdb) bt
#0  0x00007f90ca163d8b in r_list_split_iter (list=0x228d400, iter=0x228d410) at list.c:88
#1  0x00007f90ca163e86 in r_list_delete (list=0x228d400, iter=0x228d410) at list.c:115
#2  0x00007f90ca163fd1 in r_list_destroy (list=0x228d400) at list.c:158
#3  0x00007f90ca16401c in r_list_free (list=0x228d400) at list.c:169
#4  0x00007f90ca3866e1 in r_flag_free (f=0x1ce0130) at flags.c:38
#5  0x00007f90cd40aa22 in r_core_fini (c=0x6068e0 <r>) at core.c:625
#6  0x0000000000404885 in main (argc=3, argv=0x7fff1466b3f8, envp=0x7fff1466b418) at radare2.c:628
(gdb) !r2 -v
radare2 0.9.7.rc3 @ linux-little-x86-64 git.0.9.7-4-g081e0b7
commit: 081e0b7b0db214adb407dae1e1eafed29b43d3bf build: 2014-02-27
zonkzonk

valgrind

==10460== Memcheck, a memory error detector
==10460== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10460== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==10460== Command: r2 -d /lib/libavfilter.so.3.90.100
==10460== Parent PID: 10439
==10460== 
==10460== Use of uninitialised value of size 8
==10460==    at 0x89BF381: _itoa_word (in /usr/lib/libc-2.19.so)
==10460==    by 0x89C2DF2: vfprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x89EB458: vsnprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x5500178: r_cons_printf (cons.c:454)
==10460==    by 0x5B9D252: r_debug_reg_list (reg.c:102)
==10460==    by 0x4E4E412: ??? (cmd_debug.c:593)
==10460==    by 0x4E5074B: ??? (cmd_debug.c:1241)
==10460==    by 0x6975F18: r_cmd_call (cmd.c:172)
==10460==    by 0x4E6EC2E: ??? (cmd.c:1319)
==10460==    by 0x4E6D3E7: ??? (cmd.c:879)
==10460==    by 0x4E6F62F: r_core_cmd (cmd.c:1502)
==10460==    by 0x4E6FE17: r_core_cmd_str (cmd.c:1672)
==10460== 
==10460== Conditional jump or move depends on uninitialised value(s)
==10460==    at 0x89BF388: _itoa_word (in /usr/lib/libc-2.19.so)
==10460==    by 0x89C2DF2: vfprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x89EB458: vsnprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x5500178: r_cons_printf (cons.c:454)
==10460==    by 0x5B9D252: r_debug_reg_list (reg.c:102)
==10460==    by 0x4E4E412: ??? (cmd_debug.c:593)
==10460==    by 0x4E5074B: ??? (cmd_debug.c:1241)
==10460==    by 0x6975F18: r_cmd_call (cmd.c:172)
==10460==    by 0x4E6EC2E: ??? (cmd.c:1319)
==10460==    by 0x4E6D3E7: ??? (cmd.c:879)
==10460==    by 0x4E6F62F: r_core_cmd (cmd.c:1502)
==10460==    by 0x4E6FE17: r_core_cmd_str (cmd.c:1672)
==10460== 
==10460== Conditional jump or move depends on uninitialised value(s)
==10460==    at 0x89C2E3E: vfprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x89EB458: vsnprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x5500178: r_cons_printf (cons.c:454)
==10460==    by 0x5B9D252: r_debug_reg_list (reg.c:102)
==10460==    by 0x4E4E412: ??? (cmd_debug.c:593)
==10460==    by 0x4E5074B: ??? (cmd_debug.c:1241)
==10460==    by 0x6975F18: r_cmd_call (cmd.c:172)
==10460==    by 0x4E6EC2E: ??? (cmd.c:1319)
==10460==    by 0x4E6D3E7: ??? (cmd.c:879)
==10460==    by 0x4E6F62F: r_core_cmd (cmd.c:1502)
==10460==    by 0x4E6FE17: r_core_cmd_str (cmd.c:1672)
==10460==    by 0x4E6BEC5: ??? (cmd.c:416)
==10460== 
==10460== Conditional jump or move depends on uninitialised value(s)
==10460==    at 0x89BFE49: vfprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x89EB458: vsnprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x5500178: r_cons_printf (cons.c:454)
==10460==    by 0x5B9D252: r_debug_reg_list (reg.c:102)
==10460==    by 0x4E4E412: ??? (cmd_debug.c:593)
==10460==    by 0x4E5074B: ??? (cmd_debug.c:1241)
==10460==    by 0x6975F18: r_cmd_call (cmd.c:172)
==10460==    by 0x4E6EC2E: ??? (cmd.c:1319)
==10460==    by 0x4E6D3E7: ??? (cmd.c:879)
==10460==    by 0x4E6F62F: r_core_cmd (cmd.c:1502)
==10460==    by 0x4E6FE17: r_core_cmd_str (cmd.c:1672)
==10460==    by 0x4E6BEC5: ??? (cmd.c:416)
==10460== 
==10460== Conditional jump or move depends on uninitialised value(s)
==10460==    at 0x89BFECC: vfprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x89EB458: vsnprintf (in /usr/lib/libc-2.19.so)
==10460==    by 0x5500178: r_cons_printf (cons.c:454)
==10460==    by 0x5B9D252: r_debug_reg_list (reg.c:102)
==10460==    by 0x4E4E412: ??? (cmd_debug.c:593)
==10460==    by 0x4E5074B: ??? (cmd_debug.c:1241)
==10460==    by 0x6975F18: r_cmd_call (cmd.c:172)
==10460==    by 0x4E6EC2E: ??? (cmd.c:1319)
==10460==    by 0x4E6D3E7: ??? (cmd.c:879)
==10460==    by 0x4E6F62F: r_core_cmd (cmd.c:1502)
==10460==    by 0x4E6FE17: r_core_cmd_str (cmd.c:1672)
==10460==    by 0x4E6BEC5: ??? (cmd.c:416)
==10460== 
==10460== Invalid read of size 8
==10460==    at 0x813CFA9: r_list_destroy (list.c:155)
==10460==    by 0x813D01B: r_list_free (list.c:169)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460==  Address 0x120f3a30 is 0 bytes inside a block of size 24 free'd
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460== 
==10460== Invalid write of size 8
==10460==    at 0x813CFE4: r_list_destroy (list.c:162)
==10460==    by 0x813D01B: r_list_free (list.c:169)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460==  Address 0x120f3a38 is 8 bytes inside a block of size 24 free'd
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460== 
==10460== Invalid read of size 8
==10460==    at 0x813CFF0: r_list_destroy (list.c:162)
==10460==    by 0x813D01B: r_list_free (list.c:169)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460==  Address 0x120f3a38 is 8 bytes inside a block of size 24 free'd
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460== 
==10460== Invalid write of size 8
==10460==    at 0x813CFF8: r_list_destroy (list.c:162)
==10460==    by 0x813D01B: r_list_free (list.c:169)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460==  Address 0x120f3a30 is 0 bytes inside a block of size 24 free'd
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460== 
==10460== Invalid free() / delete / delete[] / realloc()
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460==  Address 0x120f3a30 is 0 bytes inside a block of size 24 free'd
==10460==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==10460==    by 0x813D027: r_list_free (list.c:170)
==10460==    by 0x7F246E0: r_flag_free (flags.c:38)
==10460==    by 0x4E49A21: r_core_fini (core.c:625)
==10460==    by 0x404884: main (radare2.c:628)
==10460== 
==10460== 
==10460== HEAP SUMMARY:
==10460==     in use at exit: 1,488,491 bytes in 17,474 blocks
==10460==   total heap usage: 87,798 allocs, 70,329 frees, 159,563,885 bytes allocated
==10460== 
==10460== LEAK SUMMARY:
==10460==    definitely lost: 915,356 bytes in 12,610 blocks
==10460==    indirectly lost: 177,857 bytes in 4,480 blocks
==10460==      possibly lost: 13,132 bytes in 7 blocks
==10460==    still reachable: 382,146 bytes in 377 blocks
==10460==         suppressed: 0 bytes in 0 blocks
==10460== Rerun with --leak-check=full to see details of leaked memory
==10460== 
==10460== For counts of detected and suppressed errors, rerun with: -v
==10460== Use --track-origins=yes to see where uninitialised values come from
==10460== ERROR SUMMARY: 155 errors from 10 contexts (suppressed: 1 from 1)
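The backtraces and the valgrind run above both point at the same defect: `r_list_free` calls `r_list_destroy` and then `free (list)` (list.c:169-170), and when the same list is torn down a second time from `r_flag_free`, `r_list_split_iter` walks neighbour pointers of nodes that are already freed, which is the `iter->n->p = iter->p` fault at list.c:88 and the "Invalid free()" valgrind reports. The following is an added example, not radare2's list.c: a toy doubly-linked list with the same node shape (`n`/`p`), the same destroy-versus-free split, and the teardown idiom that makes a second cleanup pass harmless. Every name in it (`List`, `Iter`, `list_free_and_null`, `demo_lifecycle`, the flag strings) is constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Toy list modelled on the node shape in the backtrace (iter->n / iter->p).
 * Constructed for this example; not radare2's RList. */
typedef struct iter_t {
    void *data;
    struct iter_t *n;   /* next */
    struct iter_t *p;   /* previous */
} Iter;

typedef struct {
    Iter *head;
    Iter *tail;
    size_t length;
    void (*free_data)(void *);
} List;

static List *list_new(void (*free_data)(void *)) {
    List *l = calloc(1, sizeof *l);
    if (l) l->free_data = free_data;
    return l;
}

static Iter *list_append(List *l, void *data) {
    Iter *it = calloc(1, sizeof *it);
    if (!it) return NULL;
    it->data = data;
    it->p = l->tail;
    if (l->tail) l->tail->n = it; else l->head = it;
    l->tail = it;
    l->length++;
    return it;
}

/* Unlink one node. This is the statement that faulted at list.c:88
 * (iter->n->p = iter->p): it dereferences neighbours through a node that
 * is already freed when the list is torn down twice. */
static void list_split_iter(List *l, Iter *it) {
    if (l->head == it) l->head = it->n;
    if (l->tail == it) l->tail = it->p;
    if (it->p) it->p->n = it->n;
    if (it->n) it->n->p = it->p;
    it->n = it->p = NULL;
    l->length--;
}

static void list_delete(List *l, Iter *it) {
    list_split_iter(l, it);
    if (l->free_data) l->free_data(it->data);
    free(it);
}

/* Frees every node; the container stays valid and reusable. */
static void list_destroy(List *l) {
    while (l->head) list_delete(l, l->head);
}

/* Frees the nodes and then the container (the r_list_destroy + free(list)
 * sequence). The pointer dangles afterwards, so a second call on the same
 * pointer is the double free valgrind reported from list.c:170. */
static void list_free(List *l) {
    if (!l) return;
    list_destroy(l);
    free(l);
}

/* Safe teardown idiom: free through the owner's slot and null it, so a
 * second cleanup pass over the same owner is a no-op, not a use-after-free. */
static void list_free_and_null(List **slot) {
    if (!slot || !*slot) return;
    list_free(*slot);
    *slot = NULL;
}

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

typedef struct {
    size_t before;          /* nodes after three appends */
    size_t after_delete;    /* after unlinking one node */
    size_t after_destroy;   /* after list_destroy: container still usable */
    int slot_null;          /* 1 if both teardown passes left the slot NULL */
} DemoResult;

/* Build, unlink, destroy, reuse, then tear down twice through the slot.
 * The flag names are constructed stand-ins for what `af` would create. */
DemoResult demo_lifecycle(void) {
    DemoResult r = {0, 0, 0, 0};
    List *flags = list_new(free);
    Iter *first = list_append(flags, dup_str("entry0"));
    list_append(flags, dup_str("main"));
    list_append(flags, dup_str("sym.imp.swr_free"));
    r.before = flags->length;
    list_delete(flags, first);
    r.after_delete = flags->length;
    list_destroy(flags);
    r.after_destroy = flags->length;
    list_append(flags, dup_str("reused"));   /* container is still valid */
    list_free_and_null(&flags);
    list_free_and_null(&flags);              /* second pass: no-op */
    r.slot_null = (flags == NULL);
    return r;
}
```

Run it under `valgrind` or with `-fsanitize=address` and the run is clean; replace the two `list_free_and_null(&flags)` calls with two plain `list_free(flags)` calls and the same tools report the invalid read in the unlink step followed by the invalid free, matching the report in the thread.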
zonkzonk

this fixes it for me http://sprunge.us/eibT

radare
Owner

This patch doesn't apply to the latest code in git. Are you sure that you tested it with the newest code in the repo? This is how it looks right now:

        if (r->bin->minstrlen==0) {
                r->bin->minstrlen = r->bin->cur->curplugin->minstrlen;
                if (r->bin->minstrlen==0)
                        r->bin->minstrlen = MINSTR;
        }
        if (minstr>0 || r->bin->minstrlen <=0) {
                r->bin->minstrlen = R_MIN (minstr, MINSTR);
        }
radare referenced this issue from a commit: Minor change for #585 a5932a6
zonkzonk

yes, the patch was against an older revision; can you try this one instead (works with /bin/ls and the lib):

,git diff
diff --git a/libr/core/bin.c b/libr/core/bin.c
index 1daeb81..680f8d8 100644
--- a/libr/core/bin.c
+++ b/libr/core/bin.c
@@ -52,15 +52,15 @@ static int bin_strings (RCore *r, int mode, ut64 baddr, int va) {
        }
        //if (r->bin->minstrlen == 0 && minstr>0) r->bin->minstrlen = minstr;
        //else if (r->bin->minstrlen > 0) r_config_set_i (r->config, "bin.minstr", r->bin->minstrlen);
+       if (r->bin->minstrlen <=0) {
+               r->bin->minstrlen = R_MIN (minstr, MINSTR);
+               return R_FALSE;
+       }
        if (r->bin->minstrlen==0) {
                r->bin->minstrlen = r->bin->cur->curplugin->minstrlen;
                if (r->bin->minstrlen==0)
                        r->bin->minstrlen = MINSTR;
        }
-       if (minstr>0 || r->bin->minstrlen <=0) {
-               r->bin->minstrlen = R_MIN (minstr, MINSTR);
-               //return R_FALSE;
-       }

        /* code */
        if (rawstr) {
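Review bot: the new `if (r->bin->minstrlen <=0)` block at the top of the hunk returns before the plugin default is consulted, so the `if (r->bin->minstrlen==0)` branch right below it (`r->bin->minstrlen = r->bin->cur->curplugin->minstrlen;`) becomes unreachable, and a file whose minimum string length is still unset now aborts string scanning with `R_FALSE` instead of falling back to the plugin value or `MINSTR`. It also drops the `minstr>0` case of the removed block, so a configured `minstr` is no longer applied when the stored length is already positive. If the goal is only to reject the invalid length, consider keeping the early return for a negative value and letting 0 fall through to the existing defaulting code; note that `R_MIN (minstr, MINSTR)` is 0 when `minstr` is 0, so the stored value would still be invalid on the next call.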

,r2 -v
radare2 0.9.7.rc3 @ linux-little-x86-64 git.0.9.7-6-ga5932a6
commit: a5932a6 build: 2014-02-28

zonkzonk

,grep -B7 'Segmentation faul' /tmp/typescript |grep lib
---/lib/libavfilter.so---
---/lib/libavfilter.so.3---
---/lib/libavfilter.so.3.90.100---
---/lib/libboost_graph.so---
---/lib/libboost_graph.so.1.55.0---
---/lib/libboost_log_setup.so---
---/lib/libboost_log_setup.so.1.55.0---
---/lib/libboost_regex.so---
---/lib/libboost_regex.so.1.55.0---
---/lib/libboost_serialization.so---
---/lib/libboost_serialization.so.1.55.0---
---/lib/libboost_wave.so---
---/lib/libboost_wave.so.1.55.0---
---/lib/libboost_wserialization.so---
---/lib/libboost_wserialization.so.1.55.0---
---/lib/libclamav.so---
---/lib/libclamav.so.6---
---/lib/libclamav.so.6.1.20---
---/lib/libclang.so---
---/lib/libglib-2.0.so---
---/lib/libglib-2.0.so.0---
---/lib/libglib-2.0.so.0.3800.2---
---/lib/libicutu.so---
---/lib/libicutu.so.52---
---/lib/libicutu.so.52.1---
---/lib/libMagickCore-6.Q16HDRI.so---
---/lib/libMagickCore-6.Q16HDRI.so.2---
---/lib/libMagickCore-6.Q16HDRI.so.2.0.0---
---/lib/libmikmod.so---
---/lib/libmikmod.so.3---
---/lib/libmikmod.so.3.3.0---
---/lib/libnssckbi.so---
---/lib/libpcre16.so---
---/lib/libpcre16.so.0---
---/lib/libpcre16.so.0.2.2---
---/lib/libpcre32.so---
---/lib/libpcre32.so.0---
---/lib/libpcre32.so.0.0.2---
---/lib/libpcre.so---
---/lib/libpcre.so.1---
---/lib/libpcre.so.1.2.2---
---/lib/libpython3.3m.so---
---/lib/libpython3.3m.so.1.0---
---/lib/libQtCore.so---
---/lib/libQtCore.so.4---
---/lib/libQtCore.so.4.8---
---/lib/libQtCore.so.4.8.5---
---/lib/libQtHelp.so---
---/lib/libQtHelp.so.4---
---/lib/libQtHelp.so.4.8---
---/lib/libQtHelp.so.4.8.5---
---/lib/libr_anal.so---
---/lib/libr_anal.so.0.9.7.rc2---
---/lib/libr_asm.so---
---/lib/libr_asm.so.0.9.7.rc2---
---/lib/libSDL_mixer-1.2.so.0---
---/lib/libSDL_mixer-1.2.so.0.12.0---
---/lib/libSDL_mixer.so---

all are 64 bit:

,file /lib/libpcre16.so.0.2.2
/lib/libpcre16.so.0.2.2: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=8212b3ea50ced91c5e5436d7827ac5ac090cd38b, stripped

radare
Owner

Should be fixed now :) Thanks

zonkzonk

testing /lib/lib* again: looks good so far:

-- May the segfault be with you :)
