Segmentation fault when opening windows binaries
Closed this issue · 17 comments
Environment Details
QCommandLineParser: already having an option named "w"
iaito 5.2.2
Fri Nov 5 20:12:43 CET 2021
radare2 5.4.3 26997 @ linux-x86-64 git.5.4.2
commit: f0ffdde6b6f54f440f5a6920e88de46a60ca8f4f build: 2021-11-04__14:12:46
Linux x86_64iaito is installed from the master branch and is up to date.
Description
When trying to open a project iaito crashes with a Segmentation fault after the analysis is done.
Output (disabled analysis):
QCommandLineParser: already having an option named "w"
WARNING: r_event_hook: assertion 'ev' failed (line 59)
Plugins are loaded from "/home/****/.local/share/radareorg/iaito/plugins"
Loaded 0 plugin(s).
Plugins are loaded from "/usr/local/share/radareorg/iaito/plugins"
Plugins are loaded from "/usr/share/radareorg/iaito/plugins"
Segmentation fault (core dumped)
How to reproduce
Open iaito, open an executable, wait for the analysis to finish and it will crash.
This seems to only happens with Windows binaries, I didn't encounter it with ELF executables.
So is iaito built by you? If so, can you provide a backtrace from the debugger or recompile with asan to get some context here?
Yep, I build it myself, I'll try to debug it.
How do I build it with debug symbols?
you can use qtcreator, debug builds are made by default, otherwise you can specify the profile when building with cmake or qmake, in theory you can do qmake CONFIG+=debug to get a debug build with symbols and such. hope that works
qmake doesn't work, it doesn't find the qt project file, but I edited the build.sh script, it should now compile a debug build. Hopefully I'll be able to post the backtrace from gdb tomorrow.
Hmm... I'm still doing something wrong, and I can't find a CMakeLists.txt to build with cmake..
it's in src. the issue with qmake is usually related to use the one from the distro (debian?) instead of the official sdk. yeah, the whole qt ecosystem sucks
ah, ok, thanks. Yeah, qt kinda sucks, I tried to learn it a few times but I didn't find anything in the documentation 🤷♂️
Here is my gdb output: https://pastebin.com/LLvd5fEq The segmentation fault occured during analysis. It opened fine when disabling analysis
If you are not running iaito in debugger mode i dont see why it should be messing with breakpoints. i assume this is not an issue in r2.
the line affected is:
2243 if (auto bpi = core->dbg->bp->bps_idx[i]) {
From what i read in the code the bps_idx_count should be 16, and all the items inside this array of pointers should be NULL so it shouldnt be crashing, this if statement, looks wrong with my C eye because assignments in conditionals should have double parenthesis..
actually the bps_idx array is conceptually broken and should just use the API as the comment above say, as well as use the linked list instead of that fixed array 🤦
thanks for pointing out that error. So after this i would go for making this code less repulsive by using the following code instead in the getBreakpoints() function:
for (int i = 0;; i++) {
RBreakpointItem *bpi = r_bp_get_index(core->dbg->bp, i);
if (!bpi) break;
ret.push_back(breakpointDescriptionFromR2(i, bpi);
}
i will look into the debugger mess in the next release. but this code will probably wont compile in r2-5.6.
Can you test this change and report back if its fixed? if not, the other thing you can do is:
RListIter *iter;
RBreakpointItem *bpi;
r_list_foreach (core->dbg->bps, iter, bpi) {
ret.push_back(breakpointDescriptionFromR2(i, bpi);
}
thanks!
Ok, I'll try
any update here?
Didn't check, totally forgot that, sry, will test that as soon as I'm at home
Ok, I finally checked it,
for (int i = 0;; i++) {
RBreakpointItem *bpi = r_bp_get_index(core->dbg->bp, i);
if (!bpi) break;
ret.push_back(breakpointDescriptionFromR2(i, bpi);
}fixed the segfault
Please submit a pr. And i think it will be better to continue instead of break
By using continue you just made an endless loop.
Yes. My bad.. i fixed it later because neither this or the previous code is how breakpoints are suposed to be iterated and i wasnt expecting an unconditional loop there. O:)