
gdb.error: There is no member named _sifields. When running exploitable even though it exists.

Open personnumber3377 opened this issue 3 years ago • 0 comments

Hi!

I wrote a map fuzzer for this: https://github.com/SwagSoftware/Kisak-Strike and found a couple of crashes.

When I try to use exploitable to analyze them I am getting these errors.

```
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bspfuzz...
(gdb) r test.bsp master01.bsp 27015 < outputs/master01/crashes/id:000000,sig:11,src:000001,time:41812685,execs:3059647,op:havoc,rep:4
Starting program: /home/cyberhacker/Finalcsgo/game/bspfuzz test.bsp master01.bsp 27015 < outputs/master01/crashes/id:000000,sig:11,src:000001,time:41812685,execs:3059647,op:havoc,rep:4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
dedicated.so loaded at 0x7ffff77ec000
engine.so loaded at 0x7ffff5de1000
Reading from /home/cyberhacker/Finalcsgo/game/test.bsp
[New Thread 0x7ffff5525700 (LWP 522991)]
#Module /home/cyberhacker/Finalcsgo/game/bin/linux64/stdshader_dbg failed to load! Error: ((null))
#Module stdshader_dbg failed to load! Error: ((null))

#Console initialized.
#Loading VPK file hashes for pure server operation.
#Loading VPK file hashes for pure server operation.
#Loading VPK file hashes for pure server operation.
#Module /home/cyberhacker/Finalcsgo/game/csgo/bin/matchmaking_ds_client.so failed to load! Error: ((null))
#Module /home/cyberhacker/Finalcsgo/game/csgo/bin/server_valve failed to load! Error: ((null))
#Module /home/cyberhacker/Finalcsgo/game/csgo/bin/linux64/server_valve failed to load! Error: ((null))
#Module /home/cyberhacker/Finalcsgo/game/bin/csgo/bin/server_valve failed to load! Error: ((null))
#Module /home/cyberhacker/Finalcsgo/game/bin/csgo/bin/linux64/server_valve failed to load! Error: ((null))
#Module server_valve failed to load! Error: ((null))
#Module /home/cyberhacker/Finalcsgo/game/csgo/bin/server failed to load! Error: ((null))
#Game.dll loaded for "Counter-Strike: Global Offensive"
#CGameEventManager::AddListener: event 'server_pre_shutdown' unknown.
#CGameEventManager::AddListener: event 'game_newmap' unknown.
#CGameEventManager::AddListener: event 'finale_start' unknown.
#CGameEventManager::AddListener: event 'round_start' unknown.
#CGameEventManager::AddListener: event 'round_end' unknown.
#CGameEventManager::AddListener: event 'difficulty_changed' unknown.
#CGameEventManager::AddListener: event 'player_connect' unknown.
#CGameEventManager::AddListener: event 'player_disconnect' unknown.
#GameTypes: missing mapgroupsSP entry for game type/mode (custom/custom).
#GameTypes: missing mapgroupsSP entry for game type/mode (cooperative/cooperative).
#GameTypes: missing mapgroupsSP entry for game type/mode (cooperative/coopmission).
Failed to load gamerulescvars.txt, game rules cvars might not be reported to management tools.
Server is hibernating
[S_API] SteamAPI_Init(): SteamAPI_IsSteamRunning() did not locate a running instance of Steam.
[S_API] SteamAPI_Init(): Loaded '/home/cyberhacker/.local/share/Steam/linux64/steamclient.so' OK.
[S_API FAIL] SteamAPI_Init() failed; create pipe failed.
Particles: Missing 'particles/money_fx.pcf'
No web api auth key specified - workshop downloads will be disabled.
maxplayers set to 64
Unknown command "cl_bobamt_vert"
Unknown command "cl_bobamt_lat"
Unknown command "cl_bob_lower_amt"
Unknown command "cl_viewmodel_shift_left_amt"
Unknown command "cl_viewmodel_shift_right_amt"
Unknown command "cl_teamid_overhead"
Unknown command "cl_teamid_overhead_maxdist"
[Detaching after vfork from child process 522992]
[New Thread 0x7fffe2f6b700 (LWP 522994)]
[New Thread 0x7fffe2e6a700 (LWP 522995)]
---- Host_NewGame ----
Entering the loop bullshit....
Starting the loop.
Waiting for user input:
Got user input from terminal.
Time to try to load the thing:

Thread 1 "bspfuzz" received signal SIGSEGV, Segmentation fault.
CollisionBSPData_LoadTextures (pBSPData=0x7ffff72323e0 <g_BSPData>) at /home/cyberhacker/Finalcsgo/Kisak-Strike/engine/cmodel_bsp.cpp:352
352         out->name = &pBSPData->map_texturenames[index];
(gdb) source /home/cyberhacker/crashwalkshit/exploitable/exploitable/exploitable.py
(gdb) exploitable -v
/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py:197: UserWarning: Error while analyzing rule SegFaultOnPc (3/22): There is no member named _sifields.
Traceback (most recent call last):
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py", line 193, in getClassification
    match = rule.matches()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 96, in isSegFaultOnPcNotNearNull
    return self.isSegFaultOnPc() and not self.isFaNearNull()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 334, in isSegFaultOnPc
    self.faultingAddress() == self.target.pc()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 329, in faultingAddress
    return self.target.si_addr()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/gdb_wrapper/x86.py", line 572, in si_addr
    str(gdb.parse_and_eval("$_siginfo._sifields._sigfault.si_addr"))
gdb.error: There is no member named _sifields.

  warnings.warn("Error while analyzing rule {}: {}\n{}".format(
/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py:197: UserWarning: Error while analyzing rule SegFaultOnPcNearNull (12/22): There is no member named _sifields.
Traceback (most recent call last):
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py", line 193, in getClassification
    match = rule.matches()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 194, in isSegFaultOnPcNearNull
    return self.isSegFaultOnPc() and self.isFaNearNull()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 334, in isSegFaultOnPc
    self.faultingAddress() == self.target.pc()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 329, in faultingAddress
    return self.target.si_addr()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/gdb_wrapper/x86.py", line 572, in si_addr
    str(gdb.parse_and_eval("$_siginfo._sifields._sigfault.si_addr"))
gdb.error: There is no member named _sifields.

  warnings.warn("Error while analyzing rule {}: {}\n{}".format(
/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py:197: UserWarning: Error while analyzing rule SourceAvNearNull (16/22): There is no member named _sifields.
Traceback (most recent call last):
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py", line 193, in getClassification
    match = rule.matches()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 237, in isSourceAvNearNull
    return self.isSourceAv() and self.isFaNearNull()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 350, in isSourceAv
    source_op.eval() == self.faultingAddress()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 329, in faultingAddress
    return self.target.si_addr()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/gdb_wrapper/x86.py", line 572, in si_addr
    str(gdb.parse_and_eval("$_siginfo._sifields._sigfault.si_addr"))
gdb.error: There is no member named _sifields.

  warnings.warn("Error while analyzing rule {}: {}\n{}".format(
/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py:197: UserWarning: Error while analyzing rule SourceAv (19/22): There is no member named _sifields.
Traceback (most recent call last):
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/classifier.py", line 193, in getClassification
    match = rule.matches()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 226, in isSourceAvNotNearNull
    return self.isSourceAv() and not self.isFaNearNull()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 350, in isSourceAv
    source_op.eval() == self.faultingAddress()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/analyzers/x86.py", line 329, in faultingAddress
    return self.target.si_addr()
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/tools.py", line 80, in _wrapper
    res = func(tgt, *args)
  File "/home/cyberhacker/crashwalkshit/exploitable/exploitable/lib/gdb_wrapper/x86.py", line 572, in si_addr
    str(gdb.parse_and_eval("$_siginfo._sifields._sigfault.si_addr"))
gdb.error: There is no member named _sifields.

  warnings.warn("Error while analyzing rule {}: {}\n{}".format(
'exploitable' version 1.32
Linux cyberhacker-h8-1131sc 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64
Python Exception <class 'gdb.error'> There is no member named _sifields.:
Error occurred in Python: There is no member named _sifields.
```

I do not know why this happens.

When I run `p $_siginfo` in the debugger I get this output:

```
(gdb) p $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 1, _sifields = {_pad = {0 <repeats 28 times>}, _kill = {si_pid = 0, si_uid = 0}, _timer = {si_tid = 0, si_overrun = 0, si_sigval = {sival_int = 0, sival_ptr = 0x0}}, _rt = {si_pid = 0, si_uid = 0, si_sigval = {sival_int = 0, sival_ptr = 0x0}}, _sigchld = {si_pid = 0, si_uid = 0, si_status = 0, si_utime = 0, si_stime = 0}, _sigfault = {si_addr = 0x0, _addr_lsb = 0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}, _sigpoll = {si_band = 0, si_fd = 0}}}
```

Also, this command returns this:

```
(gdb) p $_siginfo._sifields._sigfault
$9 = {si_addr = 0x0, _addr_lsb = 0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}
```

But when I try to access the `si_addr` element I get the error:

```
(gdb) p $_siginfo._sifields._sigfault.si_addr
There is no member named _sifields.
```

However, this does not make sense. When I try to run the same commands in another binary it works perfectly:

```
(gdb) p $_siginfo._sifields._sigfault
$3 = {si_addr = 0x0, _addr_lsb = 0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}
(gdb) p $_siginfo._sifields._sigfault.si_addr
$4 = (void *) 0x0
```

The application I am trying to fuzz is multithreaded but I do not think that it has that much of an effect in this case.

personnumber3377 · Jan 02 '23 23:01
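A workaround sketch, added here as an example and not code from exploitable or from the reporter: the struct dump that `p $_siginfo` prints in the report still carries `_sigfault.si_addr`, so a wrapper can fall back to parsing that text when gdb rejects the direct member path. The `eval_expr` callback, the sample dump, and the near-null threshold are assumptions; inside gdb the callback would be `lambda e: str(gdb.parse_and_eval(e))`.

```python
import re

# Constructed sample, shaped like the `p $_siginfo` dump quoted in the issue
# (unrelated union members dropped, whitespace collapsed as in the report).
SAMPLE_SIGINFO = (
    "$1 = {si_signo = 11, si_errno = 0, si_code = 1, _sifields = {_pad = {0 <repeats 28 times>}, "
    "_sigfault = {si_addr = 0x0, _addr_lsb = 0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}, "
    "_sigpoll = {si_band = 0, si_fd = 0}}}"
)

SIGSEGV = 11
SEGV_CODES = {1: "SEGV_MAPERR", 2: "SEGV_ACCERR"}  # si_code values from <signal.h>
NEAR_NULL_LIMIT = 0x10000  # assumed "near null" cut-off, not exploitable's exact constant


def parse_siginfo(dump):
    """Extract si_signo, si_code and _sifields._sigfault.si_addr from the text
    gdb prints for `p $_siginfo`. Fields missing from the text come back as None."""
    def grab(pattern, conv):
        m = re.search(pattern, dump)
        return conv(m.group(1)) if m else None
    return {
        "si_signo": grab(r"si_signo = (\d+)", int),
        "si_code": grab(r"si_code = (\d+)", int),
        "si_addr": grab(r"_sigfault = \{\s*si_addr = (0x[0-9a-fA-F]+)", lambda s: int(s, 16)),
    }


def faulting_address(eval_expr):
    """eval_expr(expr) returns gdb's printed value as a string. First try the member
    path exploitable uses (gdb prints e.g. "(void *) 0x0"); if gdb rejects it, as
    the issue shows, evaluate the whole struct and parse si_addr out of the text."""
    try:
        return int(eval_expr("$_siginfo._sifields._sigfault.si_addr").split()[-1], 16)
    except Exception:  # gdb.error inside gdb; the gdb module is not importable here
        return parse_siginfo(eval_expr("$_siginfo"))["si_addr"]


def describe_fault(eval_expr):
    """Small triage summary of the stopped signal, in the spirit of exploitable's rules."""
    info = parse_siginfo(eval_expr("$_siginfo"))
    addr = faulting_address(eval_expr)
    return {
        "signal": "SIGSEGV" if info["si_signo"] == SIGSEGV else info["si_signo"],
        "code": SEGV_CODES.get(info["si_code"], info["si_code"]),
        "fault_address": addr,
        "near_null": addr is not None and addr < NEAR_NULL_LIMIT,
    }
```

With the dump from the report the fallback yields a fault address of 0x0 and si_code 1 (SEGV_MAPERR), which is why exploitable's near-null rules were the ones failing.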