| Questions | Answers
|------------------------------------------------------|--------------------
| OS/arch/bits (mandatory) | Ubuntu 16.04.3 LTS x86/64
| File format of the file you reverse (mandatory) | PE
| Architecture/bits of the file (mandatory) | x86
| r2 -v full output, not truncated (mandatory) | radare2 2.3.0-git 16987 @ linux-x86-64 git.2.2.0-176-g5402c59 commit: 5402c5938de925996a43b157994c6e5dfaec02c7 build: 2018-01-09__18:30:12
| r2 -V full output in a pastebin document (mandatory) | https://gist.github.com/Wenzel/2af7edc0d705045947d0a4a07cde642e
r2 should not have printed the debug output twice
r2 has printed the debug output twice, which means it has called the plugin __open method twice, leading to a memory leak the first time.
Output from this IO plugin that I'm developing, same behavior:
~~~
$ r2 -D vmi vmi://nitro_win7x64:4
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
Duplicate config for nitro_win7x64 found, using most recent
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__lseek, offset: 0
__lseek, offset: 0
__lseek, offset: 0
__system command: pid -1
__lseek, offset: 0
__lseek, offset: 0
__read, offset: 0
read: vmi_failure
__lseek, offset: 0
__lseek, offset: 0
__read, offset: 0
read: vmi_failure
-- Pass '-j' to rabin2 to get the information of the binary in JSON format.
[0x00000000]>
~~~
and __open function:
https://github.com/Wenzel/radare2-extras/blob/vmi/vmi/io_vmi.c#L87
Another example with the attachment, I tried to use the windbg plugin.
The printf is located here (Opened pipe....) : https://github.com/radare/radare2/blob/master/libr/io/p/io_windbg.c#L42
called twice.
Thanks for your support !

Opened pipe... is printed twice.
As a side note you can do r2 -d vmi://...
Is the same as r2 -D vmi vmi://
Try with -n. My guess is that rbin is trying to open the same file twice. Just a blind guess
@radare, I tried to disable rbin, but it's still the same:

Use r_sys_backtrace() in the open callback so we can see who calls that
I added the r_sys_backtrace() at the beginning of my __open implementation.
~~~C
static RIODesc *__open(RIO *io, const char *pathname, int flags, int mode) {
    r_sys_backtrace();
    printf("%s\n", __func__);
    ...
~~~
Sorry for the verbose output, I'm implementing the debug interface also.
~~~
$ r2 -d vmi://nitro_win7x64:4
r_debug_vmi_reg_profile
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x5813)[0x563155029813]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x62ce)[0x56315502a2ce]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
Duplicate config for nitro_win7x64 found, using most recent
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__lseek, offset: 0
__lseek, offset: 0
__lseek, offset: 0
r_debug_vmi_reg_profile
__getpid
__getpid
...
~~~
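An added example, not part of the original thread: the two backtraces above are identical except for one frame, and a short script makes that visible by comparing them frame by frame on module and offset (the bracketed addresses move with ASLR). The frame lines are copied from the vmi:// run above; the function names `parse_backtraces` and `call_site_diff` are this example's own.

```python
import re

# Frame format printed by r_sys_backtrace() in the thread: module(symbol+0xoff)[0xaddr]
FRAME = re.compile(r"^(?P<mod>[^\s(]+)\((?P<sym>[^)+]*)\+(?P<off>0x[0-9a-f]+)\)\[0x[0-9a-f]+\]$")
# Input: the two backtraces from the vmi:// run quoted in the comment above.
LOG = """\
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x5813)[0x563155029813]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
__open
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x62ce)[0x56315502a2ce]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
"""

def parse_backtraces(text):
    """Split a log into backtraces; each frame is (module basename, symbol, offset)."""
    traces, current = [], None
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if line.startswith("Backtrace "):
            current = []
            traces.append(current)
        elif m and current is not None:
            current.append((m["mod"].rsplit("/", 1)[-1], m["sym"], int(m["off"], 16)))
        else:
            current = None  # any other output line ends the current trace
    return traces

def call_site_diff(text):
    """Return 'module+0xoff' pairs for frames that differ between the first two traces."""
    traces = parse_backtraces(text)
    if len(traces) < 2:
        return []
    return [(f"{a[0]}+{a[2]:#x}", f"{b[0]}+{b[2]:#x}")
            for a, b in zip(traces[0], traces[1]) if a != b]

print(call_site_diff(LOG))
```

The only differing frame is the caller of `r_core_file_open` inside the `r2` binary, so the two `__open` calls come from two separate call sites there; those offsets can be resolved to source lines with a symbolizer such as `addr2line` against a build with debug info.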
Can't reproduce this behaviour with any of the io plugins I have in core..
I will try to provide a Dockerfile then.
here you go:
Dockerfile
~~~Dockerfile
FROM ubuntu:latest
ARG DEBIAN_FRONTEND=noninteractive
WORKDIR /root
RUN apt-get update && \
apt-get install -y git make gcc gdb
RUN git clone https://github.com/Wenzel/radare2.git -b debug_io_plugin && \
cd radare2 && ./sys/install.sh
~~~
How to use it:
~~~
$ docker build -t radare2 .
$ docker run -ti --rm=true --cap-add=SYS_PTRACE --security-opt=apparmor:unconfined radare2
root@2a2b51a9582b:~# gdbserver localhost:4200 /bin/ls &
[1] 16
root@2a2b51a9582b:~# gdbserver: Error disabling address space randomization: Operation not permitted
Process /bin/ls created; pid = 20
Listening on port 4200
root@2a2b51a9582b:~# r2 -d gdb://localhost:4200
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7f0a6639643e]
/usr/lib/libr_io.so(+0x14b8c)[0x7f0a68230b8c]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7f0a68245b7c]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7f0a68240782]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7f0a6a1cf83f]
r2(+0x5813)[0x562f9e124813]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0a65d84830]
r2(+0x30f9)[0x562f9e1220f9]
__open, p/io_gdb.c
Remote debugging from host 127.0.0.1
= attach 20 1
= attach 20 0
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7f0a6639643e]
/usr/lib/libr_io.so(+0x14b8c)[0x7f0a68230b8c]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7f0a68245b7c]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7f0a68240782]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7f0a6a1cf83f]
r2(+0x62ce)[0x562f9e1252ce]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0a65d84830]
r2(+0x30f9)[0x562f9e1220f9]
__open, p/io_gdb.c
-- Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file
[0x7f004f7f1c30]>
~~~
The output that you see has been inserted into the __open function of io_gdb.c:
https://github.com/Wenzel/radare2/blob/debug_io_plugin/libr/io/p/io_gdb.c#L59
@radare can you reproduce the issue now with the Dockerfile ?
Sorry, I have absolutely no time, didn't have time to test this. My guess is that the file is opened twice because of the rbin thing, but I didn't have time to test your docker image.
Thanks for your reply, no worries, it's not urgent anyway.
About rbin, I did try to disable it with -n in a previous test, but the result was the same.
OK, I can reproduce. Lemme put some printfs
Well, it was just a matter of reading: there's a comment on top of the 2nd call to file_open explaining the reason for that. Probably a hack after SIOL to get gdb:// working.

But the funny thing is that everything works if I remove this code.
So I'll just commit this code commented, and will wait for complaints.