Mailing Lists: Apple Mailing Lists


Re: Problems with gdb not catching breakpoints in shared .dynlib



Eric Albert wrote:
On Nov 3, 2004, at 10:04 PM, Greg Earle wrote:

(Not sure if this is the best/right place to ask ... but I'm trying
to port an app written for Linux, so ... )

It's a perfectly fine place to ask this as far as I'm concerned.

Hi Eric,

Thanks for responding.

(I had to remove the "-O2" from CFLAGS to prevent a crash.)

I couldn't reproduce that crash. Are you just running it as './sshblaster2 sship.txt'?

Yep. When "-O2" is in CFLAGS, it dies in strlen():

----------------------------------------------------------------------
Host Name:      workmac.my.do.main
Date/Time:      2004-11-03 23:12:02 -0800
OS Version:     10.3.5 (Build 7M34)
Report Version: 2

Command: sshblaster2
Path:    ./sshblaster2
Version: ??? (???)
PID:     10604
Thread:  0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x682d7573

Thread 0 Crashed:
0   libSystem.B.dylib 	0x90006e70 strlen + 0x50
1   libssh.dylib      	0x3a0047d4 string_from_char + 0x18 (string.c:41)
2   libssh.dylib      	0x3a007b3c ssh_userauth_password + 0x90 (auth.c:227)
3   sshblaster2       	0x000023d0 checkauth + 0x160
4   sshblaster2       	0x0000260c main + 0x154
5   sshblaster2       	0x00001c08 _start + 0x188 (crt.c:267)
6   dyld              	0x8fe1a558 _dyld_start + 0x64
----------------------------------------------------------------------

My libSystem.B is:

-r-xr-xr-x  1 root  wheel  1546396  7 Jun 14:16 /usr/lib/libSystem.B.dylib*

A stack backtrace in gdb says:

(gdb) bt
#0 0x90006e70 in strlen ()
#1 0x3a0047d4 in string_from_char (what=0x682d7573 <Address 0x682d7573 out of bounds>) at string.c:41
#2 0x3a007b3c in ssh_userauth_password (session=0x2802200, username=0x500200 "test", password=0x682d7573 <Address 0x682d7573 out of bounds>) at auth.c:227
#3 0x00002470 in checkauth ()
#4 0x00002698 in main ()
#5 0x00001ca8 in _start (argc=2, argv=0xbffff7f0, envp=0xbffff7fc) at /SourceCache/Csu/Csu-47/crt.c:267
#6 0x8fe1a558 in __dyld__dyld_start ()


(The "what" values passed to strlen() are supposed to be things like
 "diffie-hellman-group1-sha1", "hmac-sha1", "ssh-rsa", "aes128-cbc", etc.)

If I run it and tell it to

break string.c:41
commands 1
> print what
> cont
> end

I get:

----------------------------------------------------------------------
[...]
Breakpoint 1, string_from_char (what=0x300630 "SSH-2.0-OpenSSH_3.9p1") at string.c:41
41 int len=strlen(what);
$21 = 0x300630 "SSH-2.0-OpenSSH_3.9p1"


Breakpoint 1, string_from_char (what=0x3a00e3c4 "ssh-userauth") at string.c:41
41              int len=strlen(what);
$22 = 0x3a00e3c4 "ssh-userauth"

Breakpoint 1, string_from_char (what=0x300200 "test") at string.c:41
41              int len=strlen(what);
$23 = 0x300200 "test"

Breakpoint 1, string_from_char (what=0x3a00e4c0 "ssh-connection") at string.c:41
41              int len=strlen(what);
$24 = 0x3a00e4c0 "ssh-connection"

Breakpoint 1, string_from_char (what=0x3a00e4dc "password") at string.c:41
41              int len=strlen(what);
$25 = 0x3a00e4dc "password"

Breakpoint 1, string_from_char (what=0x682d7573 <Address 0x682d7573 out of bounds>) at string.c:41
41 int len=strlen(what);
$26 = 0x682d7573 <Address 0x682d7573 out of bounds>


Program received signal EXC_BAD_ACCESS, Could not access memory.
----------------------------------------------------------------------

Without the "-O2", it gets past "ssh-userauth" but does something
else instead of using "test":

----------------------------------------------------------------------
[...]
Breakpoint 1, string_from_char (what=0x300630 "SSH-2.0-OpenSSH_3.9p1") at string.c:41
41 int len=strlen(what);
$12 = 0x300630 "SSH-2.0-OpenSSH_3.9p1"


Breakpoint 1, string_from_char (what=0x3a0136ac "ssh-userauth") at string.c:41
41              int len=strlen(what);
$13 = 0x3a0136ac "ssh-userauth"

Breakpoint 1, string_from_char (what=0x3a012784 "Bye Bye") at string.c:41
41              int len=strlen(what);
$14 = 0x3a012784 "Bye Bye"
----------------------------------------------------------------------

When I run the program, it dies in a module in the library:

I couldn't reproduce this crash, either, even with a sship.txt file of 'localhost root:22'.

I think you have to use an IP address, i.e. 127.0.0.1 instead of a FQHN.

The program didn't exit normally, and gdb didn't stop at the breakpoint!
It crashed!

That's because it's forking. When a program forks, gdb continues to debug the parent process, but it doesn't debug the child. You can work around this in a number of ways. Here are a few options (there are others, too):


1) Remove the fork. I think this case will work without forking.
2) In the child, add something like
static volatile int foo = 0;  /* volatile: otherwise at -O2 the compiler may hoist the load and never see gdb's store */
while (foo == 0) { }
Run the app, then attach to the child with gdb, type 'p foo = 1', and continue to be debugging the child.

Great, thanks. I can comment out the fork() and it still runs - and, most importantly, now I can get gdb to stop at the breakpoint (but it also still crashes, after the 3rd successful cycle through):

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x3a002270 in ssh_cleanup (session=0x1802200) at client.c:211
211 printf("session->client_kex.methods[%d] == %s\n", i, session->client_kex.methods[i]);
(gdb) print *session
$2 = {
[...]
client_kex = {
cookie = '\0' <repeats 15 times>,
methods = 0x0
},


Not sure why methods[0] is a NULL pointer instead of the expected
string "diffie-hellman-group1-sha1" (especially since the two
string arrays, "default_methods" and "supported_methods", are both
properly NULL-terminated), but that's a battle for another day.  :)

(What's weird is that this same code must surely run fine
on Linux, seeing as how we're seeing an average of 1-3 of these
Script Kiddie SSH brute-force scans/attacks a day around here.)

Thanks,

	- Greg
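The "spin in the child until a debugger attaches" workaround Eric describes, written out as a complete program. This is an added example, not code from the thread or from sshblaster2/libssh; it assumes a POSIX system (fork, waitpid, clock_gettime, nanosleep) and that you attach with `gdb -p <child pid>` and flip the flag with `p debugger_attached = 1`. The two things the one-liner in the thread leaves implicit are made explicit here: the flag is `volatile` so an optimising build keeps re-reading it, and the wait is bounded by a timeout so a forgotten gate cannot hang the program in production.

```c
/* Added example: gate a forked child on a debugger attaching.
 * Assumes POSIX; gdb is attached by hand and sets debugger_attached = 1. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Flag the debugger flips. volatile so the compiler re-reads it each
 * iteration (at -O2 a plain int load would be hoisted out of the loop and
 * gdb's store never observed); sig_atomic_t so the store is seen whole. */
volatile sig_atomic_t debugger_attached = 0;

static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Poll until the debugger sets debugger_attached or timeout_ms elapses.
 * Returns 1 if the flag was set, 0 on timeout. */
int wait_for_debugger(unsigned timeout_ms) {
    double deadline = now_seconds() + (double)timeout_ms / 1000.0;
    struct timespec nap = { 0, 5 * 1000 * 1000 };  /* 5 ms between polls */
    while (debugger_attached == 0) {
        if (now_seconds() >= deadline)
            return 0;
        nanosleep(&nap, NULL);
    }
    return 1;
}

/* Stand-in for the per-host work (checkauth() in the thread): it only
 * checks that a target was supplied. Returns 1 on success, 0 on failure. */
static int child_work(const char *target) {
    return target != NULL && target[0] != '\0';
}

/* Fork, gate the child on the debugger, run the work, and hand the child's
 * exit status back to the parent. Exit codes: 0 = work done with a debugger
 * attached, 2 = work done but nobody attached in time, 1 = work failed,
 * -1 = fork or waitpid failed. */
int run_gated_child(const char *target, unsigned timeout_ms) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fprintf(stderr, "child %ld waiting: gdb -p %ld, then 'p debugger_attached = 1'\n",
                (long)getpid(), (long)getpid());
        int attached = wait_for_debugger(timeout_ms);
        int ok = child_work(target);
        _exit(!ok ? 1 : (attached ? 0 : 2));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Stand-alone run: five seconds to attach to the child before it proceeds. */
    int rc = run_gated_child("127.0.0.1", 5000);
    printf("child finished with code %d\n", rc);
    return rc;
}
```

Build with `cc -O2 -o gate gate.c`, run it, and attach to the printed PID from a second terminal; `p debugger_attached = 1` then `continue` lets the child run under gdb. Breakpoints you set in libssh from that second gdb session will now be hit, because gdb is debugging the process that actually calls into the library.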
_______________________________________________
Unix-porting mailing list (email@hidden)
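A triage note on the fault address in the crash report above, with an added helper (not code from the thread or from libssh). The faulting value 0x682d7573 is four printable ASCII bytes, "h-us" when read in the byte order of the PowerPC machine in the report, and "h-us" is a substring of "ssh-userauth", the string string_from_char() was handed at the breakpoint hit just before the one that died. A pointer whose bytes are all text is a strong sign that string data was copied over a pointer (an overflow or a mis-sized struct, which an -O2 layout change can expose), rather than an uninitialised or NULL pointer; the thread does not confirm the root cause, so treat that as the hypothesis to test next. The helper below decodes an address both ways, classifies it, and points at which of the strings seen at the breakpoint contains the decoded bytes.

```c
/* Added example: decode a faulting address as ASCII to spot text that
 * overwrote a pointer. Inputs below are taken from the crash report and
 * breakpoint output in the thread; everything else is illustrative. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fault_kind {
    FAULT_NULL_PAGE,        /* below 0x1000: NULL or small-offset dereference */
    FAULT_ASCII_OVERWRITE,  /* every byte printable: text overwrote a pointer */
    FAULT_OTHER             /* anything else: wild, freed or misaligned pointer */
};

/* Render the four bytes of a 32-bit fault address into out[5] in the given
 * byte order (big_endian=1 for PowerPC as in the report, 0 for x86).
 * Non-printable bytes become '.'. Returns 1 if all four were printable. */
int fault_addr_as_ascii(uint32_t addr, int big_endian, char out[5]) {
    int all_printable = 1;
    for (int i = 0; i < 4; i++) {
        int shift = big_endian ? 8 * (3 - i) : 8 * i;
        unsigned char b = (unsigned char)((addr >> shift) & 0xffu);
        if (isprint(b)) {
            out[i] = (char)b;
        } else {
            out[i] = '.';
            all_printable = 0;
        }
    }
    out[4] = '\0';
    return all_printable;
}

enum fault_kind classify_fault(uint32_t addr, int big_endian) {
    char text[5];
    if (addr < 0x1000u)
        return FAULT_NULL_PAGE;
    if (fault_addr_as_ascii(addr, big_endian, text))
        return FAULT_ASCII_OVERWRITE;
    return FAULT_OTHER;
}

/* Which candidate string contains the decoded text? Returns the index of the
 * first match or -1. Finding the source string tells you which buffer was
 * copied over the pointer. */
int locate_in_strings(const char *needle, const char *const *haystacks, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strstr(haystacks[i], needle) != NULL)
            return (int)i;
    return -1;
}

int main(void) {
    /* Constructed input: the fault address from the report and the strings
     * string_from_char() was fed at the breakpoints before the crash. */
    const uint32_t fault = 0x682d7573u;
    const char *const seen[] = { "SSH-2.0-OpenSSH_3.9p1", "ssh-userauth", "test",
                                 "ssh-connection", "password" };
    char text[5];
    fault_addr_as_ascii(fault, 1, text);
    printf("0x%08x as big-endian ASCII: \"%s\"\n", fault, text);
    int idx = locate_in_strings(text, seen, sizeof seen / sizeof seen[0]);
    if (classify_fault(fault, 1) == FAULT_ASCII_OVERWRITE && idx >= 0)
        printf("looks like bytes of \"%s\" overwrote the pointer\n", seen[idx]);
    return 0;
}
```

The same check is worth running on any EXC_BAD_ACCESS or SIGSEGV address before reaching for the debugger: a text-looking address sends you to the copy that wrote the string, a near-zero one to a missing NULL check, and anything else to use-after-free or misaligned-struct suspects.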
References: 
 >Problems with gdb not catching breakpoints in shared .dynlib (From: Greg Earle <email@hidden>)
 >Re: Problems with gdb not catching breakpoints in shared .dynlib (From: Eric Albert <email@hidden>)
Copyright © 2007 Apple Inc. All rights reserved.