Radare2: IO plugins are initialized twice which may lead to memory leak

Created on 9 Jan 2018 · 15 Comments · Source: radareorg/radare2

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 16.04.3 LTS x86/64 |
| File format of the file you reverse (mandatory) | PE |
| Architecture/bits of the file (mandatory) | x86 |
| r2 -v full output, not truncated (mandatory) | radare2 2.3.0-git 16987 @ linux-x86-64 git.2.2.0-176-g5402c59 commit: 5402c5938de925996a43b157994c6e5dfaec02c7 build: 2018-01-09__18:30:12 |
| r2 -V full output in a pastebin document (mandatory) | https://gist.github.com/Wenzel/2af7edc0d705045947d0a4a07cde642e |

Expected behavior

r2 should not have printed the debug output twice

Actual behavior

r2 has printed the debug output twice, which means it has called the plugin __open method twice, leading to a memory leak the first time.

Steps to reproduce the behavior

Output from this IO plugin that I'm developing, same behavior:
~~~
$ r2 -D vmi vmi://nitro_win7x64:4
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
Duplicate config for nitro_win7x64 found, using most recent
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__lseek, offset: 0
__lseek, offset: 0
__lseek, offset: 0
__system command: pid -1
__lseek, offset: 0
__lseek, offset: 0
__read, offset: 0
read: vmi_failure
__lseek, offset: 0
__lseek, offset: 0
__read, offset: 0
read: vmi_failure
-- Pass '-j' to rabin2 to get the information of the binary in JSON format.
[0x00000000]>
~~~

and __open function:
https://github.com/Wenzel/radare2-extras/blob/vmi/vmi/io_vmi.c#L87

Another example with the attachment: I tried to use the windbg plugin.

The printf located here (Opened pipe....) is called twice: https://github.com/radare/radare2/blob/master/libr/io/p/io_windbg.c#L42

Thanks for your support !

All 15 comments

windbg
Opened pipe... is printed twice.

As a side note, you can do r2 -d vmi://..., which is the same as r2 -D vmi vmi://

On 9 Jan 2018, at 18:01, Mathieu Tarral notifications@github.com wrote:


Try with -n. My guess is that rbin is trying to open the same file twice. Just a blind guess.


@radare, I tried to disable rbin, but it's still the same:
[screenshot: radare2]

Use r_sys_backtrace() in the open callback so we can see who calls that


I added the r_sys_backtrace() at the beginning of my __open implementation.
~~~c
static RIODesc *__open(RIO *io, const char *pathname, int flags, int mode) {
	r_sys_backtrace();
	printf("%s\n", __func__);
	...
~~~

Sorry for the verbose output, I'm implementing the debug interface also.

~~~
$ r2 -d vmi://nitro_win7x64:4
r_debug_vmi_reg_profile
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x5813)[0x563155029813]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7fae886d03ee]
/home/tarrma/.config/radare2/plugins/io_vmi.so(+0xe58)[0x7fae86f70e58]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7fae8a57fbf9]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7fae8a57a7ff]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7fae8c50875d]
r2(+0x62ce)[0x56315502a2ce]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fae880be830]
r2(+0x30f9)[0x5631550270f9]
__open
VM: nitro_win7x64, PID: 4
Initializing LibVMI
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
VMI_ERROR: Failed to open libxc interface.
Duplicate config for nitro_win7x64 found, using most recent
LibVMI Suggestion: set win_ntoskrnl=0x281d000 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdbg=0x1f10a0 in libvmi.conf for faster startup.
LibVMI Suggestion: set win_kdvb=0xfffff80002a0e0a0 in libvmi.conf for faster startup.
__lseek, offset: 0
__lseek, offset: 0
__lseek, offset: 0
r_debug_vmi_reg_profile
__getpid
__getpid
...
~~~

Can't reproduce this behaviour with any of the io plugins I have in core.


I will try to provide a Dockerfile then.

here you go:
Dockerfile
~~~Dockerfile
FROM ubuntu:latest

ARG DEBIAN_FRONTEND=noninteractive

WORKDIR /root
RUN apt-get update && \
apt-get install -y git make gcc gdb

RUN git clone https://github.com/Wenzel/radare2.git -b debug_io_plugin && \
cd radare2 && ./sys/install.sh
~~~

How to use it:
~~~
$ docker build -t radare2 .
$ docker run -ti --rm=true --cap-add=SYS_PTRACE --security-opt=apparmor:unconfined radare2
root@2a2b51a9582b:~# gdbserver localhost:4200 /bin/ls &
[1] 16
root@2a2b51a9582b:~# gdbserver: Error disabling address space randomization: Operation not permitted
Process /bin/ls created; pid = 20
Listening on port 4200
root@2a2b51a9582b:~# r2 -d gdb://localhost:4200
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7f0a6639643e]
/usr/lib/libr_io.so(+0x14b8c)[0x7f0a68230b8c]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7f0a68245b7c]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7f0a68240782]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7f0a6a1cf83f]
r2(+0x5813)[0x562f9e124813]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0a65d84830]
r2(+0x30f9)[0x562f9e1220f9]
__open, p/io_gdb.c
Remote debugging from host 127.0.0.1
= attach 20 1
= attach 20 0
Backtrace 8 stack frames.
/usr/lib/libr_util.so(r_sys_backtrace+0x28)[0x7f0a6639643e]
/usr/lib/libr_io.so(+0x14b8c)[0x7f0a68230b8c]
/usr/lib/libr_io.so(r_io_desc_open+0x93)[0x7f0a68245b7c]
/usr/lib/libr_io.so(r_io_open_nomap+0x3a)[0x7f0a68240782]
/usr/lib/libr_core.so(r_core_file_open+0xc1)[0x7f0a6a1cf83f]
r2(+0x62ce)[0x562f9e1252ce]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f0a65d84830]
r2(+0x30f9)[0x562f9e1220f9]
__open, p/io_gdb.c
-- Use zoom.byte=entropy and press 'z' in visual mode to zoom out to see the entropy of the whole file
[0x7f004f7f1c30]>
~~~

The output that you see has been inserted into the __open function of io_gdb.c:
https://github.com/Wenzel/radare2/blob/debug_io_plugin/libr/io/p/io_gdb.c#L59

@radare can you reproduce the issue now with the Dockerfile ?

Sorry, I have absolutely no time; I didn't have time to test this. My guess is that the file is opened twice because of the rbin thing, but I didn't have time to test your Docker image.


Thanks for your reply, no worries, it's not urgent anyway.
About rbin, I did try to disable it with -n in a previous test, but the result was the same.

OK, I can reproduce. Lemme put some printfs.


Well, it was just a matter of reading: there's a comment on top of the 2nd call to file_open explaining the reason for that. Probably a hack after SIOL to get gdb:// working.

[screenshot: 2018-01-26 at 11:50:17]

But the funny thing is that everything works if I remove this code.

So I'll just commit this code commented out, and will wait for complaints.
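An added example, not code from radare2 or from anyone in this thread, that models the bug discussed above in C. The issue body describes a plugin __open that allocates a backend session on every call, and the final comment traces the duplicate call to a second file_open in the core that was never paired with a close. The names below (Backend, Desc, plugin_open, plugin_close, core_open_buggy, core_open_fixed, leaked_after) are hypothetical stand-ins for the r2 structures; a live-handle counter makes the orphaned first descriptor observable the same way the duplicated "__open" debug lines did in the logs above.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backend resource created by the plugin's open callback (stands in for the
 * LibVMI session or the windbg pipe). Hypothetical type, not an r2 struct. */
typedef struct {
    char *uri;
} Backend;

/* Descriptor handed back to the core, analogous to an RIODesc. */
typedef struct {
    Backend *be;
} Desc;

/* Number of backend handles currently alive. It must return to zero once
 * every descriptor the core received has been closed. */
static int live_backends = 0;

/* Plugin open callback: every call creates a fresh backend, exactly like the
 * __open in the issue that initialised LibVMI on each invocation. */
static Desc *plugin_open(const char *uri) {
    Backend *be = malloc(sizeof *be);
    if (!be) {
        return NULL;
    }
    be->uri = strdup(uri);
    live_backends++;
    Desc *d = malloc(sizeof *d);
    if (!d) {
        free(be->uri);
        free(be);
        live_backends--;
        return NULL;
    }
    d->be = be;
    printf("__open %s (live backends: %d)\n", uri, live_backends);
    return d;
}

/* Plugin close callback: releases the backend and the descriptor. */
static void plugin_close(Desc *d) {
    if (!d) {
        return;
    }
    free(d->be->uri);
    free(d->be);
    free(d);
    live_backends--;
}

/* Before the fix: the core opens the URI, then opens it a second time and
 * keeps only the second descriptor. The first is dropped without a close. */
static Desc *core_open_buggy(const char *uri) {
    Desc *first = plugin_open(uri);
    (void)first;            /* never closed: one backend leaks */
    return plugin_open(uri);
}

/* After the fix: a single open per URI, so close balances open. */
static Desc *core_open_fixed(const char *uri) {
    return plugin_open(uri);
}

/* Run one scenario and return how many backend handles are still alive after
 * the caller closes the descriptor it was handed: 0 means no leak. */
static int leaked_after(Desc *(*open_fn)(const char *), const char *uri) {
    live_backends = 0;
    Desc *d = open_fn(uri);
    plugin_close(d);
    return live_backends;
}

int main(void) {
    /* Constructed sample URI, not a real VM. */
    const char *uri = "vmi://example_vm:4";
    printf("buggy core leaks %d backend(s)\n", leaked_after(core_open_buggy, uri));
    printf("fixed core leaks %d backend(s)\n", leaked_after(core_open_fixed, uri));
    return 0;
}
```

Compile with `cc -Wall leak_model.c && ./a.out`; the buggy path prints "__open" twice and reports one leaked backend, the fixed path prints it once and reports zero. The same counter technique (increment in the plugin's open, decrement in its close, check for zero at exit) is a cheap way for a plugin author to catch a core that opens more descriptors than it closes.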
