
dmhb and dmhf show corrupted bins in heap

Open b10s opened this issue 1 year ago • 5 comments

Environment

root@ubuntu-s-1vcpu-512mb-10gb-sfo3-01:~# date
r2 -v
uname -ms
Sat Dec 10 06:54:36 PM UTC 2022
radare2 5.7.8 1 @ linux-x86-64 git.5.7.8
commit: 8e965bef30457a12e07a32a9047a9620a944bc39 build: 2022-09-13__16:22:19
Linux x86_64

Description

dmhb shows corrupted bins:

 Bin 017:
  double linked list small bin {
    0x7f98107fd5b8->fd = 0x0Double linked list corrupted

  }


also dmhf:

[0x55bd63f26d20]> dmhf
fastbinY {
 Fastbin 01
  Empty bin  0x0
 Fastbin 02
  Empty bin  0x0
 Fastbin 03
  fastbin 3 @ 0x7f3bba5fd478 {
   0x10e162854fa0b86e Linked list corrupted

  }
..


I expect the dmhb and dmhf commands to work properly.

Test

# r2 -d /bin/ls

[0x7f98108a0880]> dcu main
INFO: Continue until 0x56160b278d20 using 1 bpsize
hit breakpoint at: 0x56160b278d20

[0x56160b278d20]> dmhb

b10s avatar Dec 10 '22 18:12 b10s

Are you sure the bin is not really corrupted? Are you exploiting a buffer overflow or else?

gogo2464 avatar Dec 16 '22 13:12 gogo2464

Ehn.. it's /bin/ls, I doubt it's corrupted or so. The problem is probably that glibc or musl or whatever lib it is linking to is using different heap data structures than the ones that were implemented in dmh.

trufae avatar Dec 16 '22 14:12 trufae

Are you sure the bin is not really corrupted? Are you exploiting a buffer overflow or else?

@gogo2464 the bin must not be corrupted, since I tested the standard /bin/ls on a fresh VM.

I'm trying to explore heap via r2 - to look at bins, chunks, etc.

b10s avatar Dec 28 '22 15:12 b10s

@b10s /bin/ls does not have a heap set up at the start of main; do 40 dso or something. Works for me with the latest version.

~/code/r2heap >>> r2 -d /bin/ls 
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
[0x7f5693918b60]> dcu main
INFO: Continue until 0x5579c6de2050 using 1 bpsize
INFO: hit breakpoint at: 0x5579c6de2050
[0x5579c6de2050]> 40 dso
INFO: hit breakpoint at: 0x5579c6de209a
INFO: hit breakpoint at: 0x5579c6de2109
[0x5579c6de211a]> dmhb
INFO: libc version 2.39 identified from .rodata banner
WARN: Could not find main_arena via symbol or relocations
WARN: Found main_arena offset with pattern matching
Bins {
 Bin 001:
  double linked list unsorted bin {
    0x7f56938aeb20->fd = 0x7f56938aeb20
    0x7f56938aeb20->bk = 0x7f56938aeb20
  }
 Bin 002:
  double linked list small bin {
    0x7f56938aeb30->fd = 0x7f56938aeb30
    0x7f56938aeb30->bk = 0x7f56938aeb30
  }
[...]

koyaan avatar Mar 23 '24 20:03 koyaan
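The reply above explains the symptom: at the first instruction of main, malloc has not run yet, so main_arena is still zero-filled and every bin's fd/bk reads as 0x0, which a link walker reports as corrupted. The C program below is an added example (not radare2's code and not part of this issue) that models the circular doubly linked bin check such a walker performs: it builds bins in its own memory (uninitialised, initialised-but-empty, populated, and one with a constructed broken back link) and classifies each one. The struct layout, the check_bin function and the scenario names are assumptions made for the example; nothing here reads a live glibc arena.

```c
/* Added example: model of the doubly linked bin consistency walk behind
 * messages like "Double linked list corrupted". All bins are constructed
 * in this program's own memory; no live glibc arena is inspected. */
#include <stdio.h>
#include <stddef.h>

/* Only the link part of a malloc_chunk matters for the walk. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
};

enum bin_state { BIN_EMPTY = 0, BIN_OK = 1, BIN_CORRUPT = -1 };

/* Walk the circular list anchored at the bin header `bin`.
 * Invariant checked (the same one glibc enforces on unlink):
 *   p->fd->bk == p for every node, and the walk returns to the header.
 * BIN_EMPTY: header points to itself (initialised arena, nothing freed).
 * BIN_CORRUPT: NULL link (zeroed, never-initialised arena), a forward
 *   link not confirmed by its back link, or no return within `limit`. */
enum bin_state check_bin(const struct chunk *bin, size_t limit, size_t *count)
{
    const struct chunk *p = bin;
    size_t n = 0;
    if (bin->fd == NULL || bin->bk == NULL)
        return BIN_CORRUPT;              /* fd = 0x0, as in the report */
    if (bin->fd == bin && bin->bk == bin) {
        if (count) *count = 0;
        return BIN_EMPTY;
    }
    for (;;) {
        const struct chunk *next = p->fd;
        if (next == NULL || next->bk != p)
            return BIN_CORRUPT;          /* back link disagrees with forward link */
        if (next == bin)
            break;                       /* list closed cleanly */
        if (++n > limit)
            return BIN_CORRUPT;          /* cycle that never reaches the header */
        p = next;
    }
    if (count) *count = n;
    return BIN_OK;
}

/* Insert c at the head of bin, as glibc does for the unsorted bin. */
void bin_insert(struct chunk *bin, struct chunk *c)
{
    c->fd = bin->fd;
    c->bk = bin;
    bin->fd->bk = c;
    bin->fd = c;
}

/* Arena memory still zeroed: malloc never ran (state at the start of main). */
enum bin_state scenario_uninitialised(void)
{
    struct chunk bin = {0};              /* fd = bk = NULL */
    return check_bin(&bin, 64, NULL);
}

/* Arena initialised, bin empty: fd = bk = self, as in the dmhb output above. */
enum bin_state scenario_initialised_empty(void)
{
    struct chunk bin;
    bin.fd = bin.bk = &bin;
    return check_bin(&bin, 64, NULL);
}

/* Healthy bin holding two freed chunks; count receives the chunk count. */
enum bin_state scenario_two_chunks(size_t *count)
{
    struct chunk bin, a, b;
    bin.fd = bin.bk = &bin;
    bin_insert(&bin, &a);
    bin_insert(&bin, &b);
    return check_bin(&bin, 64, count);
}

size_t two_chunks_count(void)
{
    size_t n = 0;
    scenario_two_chunks(&n);
    return n;
}

/* A bin whose back link was overwritten: constructed damage, what a real
 * corruption looks like to the walker. */
enum bin_state scenario_broken_backlink(void)
{
    struct chunk bin, a;
    bin.fd = bin.bk = &bin;
    bin_insert(&bin, &a);
    a.bk = NULL;
    return check_bin(&bin, 64, NULL);
}

int main(void)
{
    printf("uninitialised arena : %d\n", scenario_uninitialised());
    printf("initialised, empty  : %d\n", scenario_initialised_empty());
    printf("two chunks          : %d (%zu chunks)\n",
           scenario_two_chunks(NULL), two_chunks_count());
    printf("broken back link    : %d\n", scenario_broken_backlink());
    return 0;
}
```

The first scenario is exactly what the original report hits: a header whose links are still 0x0 is indistinguishable, to a pure link walk, from a bin whose pointers were overwritten, so a tool has to know whether the arena was initialised at all (for instance by checking that malloc has been called, as stepping past the first allocations in main does) before it can call the list corrupted.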

Can we close this ticket? Maybe we can improve the parsing on corrupted heap chunks?

trufae avatar Apr 15 '24 22:04 trufae