Crash when connecting to qemu-aarch64-static GDB

Open novafacing opened this issue 4 years ago • 6 comments

Environment information

  • Operating System: Ubuntu 18.04.3
  • Cutter version: Cutter 2.0.2
  • Obtained from: Cutter Releases, AppImage file Cutter-v2.0.2-x64.Linux.AppImage
    • [ ] Built from source
    • [x] Downloaded release from Cutter website or GitHub
    • [ ] Distribution repository
  • File format: AppImage

Describe the bug

Open a qemu debugging session using qemu-aarch64-static -g 12345 ./chal (version string below). I open the binary in question in cutter and select Debug > Connect to Remote Debugger. Upon connecting with 127.0.0.1 12345 Cutter crashes with "cutter has received a signal it cannot handle and will now close".

To Reproduce

Steps to reproduce the behavior:

  1. Open a qemu debugging session using qemu-aarch64-static -g 12345 ./chal (version string below).
  2. Open the binary in question in cutter and select Debug > Connect to Remote Debugger.
  3. Upon connecting with 127.0.0.1 12345 Cutter crashes with "cutter has received a signal it cannot handle and will now close".

Expected behavior

I would generally expect debugging to work somewhat normally on a remote gdb server. mra.zip

Additional context

I think the issue here is that connecting to a different architecture remote gdb server on Ubuntu requires the use of gdb-multiarch. There is no selector that I can find in Cutter to select a different gdb binary, but I suspect that adding this and being able to use gdb-multiarch would solve the problem. Binary is attached.

Qemu version string:

❯ qemu-aarch64-static --version
qemu-aarch64 version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.36)
Copyright (c) 2003-2017 Fabrice Bellard and the QEMU Project developers

novafacing avatar May 02 '21 06:05 novafacing

I think the issue here is that connecting to a different architecture remote gdb server on Ubuntu requires the use of gdb-multiarch.

That's not how rizin works. Rizin has its own implementation for talking to the gdb server protocol, and it does not depend on a gdb executable.

Issues like that are typically on the rizin side. If you want to speed up this issue, it would help if you or anyone else tried reproducing it using plain rizin without the Cutter GUI.

karliss avatar May 03 '21 08:05 karliss

That makes sense. I'm not a heavy Cutter user (yet), just jumped ship from Ghidra this weekend while playing OOOCtf.

I can try a repro with plain rizin in a spare minute; the env isn't complicated. It'll give me an excuse to learn some of the CLI anyway 😄

novafacing avatar May 03 '21 08:05 novafacing

@karliss I used the same setup and connected using rizin -d gdb://localhost:12345 and went ahead and did a test of all the debugger commands specified here. Nothing broke in a way that makes sense given the Cutter crash, and I was able to do what I was trying to do in cutter through the Rizin CLI. Let me know if there are any further steps to take to try and repro that I didn't try here.

novafacing avatar May 04 '21 17:05 novafacing

Retried with the latest Rizin and QEMU:

[i] ℤ qemu-aarch64 --version  15:56:03
qemu-aarch64 version 5.2.0 (qemu-5.2.0-8.fc34)
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
[i] ℤ rizin -v  15:56:01
rizin 0.3.0-git @ linux-x86-64
commit: 09d5b01b67c640c1fafde9b3434ade342a225b32, build: 2021-09-18__12:22:59
[i] ℤ rizin -a arm -b 64 -d gdb://localhost:12345  15:52:57
WARNING: rz_file_exists: assertion '!RZ_STR_ISEMPTY(str)' failed (line 172)
Ignoring duplicated register definition 'DBGWVR'
Ignoring duplicated register definition 'DBGWVR'
Ignoring duplicated register definition 'DBGWCR'
Ignoring duplicated register definition 'DBGBVR'
Ignoring duplicated register definition 'DBGWCR'
Ignoring duplicated register definition 'DBGBVR'
Ignoring duplicated register definition 'DBGBCR'
Ignoring duplicated register definition 'DBGBCR'
Ignoring duplicated register definition 'DBGWVR'
Ignoring duplicated register definition 'DBGWVR'
Ignoring duplicated register definition 'DBGWCR'
Ignoring duplicated register definition 'DBGBVR'
Ignoring duplicated register definition 'DBGWCR'
Ignoring duplicated register definition 'DBGBVR'
Ignoring duplicated register definition 'DBGBCR'
Ignoring duplicated register definition 'DBGBCR'
= attach 1 172152
 -- Find expanded AES keys in memory with '/ca'
[0x00400720]> dr
x0 = 0x00000000
x1 = 0x00000000
x2 = 0x00000000
x3 = 0x00000000
x4 = 0x00000000
x5 = 0x00000000
x6 = 0x00000000
x7 = 0x00000000
x8 = 0x00000000
x9 = 0x00000000
x10 = 0x00000000
x11 = 0x00000000
x12 = 0x00000000
x13 = 0x00000000
x14 = 0x00000000
x15 = 0x00000000
x16 = 0x00000000
x17 = 0x00000000
x18 = 0x00000000
x19 = 0x00000000
x20 = 0x00000000
x21 = 0x00000000
x22 = 0x00000000
x23 = 0x00000000
x24 = 0x00000000
x25 = 0x00000000
x26 = 0x00000000
x27 = 0x00000000
x28 = 0x00000000
x29 = 0x00000000
x30 = 0x00000000
sp = 0x55007ff420
pc = 0x00400720
MVFR6_EL1_RESERVED = 0x00000000
ID_AA64PFR0_EL1 = 0x00000000
ID_AA64PFR1_EL1 = 0x00000000
ID_AA64PFR3_EL1_RESERVED = 0x00000000
ID_AA64ZFR0_EL1 = 0x00000000
DACR32_EL2 = 0x00000000
CPACR = 0x00000000
FPEXC32_EL2 = 0x00000000
ID_AA64PFR7_EL1_RESERVED = 0x00000000
ID_AA64DFR0_EL1 = 0x00000000
ID_AA64DFR1_EL1 = 0x00000000
ID_AA64DFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR0_EL1 = 0x00000000
ID_AA64AFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR3_EL1_RESERVED = 0x00000000
ID_AA64ISAR0_EL1 = 0x00000000
ELR_EL1 = 0x00000000
PMEVTYPER0_EL0 = 0x00000000
ID_AA64ISAR2_EL1_RESERVED = 0x00000000
DBGWVR = 0x00000000
ZCR_EL1 = 0x00000000
RVBAR_EL1 = 0x00000000
PMEVTYPER2_EL0 = 0x00000000
MDCCSR_EL0 = 0x00000000
ID_AA64ISAR6_EL1_RESERVED = 0x00000000
ID_AA64ISAR7_EL1_RESERVED = 0x00000000
ID_AA64MMFR0_EL1 = 0x00000000
ID_AA64MMFR1_EL1 = 0x00000000
ID_AA64MMFR2_EL1 = 0x00000000
DBGWCR = 0x00000000
PMCNTENSET_EL0 = 0x00000000
PMCR_EL0 = 0x00000000
PMCNTENCLR_EL0 = 0x00000000
PMOVSCLR_EL0 = 0x00000000
MDSCR_EL1 = 0x00000000
PMMIR_EL1 = 0x00000000
DBGBVR = 0x00000000
DBGBCR = 0x00000000
TTBR0_EL1 = 0x00000000
TCR_EL1 = 0x00000000
TFSR_EL3 = 0x00000000
ZCR_EL2 = 0x00000000
APIAKEYLO_EL1 = 0x00000000
SP_EL1 = 0x00000000
APIBKEYLO_EL1 = 0x00000000
APDAKEYLO_EL1 = 0x00000000
CONTEXTIDR_EL1 = 0x00000000
CPUMERRSR_EL1 = 0x00000000
L2MERRSR_EL1 = 0x00000000
MAIR_EL1 = 0x00000000
AFSR0_EL1 = 0x00000000
AFSR1_EL1 = 0x00000000
CBAR_EL1 = 0x00000000
APGAKEYHI_EL1 = 0x00000000
MDCR_EL3 = 0x00000000
AMAIR0 = 0x00000000
FPCR = 0x00000000
ESR_EL1 = 0x00000000
CLIDR = 0x00000000
ID_PFR0 = 0x00000000
GMID_EL1 = 0x00000000
ID_MMFR0 = 0x00000000
LORSA_EL1 = 0x00000000
AIDR = 0x00000000
LOREA_EL1 = 0x00000000
TPIDRRO_EL0 = 0x00000000
LORN_EL1 = 0x00000000
IFSR32_EL2 = 0x00000000
ID_ISAR0 = 0x00000000
PMEVCNTR0_EL0 = 0x00000000
PMEVCNTR1_EL0 = 0x00000000
CTR_EL0 = 0x00000000
PMEVCNTR2_EL0 = 0x00000000
PMEVCNTR3_EL0 = 0x00000000
ID_MMFR4 = 0x00000000
MVFR0_EL1 = 0x00000000
FAR_EL1 = 0x00000000
MVFR2_EL1 = 0x00000000
MVFR4_EL1_RESERVED = 0x00000000
[0x00400720]> ds
[0x00400720]> dr
x0 = 0x00000000
x1 = 0x00000000
x2 = 0x00000000
x3 = 0x00000000
x4 = 0x00000000
x5 = 0x00000000
x6 = 0x00000000
x7 = 0x00000000
x8 = 0x00000000
x9 = 0x00000000
x10 = 0x00000000
x11 = 0x00000000
x12 = 0x00000000
x13 = 0x00000000
x14 = 0x00000000
x15 = 0x00000000
x16 = 0x00000000
x17 = 0x00000000
x18 = 0x00000000
x19 = 0x00000000
x20 = 0x00000000
x21 = 0x00000000
x22 = 0x00000000
x23 = 0x00000000
x24 = 0x00000000
x25 = 0x00000000
x26 = 0x00000000
x27 = 0x00000000
x28 = 0x00000000
x29 = 0x00000000
x30 = 0x00000000
sp = 0x55007ff420
pc = 0x00400724
MVFR6_EL1_RESERVED = 0x00000000
ID_AA64PFR0_EL1 = 0x00000000
ID_AA64PFR1_EL1 = 0x00000000
ID_AA64PFR3_EL1_RESERVED = 0x00000000
ID_AA64ZFR0_EL1 = 0x00000000
DACR32_EL2 = 0x00000000
CPACR = 0x00000000
FPEXC32_EL2 = 0x00000000
ID_AA64PFR7_EL1_RESERVED = 0x00000000
ID_AA64DFR0_EL1 = 0x00000000
ID_AA64DFR1_EL1 = 0x00000000
ID_AA64DFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR0_EL1 = 0x00000000
ID_AA64AFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR3_EL1_RESERVED = 0x00000000
ID_AA64ISAR0_EL1 = 0x00000000
ELR_EL1 = 0x00000000
PMEVTYPER0_EL0 = 0x00000000
ID_AA64ISAR2_EL1_RESERVED = 0x00000000
DBGWVR = 0x00000000
ZCR_EL1 = 0x00000000
RVBAR_EL1 = 0x00000000
PMEVTYPER2_EL0 = 0x00000000
MDCCSR_EL0 = 0x00000000
ID_AA64ISAR6_EL1_RESERVED = 0x00000000
ID_AA64ISAR7_EL1_RESERVED = 0x00000000
ID_AA64MMFR0_EL1 = 0x00000000
ID_AA64MMFR1_EL1 = 0x00000000
ID_AA64MMFR2_EL1 = 0x00000000
DBGWCR = 0x00000000
PMCNTENSET_EL0 = 0x00000000
PMCR_EL0 = 0x00000000
PMCNTENCLR_EL0 = 0x00000000
PMOVSCLR_EL0 = 0x00000000
MDSCR_EL1 = 0x00000000
PMMIR_EL1 = 0x00000000
DBGBVR = 0x00000000
DBGBCR = 0x00000000
TTBR0_EL1 = 0x00000000
TCR_EL1 = 0x00000000
TFSR_EL3 = 0x00000000
ZCR_EL2 = 0x00000000
APIAKEYLO_EL1 = 0x00000000
SP_EL1 = 0x00000000
APIBKEYLO_EL1 = 0x00000000
APDAKEYLO_EL1 = 0x00000000
CONTEXTIDR_EL1 = 0x00000000
CPUMERRSR_EL1 = 0x00000000
L2MERRSR_EL1 = 0x00000000
MAIR_EL1 = 0x00000000
AFSR0_EL1 = 0x00000000
AFSR1_EL1 = 0x00000000
CBAR_EL1 = 0x00000000
APGAKEYHI_EL1 = 0x00000000
MDCR_EL3 = 0x00000000
AMAIR0 = 0x00000000
FPCR = 0x00000000
ESR_EL1 = 0x00000000
CLIDR = 0x00000000
ID_PFR0 = 0x00000000
GMID_EL1 = 0x00000000
ID_MMFR0 = 0x00000000
LORSA_EL1 = 0x00000000
AIDR = 0x00000000
LOREA_EL1 = 0x00000000
TPIDRRO_EL0 = 0x00000000
LORN_EL1 = 0x00000000
IFSR32_EL2 = 0x00000000
ID_ISAR0 = 0x00000000
PMEVCNTR0_EL0 = 0x00000000
PMEVCNTR1_EL0 = 0x00000000
CTR_EL0 = 0x00000000
PMEVCNTR2_EL0 = 0x00000000
PMEVCNTR3_EL0 = 0x00000000
ID_MMFR4 = 0x00000000
MVFR0_EL1 = 0x00000000
FAR_EL1 = 0x00000000
MVFR2_EL1 = 0x00000000
MVFR4_EL1_RESERVED = 0x00000000
[0x00400720]> ds 10
[0x00400720]> dr
x0 = 0x55007ff420
x1 = 0x00400000
x2 = 0x00000000
x3 = 0x00000000
x4 = 0x00000000
x5 = 0x00000000
x6 = 0x00000000
x7 = 0x00000000
x8 = 0x00000000
x9 = 0x00000000
x10 = 0x00000000
x11 = 0x00000000
x12 = 0x00000000
x13 = 0x00000000
x14 = 0x00000000
x15 = 0x00000000
x16 = 0x00000000
x17 = 0x00000000
x18 = 0x00000000
x19 = 0x00000000
x20 = 0x00000000
x21 = 0x00000000
x22 = 0x00000000
x23 = 0x00000000
x24 = 0x00000000
x25 = 0x00000000
x26 = 0x00000000
x27 = 0x00000000
x28 = 0x00000000
x29 = 0x550077f450
x30 = 0x00000000
sp = 0x550077f450
pc = 0x0040074c
MVFR6_EL1_RESERVED = 0x00000000
ID_AA64PFR0_EL1 = 0x00000000
ID_AA64PFR1_EL1 = 0x00000000
ID_AA64PFR3_EL1_RESERVED = 0x00000000
ID_AA64ZFR0_EL1 = 0x00000000
DACR32_EL2 = 0x00000000
CPACR = 0x00000000
FPEXC32_EL2 = 0x00000000
ID_AA64PFR7_EL1_RESERVED = 0x00000000
ID_AA64DFR0_EL1 = 0x00000000
ID_AA64DFR1_EL1 = 0x00000000
ID_AA64DFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR0_EL1 = 0x00000000
ID_AA64AFR2_EL1_RESERVED = 0x00000000
ID_AA64AFR3_EL1_RESERVED = 0x00000000
ID_AA64ISAR0_EL1 = 0x00000000
ELR_EL1 = 0x00000000
PMEVTYPER0_EL0 = 0x00000000
ID_AA64ISAR2_EL1_RESERVED = 0x00000000
DBGWVR = 0x00000000
ZCR_EL1 = 0x00000000
RVBAR_EL1 = 0x00000000
PMEVTYPER2_EL0 = 0x00000000
MDCCSR_EL0 = 0x00000000
ID_AA64ISAR6_EL1_RESERVED = 0x00000000
ID_AA64ISAR7_EL1_RESERVED = 0x00000000
ID_AA64MMFR0_EL1 = 0x00000000
ID_AA64MMFR1_EL1 = 0x00000000
ID_AA64MMFR2_EL1 = 0x00000000
DBGWCR = 0x00000000
PMCNTENSET_EL0 = 0x00000000
PMCR_EL0 = 0x00000000
PMCNTENCLR_EL0 = 0x00000000
PMOVSCLR_EL0 = 0x00000000
MDSCR_EL1 = 0x00000000
PMMIR_EL1 = 0x00000000
DBGBVR = 0x00000000
DBGBCR = 0x00000000
TTBR0_EL1 = 0x00000000
TCR_EL1 = 0x00000000
TFSR_EL3 = 0x00000000
ZCR_EL2 = 0x00000000
APIAKEYLO_EL1 = 0x00000000
SP_EL1 = 0x00000000
APIBKEYLO_EL1 = 0x00000000
APDAKEYLO_EL1 = 0x00000000
CONTEXTIDR_EL1 = 0x00000000
CPUMERRSR_EL1 = 0x00000000
L2MERRSR_EL1 = 0x00000000
MAIR_EL1 = 0x00000000
AFSR0_EL1 = 0x00000000
AFSR1_EL1 = 0x00000000
CBAR_EL1 = 0x00000000
APGAKEYHI_EL1 = 0x00000000
MDCR_EL3 = 0x00000000
AMAIR0 = 0x00000000
FPCR = 0x00000000
ESR_EL1 = 0x00000000
CLIDR = 0x00000000
ID_PFR0 = 0x00000000
GMID_EL1 = 0x00000000
ID_MMFR0 = 0x00000000
LORSA_EL1 = 0x00000000
AIDR = 0x00000000
LOREA_EL1 = 0x00000000
TPIDRRO_EL0 = 0x00000000
LORN_EL1 = 0x00000000
IFSR32_EL2 = 0x00000000
ID_ISAR0 = 0x00000000
PMEVCNTR0_EL0 = 0x00000000
PMEVCNTR1_EL0 = 0x00000000
CTR_EL0 = 0x00000000
PMEVCNTR2_EL0 = 0x00000000
PMEVCNTR3_EL0 = 0x00000000
ID_MMFR4 = 0x00000000
MVFR0_EL1 = 0x00000000
FAR_EL1 = 0x00000000
MVFR2_EL1 = 0x00000000
MVFR4_EL1_RESERVED = 0x00000000
[0x00400720]> 

XVilka avatar Sep 18 '21 07:09 XVilka

@novafacing should be fixed, could you please retry with Cutter from the latest dev?

XVilka avatar Jun 08 '22 00:06 XVilka

Now the reason for the crash is gone, but a different problem appeared: once in remote debug mode, iVj shows the error ERROR: No binary object currently selected:

rizin -a arm -b 64 -d gdb://localhost:12345
[0x00400720]> iVj
ERROR: No binary object currently selected

which makes sense as a message, but obviously breaks Cutter's JSON parser, which doesn't expect this.

XVilka avatar Jun 21 '22 13:06 XVilka
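The failure mode in the last comment is a front end handing a command's raw output to a JSON parser without first checking for rizin's plain-text diagnostics. The following is an added Python illustration of the defensive split a front end needs (it is not Cutter's own code); the diagnostic prefixes and the sample inputs are modelled on the output quoted in this thread, and the JSON body is constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Optional

# Diagnostic prefixes seen in the rizin output quoted in this thread
# (assumed to be the full set for this illustration).
DIAGNOSTIC_PREFIXES = ("WARNING:", "Ignoring duplicated register definition")
ERROR_PREFIX = "ERROR:"

# Constructed samples (the JSON body is invented, not real iVj output).
SAMPLE_ERROR = "ERROR: No binary object currently selected\n"
SAMPLE_OK = (
    "WARNING: rz_file_exists: assertion '!RZ_STR_ISEMPTY(str)' failed (line 172)\n"
    "Ignoring duplicated register definition 'DBGWVR'\n"
    '{"arch": "arm", "bits": 64}\n'
)

@dataclass
class CommandResult:
    """Outcome of a JSON-emitting rizin command such as `iVj`."""
    data: Optional[Any] = None           # decoded JSON on success
    error: Optional[str] = None          # text of the ERROR: line, if any
    diagnostics: list[str] = field(default_factory=list)  # skipped warnings

def parse_json_command(output: str) -> CommandResult:
    # Feeding raw output to the JSON parser is what broke the front end in
    # this thread: stop on an ERROR: line, skip warnings, decode the rest.
    result = CommandResult()
    payload_lines = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith(ERROR_PREFIX):
            result.error = stripped[len(ERROR_PREFIX):].strip()
            return result                # command failed, nothing to decode
        if stripped.startswith(DIAGNOSTIC_PREFIXES):
            result.diagnostics.append(stripped)
            continue
        payload_lines.append(stripped)
    payload = "".join(payload_lines)
    if not payload:
        result.error = "empty response (no JSON payload)"
        return result
    try:
        result.data = json.loads(payload)
    except json.JSONDecodeError as exc:
        result.error = f"malformed JSON: {exc.msg} at offset {exc.pos}"
    return result
```

A caller that checks `result.error` before touching `result.data` degrades to a visible error message instead of a crash when a command is run with no binary object selected.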