Double free with aa on Oreo #1699

Closed
jvoisin opened this issue Nov 18, 2014 · 2 comments
Comments

jvoisin (Contributor) commented Nov 18, 2014

This is what I've got on this binary:

jvoisin@kaa 17:51 ~/download/OREO gdb r2
Reading symbols from r2...done.
gdb-peda$ r ./oreo_35f118d90a7790bbd1eb6d4549993ef0
Starting program: /usr/local/bin/r2 ./oreo_35f118d90a7790bbd1eb6d4549993ef0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 -- How about a nice game of chess?
[0x08048500]> aa
*** Error in `/usr/local/bin/r2': double free or corruption (out): 0x0000000000781810 ***

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5a (b'Z')
RCX: 0xffffffffffffffff 
RDX: 0x6 (b'\x06')
RSI: 0x5350 (b'PS')
RDI: 0x5350 (b'PS')
RBP: 0x7fffffff9cb0 --> 0x7ffff40f7b70 ("double free or corruption (out)")
RSP: 0x7fffffff9918 --> 0x7ffff3fae418 (<__GI_abort+328>:   mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff3facd27 (<__GI_raise+55>:   cmp    rax,0xfffffffffffff000)
R8 : 0x3031383138373030 (b'00781810')
R9 : 0x0 
R10: 0x8 (b'\x08')
R11: 0x206 (b'\x06\x02')
R12: 0x7fffffff9ac0 --> 0xffffffffffffffff 
R13: 0x7 (b'\x07')
R14: 0x5a (b'Z')
R15: 0x7 (b'\x07')
[-------------------------------------code-------------------------------------]
   0x7ffff3facd1d <__GI_raise+45>:  movsxd rdi,ecx
   0x7ffff3facd20 <__GI_raise+48>:  mov    eax,0xea
   0x7ffff3facd25 <__GI_raise+53>:  syscall 
=> 0x7ffff3facd27 <__GI_raise+55>:  cmp    rax,0xfffffffffffff000
   0x7ffff3facd2d <__GI_raise+61>:  ja     0x7ffff3facd4d <__GI_raise+93>
   0x7ffff3facd2f <__GI_raise+63>:  repz ret 
   0x7ffff3facd31 <__GI_raise+65>:  nop    DWORD PTR [rax+0x0]
   0x7ffff3facd38 <__GI_raise+72>:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9918 --> 0x7ffff3fae418 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffff9920 (" ")
0016| 0x7fffffff9928 ("")
0024| 0x7fffffff9930 ("")
0032| 0x7fffffff9938 ("")
0040| 0x7fffffff9940 ("")
0048| 0x7fffffff9948 ("")
0056| 0x7fffffff9950 ("")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff3fae418 in __GI_abort () at abort.c:89
#2  0x00007ffff3fee9f4 in __libc_message (do_abort=do_abort@entry=0x1, 
    fmt=fmt@entry=0x7ffff40f7a40 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff3ff6006 in malloc_printerr (ptr=<optimized out>, str=0x7ffff40f7b70 "double free or corruption (out)", action=0x1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5  0x00007ffff67dd551 in cs_close (handle=0x7fffffff9dc0) at cs.c:241
#6  0x00007ffff67b4a05 in analop (a=0x680ef0, op=0x7fffffff9ef0, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000) at /home/jvoisin/dev/r2/radare2/libr/..//libr/anal/p/anal_x86_cs.c:329
#7  0x00007ffff67c41a6 in r_anal_op (anal=0x680ef0, op=0x7fffffff9ef0, addr=0x8048896, data=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000) at op.c:46
#8  0x00007ffff67c6228 in fcn_recurse (anal=0x680ef0, fcn=0x77bc70, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000, depth=0x10) at fcn.c:254
#9  0x00007ffff67c6fa3 in r_anal_fcn (anal=0x680ef0, fcn=0x77bc70, addr=0x8048896, buf=0x780800 "U\211\345\203\354He\241\024", 
    len=0x1000, reftype=0x0) at fcn.c:498
#10 0x00007ffff7b88278 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048896, from=0x80487b4, reftype=0x0, depth=0x5) at anal.c:779
#11 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048810, from=0x80487b4, reftype=0x0, depth=0x6) at anal.c:908
#12 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80487b4, from=0x80487b4, reftype=0x0, depth=0x7) at anal.c:908
#13 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804879b, from=0x804875c, reftype=0x63, depth=0x8) at anal.c:954
#14 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048729, from=0x8048644, reftype=0x0, depth=0x9) at anal.c:892
#15 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048644, from=0x8048644, reftype=0x0, depth=0xa) at anal.c:908
#16 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x80485ec, from=0x8048598, reftype=0x0, depth=0xb) at anal.c:954
#17 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80485be, from=0x8048598, reftype=0x0, depth=0xc) at anal.c:908
#18 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048598, from=0x8048598, reftype=0x0, depth=0xd) at anal.c:908
#19 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804855b, from=0x804855b, reftype=0x0, depth=0xe) at anal.c:954
#20 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x8048522, from=0xffffffffffffffff, reftype=0x0, depth=0xf)
    at anal.c:954
#21 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048500, from=0xffffffffffffffff, reftype=0x0, depth=0x10)
    at anal.c:908
#22 0x00007ffff7b8b08b in r_core_anal_all (core=0x607600 <r>) at anal.c:1523
#23 0x00007ffff7b4478a in cmd_anal (data=0x607600 <r>, input=0x74d161 "a") at cmd_anal.c:1870
#24 0x00007ffff7b83f50 in r_cmd_call (cmd=0x6a9ea0, input=0x74d160 "aa") at cmd_api.c:179
#25 0x00007ffff7b624f5 in r_core_cmd_subst_i (core=0x607600 <r>, cmd=0x74d160 "aa") at cmd.c:1366
#26 0x00007ffff7b60954 in r_core_cmd_subst (core=0x607600 <r>, cmd=0x74d160 "aa") at cmd.c:919
#27 0x00007ffff7b631d7 in r_core_cmd (core=0x607600 <r>, cstr=0x74f7e0 "aa", log=0x1) at cmd.c:1572
#28 0x00007ffff7b29257 in r_core_prompt_exec (r=0x607600 <r>) at core.c:941
#29 0x0000000000405282 in main (argc=0x2, argv=0x7fffffffe3c8, envp=0x7fffffffe3e0) at radare2.c:737
#30 0x00007ffff3f97ec5 in __libc_start_main (main=0x403148 <main>, argc=0x2, argv=0x7fffffffe3c8, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3b8) at libc-start.c:287
#31 0x0000000000402a79 in _start ()
gdb-peda$ 
radare (Collaborator) commented Nov 18, 2014

I guess it's a bug in the capstone plugin. Can you verify with x86.udis? Also, a valgrind log may help to identify the issue better.

Can you try to construct a smaller test case? Should be easy to fix anyway... like using RFREE instead of free, for example. I will look at it when at home.

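The fix radare suggests above (release through a macro that also nulls the pointer, so a later close of the same handle becomes a no-op instead of a second free) as an added C example; this is not radare2 or capstone code. DisasmHandle, SAFE_FREE and the function names are constructed stand-ins for the plugin's capstone handle and radare2's RFREE idiom.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a disassembler handle such as the one cs_close() releases. */
typedef struct {
    char name[16];
    size_t opcount;
} DisasmHandle;

/* Free-and-null idiom, modelled on the RFREE macro mentioned in the thread (assumption). */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Bug pattern: frees the object but leaves the caller's pointer dangling.
 * If a teardown path calls this again on the same pointer, glibc reports
 * "double free or corruption" and aborts, as in the trace above. */
static void handle_close_dangling(DisasmHandle *h) {
    free(h);
}

/* Hardened close: takes the address of the pointer, frees it at most once,
 * nulls it, and reports whether anything was actually released. */
static bool handle_close(DisasmHandle **hp) {
    if (hp == NULL || *hp == NULL)
        return false;            /* already closed (or never opened): no-op */
    SAFE_FREE(*hp);
    return true;
}

static DisasmHandle *handle_open(const char *arch) {
    DisasmHandle *h = calloc(1, sizeof *h);
    if (h)
        strncpy(h->name, arch, sizeof h->name - 1);
    return h;
}

/* Open, close, then close again: returns true only if the second close was a no-op. */
static bool close_twice_is_safe(void) {
    DisasmHandle *h = handle_open("x86");
    if (!h) return false;
    bool first = handle_close(&h);
    bool second = handle_close(&h);
    return first && !second && h == NULL;
}

/* Simulated analysis loop: every op opens and closes a handle, then the
 * teardown closes once more. Returns the number of real releases. */
static int run_analysis_loop(int ops) {
    DisasmHandle *h = NULL;
    int released = 0;
    for (int i = 0; i < ops; i++) {
        h = handle_open("x86");
        if (!h) return -1;
        h->opcount++;
        if (handle_close(&h)) released++;
    }
    if (handle_close(&h)) released++;   /* extra teardown close: harmless here */
    return released;
}

int main(void) {
    handle_close_dangling(handle_open("x86"));   /* a single free is fine; twice is not */
    printf("%d handles released, second close safe: %d\n",
           run_analysis_loop(3), close_twice_is_safe());
    return 0;
}
```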

jvoisin (Contributor, Author) commented Nov 18, 2014

[0x08048500]> e asm.arch = x86.udis
[0x08048500]> aa
*** Error in `/usr/local/bin/r2': double free or corruption (out): 0x000000000078f180 ***

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5a (b'Z')
RCX: 0xffffffffffffffff 
RDX: 0x6 (b'\x06')
RSI: 0x6272 (b'rb')
RDI: 0x6272 (b'rb')
RBP: 0x7fffffff5720 --> 0x7ffff40f7b70 ("double free or corruption (out)")
RSP: 0x7fffffff5388 --> 0x7ffff3fae418 (<__GI_abort+328>:   mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff3facd27 (<__GI_raise+55>:   cmp    rax,0xfffffffffffff000)
R8 : 0x3038316638373030 (b'0078f180')
R9 : 0x0 
R10: 0x8 (b'\x08')
R11: 0x206 (b'\x06\x02')
R12: 0x7fffffff5530 --> 0x7fffffff5600 --> 0x7ffff40f7a50 ("': %s: 0x%s ***\n")
R13: 0x7 (b'\x07')
R14: 0x5a (b'Z')
R15: 0x7 (b'\x07')
[-------------------------------------code-------------------------------------]
   0x7ffff3facd1d <__GI_raise+45>:  movsxd rdi,ecx
   0x7ffff3facd20 <__GI_raise+48>:  mov    eax,0xea
   0x7ffff3facd25 <__GI_raise+53>:  syscall 
=> 0x7ffff3facd27 <__GI_raise+55>:  cmp    rax,0xfffffffffffff000
   0x7ffff3facd2d <__GI_raise+61>:  ja     0x7ffff3facd4d <__GI_raise+93>
   0x7ffff3facd2f <__GI_raise+63>:  repz ret 
   0x7ffff3facd31 <__GI_raise+65>:  nop    DWORD PTR [rax+0x0]
   0x7ffff3facd38 <__GI_raise+72>:  test   ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff5388 --> 0x7ffff3fae418 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffff5390 (" ")
0016| 0x7fffffff5398 ("")
0024| 0x7fffffff53a0 ("")
0032| 0x7fffffff53a8 ("")
0040| 0x7fffffff53b0 ("")
0048| 0x7fffffff53b8 ("")
0056| 0x7fffffff53c0 ("")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff3facd27 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff3fae418 in __GI_abort () at abort.c:89
#2  0x00007ffff3fee9f4 in __libc_message (do_abort=do_abort@entry=0x1, 
    fmt=fmt@entry=0x7ffff40f7a40 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff3ff6006 in malloc_printerr (ptr=<optimized out>, str=0x7ffff40f7b70 "double free or corruption (out)", action=0x1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#5  0x00007ffff4fdfcb8 in sdb_set_internal () from /usr/local/lib/libr_db.so.0.9.9-git
#6  0x00007ffff4fdfe7c in sdb_set_owned () from /usr/local/lib/libr_db.so.0.9.9-git
#7  0x00007ffff4fd2a06 in sdb_array_insert () from /usr/local/lib/libr_db.so.0.9.9-git
#8  0x00007ffff4fd2cc9 in sdb_array_set () from /usr/local/lib/libr_db.so.0.9.9-git
#9  0x00007ffff4fd2bd2 in sdb_array_add () from /usr/local/lib/libr_db.so.0.9.9-git
#10 0x00007ffff4fd2b5f in sdb_array_add_num () from /usr/local/lib/libr_db.so.0.9.9-git
#11 0x00007ffff67c5cbc in r_anal_fcn_xref_add (a=0x680ef0, fcn=0x73dd20, at=0x80488fd, addr=0x8048904, type=0x63) at fcn.c:118
#12 0x00007ffff67c6ab3 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488f0, buf=0x7fffffff7db0 "\213EЋU\364e3\025\024", 
    len=0x1fa0, depth=0xe) at fcn.c:423
#13 0x00007ffff67c6bb4 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488a9, 
    buf=0x7fffffff9f20 "\220\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1fa0, depth=0xf)
    at fcn.c:429
#14 0x00007ffff67c6b47 in fcn_recurse (anal=0x680ef0, fcn=0x73dd20, addr=0x80488aa, 
    buf=0x789e30 "\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1000, depth=0x10) at fcn.c:428
#15 0x00007ffff67c6fa3 in r_anal_fcn (anal=0x680ef0, fcn=0x73dd20, addr=0x80488aa, 
    buf=0x789e30 "\307\004$o\214\004\b\350\252\373\377\377\241\200\242\004\b\211D$\b\307D$\004 ", len=0x1000, reftype=0x63)
    at fcn.c:498
#16 0x00007ffff7b88278 in r_core_anal_fcn (core=0x607600 <r>, at=0x80488aa, from=0x80488a7, reftype=0x63, depth=0x4) at anal.c:779
#17 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048896, from=0x80487b4, reftype=0x0, depth=0x5) at anal.c:892
#18 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048810, from=0x80487b4, reftype=0x0, depth=0x6) at anal.c:908
#19 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80487b4, from=0x80487b4, reftype=0x0, depth=0x7) at anal.c:908
#20 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804879b, from=0x804875c, reftype=0x63, depth=0x8) at anal.c:954
#21 0x00007ffff7b887c0 in r_core_anal_fcn (core=0x607600 <r>, at=0x8048729, from=0x8048644, reftype=0x0, depth=0x9) at anal.c:892
#22 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048644, from=0x8048644, reftype=0x0, depth=0xa) at anal.c:908
#23 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x80485ec, from=0x8048598, reftype=0x0, depth=0xb) at anal.c:954
#24 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x80485be, from=0x8048598, reftype=0x0, depth=0xc) at anal.c:908
#25 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048598, from=0x8048598, reftype=0x0, depth=0xd) at anal.c:908
#26 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x804855b, from=0x804855b, reftype=0x0, depth=0xe) at anal.c:954
#27 0x00007ffff7b88b1c in r_core_anal_fcn (core=0x607600 <r>, at=0x8048522, from=0xffffffffffffffff, reftype=0x0, depth=0xf)
    at anal.c:954
#28 0x00007ffff7b8887e in r_core_anal_fcn (core=0x607600 <r>, at=0x8048500, from=0xffffffffffffffff, reftype=0x0, depth=0x10)
    at anal.c:908
#29 0x00007ffff7b8b08b in r_core_anal_all (core=0x607600 <r>) at anal.c:1523
#30 0x00007ffff7b4478a in cmd_anal (data=0x607600 <r>, input=0x6c2461 "a") at cmd_anal.c:1870
#31 0x00007ffff7b83f50 in r_cmd_call (cmd=0x6a9ea0, input=0x6c2460 "aa") at cmd_api.c:179
#32 0x00007ffff7b624f5 in r_core_cmd_subst_i (core=0x607600 <r>, cmd=0x6c2460 "aa") at cmd.c:1366
#33 0x00007ffff7b60954 in r_core_cmd_subst (core=0x607600 <r>, cmd=0x6c2460 "aa") at cmd.c:919
#34 0x00007ffff7b631d7 in r_core_cmd (core=0x607600 <r>, cstr=0x74f7e0 "aa", log=0x1) at cmd.c:1572
#35 0x00007ffff7b29257 in r_core_prompt_exec (r=0x607600 <r>) at core.c:941
#36 0x0000000000405282 in main (argc=0x2, argv=0x7fffffffe3c8, envp=0x7fffffffe3e0) at radare2.c:737
#37 0x00007ffff3f97ec5 in __libc_start_main (main=0x403148 <main>, argc=0x2, argv=0x7fffffffe3c8, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3b8) at libc-start.c:287
#38 0x0000000000402a79 in _start ()
gdb-peda$ 

fu

radare closed this as completed in 1f685fc Nov 18, 2014