Hi Jonathan, Jan,
On 05/24/2012 07:55 PM, Jonathan M. Foote wrote:
IIRC copying a python script into /usr/share/gdb/python and using the
'import' command did not work properly on all versions of GDB 7.2+ that I tried it
on -- I'm glad to see it works in 7.3 on Fedora.
I have not tried using the extension with a core dump -- in our fuzz testing campaigns we
run it on a live process just after it crashes. However, I believe your analysis is
correct. $_siginfo is used in many of the heuristics that the plugin applies to the
crashed application. As it is implemented, if $_siginfo is not available in the coredump
you are testing on, the plugin will not function correctly. That being said, I would like
the plugin to work on core dumps if possible. Do you happen to know if your coredumps
include siginfo, and if so, how it can be accessed via GDB? Regardless, you have found a
bug here -- the "exploitable" extension is essentially failing silently and
should give the user a more explicit failure message when $_siginfo is not available. I
plan to address this.
Please let me know about accessing siginfo in your coredumps if you get a chance.
I confirm that $_siginfo can't be read from a coredump:
(gdb) core-file core.2466
Missing separate debuginfo for the main executable file
Try: yum --disablerepo='*' --enablerepo='*-debuginfo' install
[New LWP 2466]
Core was generated by `md5sum'.
Program terminated with signal 6, Aborted.
#0 0x0804b756 in ?? ()
(gdb) print $_siginfo.si_signo
Unable to read siginfo
(gdb) print $_siginfo._sifields._sigfault.si_addr
Unable to read siginfo
Your gdb_wrapper.py code wants to know two values.
The first one, the signal number, is present in the coredump, here:
$ readelf -aW core.2466
Notes at offset 0x00000274 with length 0x00000814:
Owner Data size Description
CORE 0x00000090 NT_PRSTATUS (prstatus structure)
CORE 0x0000007c NT_PRPSINFO (prpsinfo structure)
CORE 0x000000a0 NT_AUXV (auxiliary vector)
CORE 0x0000006c NT_FPREGSET (floating point registers)
LINUX 0x00000200 NT_PRXFPREG (user_xfpregs structure)
LINUX 0x00000340 NT_X86_XSTATE (x86 XSAVE extended state)
LINUX 0x00000030 Unknown note type: (0x00000200)
    int si_signo;                   /* Signal number. */
    int si_code;                    /* Extra code. */
    int si_errno;                   /* Errno. */

    struct elf_siginfo pr_info;     /* Info associated with signal. */
    short int pr_cursig;            /* Current signal. */
    unsigned long int pr_sigpend;   /* Set of pending signals. */
    unsigned long int pr_sighold;   /* Set of held signals. */
    struct timeval pr_utime;        /* User time. */
    struct timeval pr_stime;        /* System time. */
    struct timeval pr_cutime;       /* Cumulative user time. */
    struct timeval pr_cstime;       /* Cumulative system time. */
    elf_gregset_t pr_reg;           /* GP registers. */
    int pr_fpvalid;                 /* True if math copro being used. */
Therefore, we can probably teach gdb to provide it on coredumps.
However, the second value, $_siginfo._sifields._sigfault.si_addr,
is not available anywhere in the coredump, as far as I can see.
Jan, what do you know about this?
How big a problem is this for you, Jonathan?
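As an added illustration of the point made in this thread (not code from the exploitable plugin, gdb, or either poster), the following script builds a minimal i386 ELF core in memory and then reads the fatal signal out of its NT_PRSTATUS note the same way the readelf output above suggests: si_signo, si_code and si_errno come from struct elf_siginfo pr_info at the start of elf_prstatus, while the fault address is simply not there. The constant NT_SIGINFO (0x53494749) is assumed from later Linux kernels, which added a kernel siginfo_t note to core dumps; the core shown in the thread has no such note, so si_addr stays unknown for it. All function names and the constructed core are this example's own.

```python
import struct

# ELF32 little-endian constants; the core in the thread is an i386 one.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB = 1
ET_CORE = 4
PT_NOTE = 4
NT_PRSTATUS = 1
NT_SIGINFO = 0x53494749  # "SIGI": assumed, only written by newer kernels; absent above


def _align4(n):
    return (n + 3) & ~3


def build_note(name, ntype, desc):
    """Encode one ELF note: Elf32_Nhdr, then name and desc each padded to 4 bytes."""
    name_b = name.encode() + b"\0"
    hdr = struct.pack("<III", len(name_b), len(desc), ntype)
    return hdr + name_b.ljust(_align4(len(name_b)), b"\0") + desc.ljust(_align4(len(desc)), b"\0")


def build_prstatus_i386(si_signo, si_code, si_errno, cursig, pid):
    """i386 elf_prstatus, 0x90 bytes as in the readelf dump. Note the elf_siginfo field order."""
    body = struct.pack("<iii", si_signo, si_code, si_errno)  # struct elf_siginfo pr_info
    body += struct.pack("<hxxII", cursig, 0, 0)              # pr_cursig, pad, pr_sigpend, pr_sighold
    body += struct.pack("<iiii", pid, 1, pid, pid)           # pr_pid, pr_ppid, pr_pgrp, pr_sid
    body += b"\0" * (4 * 8)                                  # four struct timeval
    body += b"\0" * (17 * 4)                                 # elf_gregset_t pr_reg (17 regs on i386)
    body += struct.pack("<i", 0)                             # pr_fpvalid
    return body


def build_siginfo_i386(si_signo, si_errno, si_code, si_addr):
    """Kernel siginfo_t as an NT_SIGINFO desc (assumed i386 layout: _sifields at offset 12)."""
    return struct.pack("<iiiI", si_signo, si_errno, si_code, si_addr).ljust(128, b"\0")


def build_core_i386(notes):
    """Minimal ELF32 core: header, one PT_NOTE program header, then the note data (constructed)."""
    ehsize, phentsize = 52, 32
    note_data = b"".join(notes)
    phoff = ehsize
    noteoff = phoff + phentsize
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_CORE, 3, 1, 0, phoff, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, noteoff, 0, 0, len(note_data), 0, 0, 4)
    return ehdr + phdr + note_data


def iter_notes(core):
    """Yield (name, type, desc) for every note in every PT_NOTE segment of an ELF32 LE core."""
    if core[:4] != ELF_MAGIC or core[4] != ELFCLASS32 or core[5] != ELFDATA2LSB:
        raise ValueError("not an ELF32 little-endian file")
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from("<HHIIIIIHHH", core, 16)
    if e_type != ET_CORE:
        raise ValueError("not a core file")
    for i in range(phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<IIIII", core, phoff + i * phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", core, pos)
            pos += 12
            name = core[pos:pos + namesz].rstrip(b"\0").decode()
            pos += _align4(namesz)
            desc = core[pos:pos + descsz]
            pos += _align4(descsz)
            yield name, ntype, desc


def crash_signal_info(core):
    """Collect what the core carries about the fatal signal; si_addr stays None without NT_SIGINFO."""
    info = {"si_signo": None, "si_code": None, "si_errno": None, "pr_cursig": None, "si_addr": None}
    for name, ntype, desc in iter_notes(core):
        if name == "CORE" and ntype == NT_PRSTATUS and info["si_signo"] is None:
            # First thread's prstatus is the one the kernel dumped for the signal-taking thread.
            (info["si_signo"], info["si_code"],
             info["si_errno"], info["pr_cursig"]) = struct.unpack_from("<iiih", desc, 0)
        elif name == "CORE" and ntype == NT_SIGINFO:
            # Kernel siginfo_t order is si_signo, si_errno, si_code (unlike elf_siginfo),
            # and si_addr is the first member of _sigfault at offset 12 on i386 (assumed).
            signo, errno_, code, addr = struct.unpack_from("<iiiI", desc, 0)
            info.update(si_signo=signo, si_errno=errno_, si_code=code, si_addr=addr)
    return info


if __name__ == "__main__":
    # Constructed stand-in for core.2466: md5sum terminated by signal 6, no NT_SIGINFO note.
    core = build_core_i386([build_note("CORE", NT_PRSTATUS, build_prstatus_i386(6, 0, 0, 6, 2466))])
    print(crash_signal_info(core))
```

Run against the constructed core, the script reports si_signo 6 with si_addr None, which is exactly the gap the plugin hits: the signal number is recoverable from prstatus, the faulting address is not. To use it on a real core, replace the constructed bytes with the file contents; only ELF32 little-endian cores are handled here.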