Fix coverities related to dmh

This commit is contained in:
n4☠0r 2016-09-15 19:11:15 +02:00 committed by radare
parent 1449d61850
commit 798959bd6f
2 changed files with 176 additions and 130 deletions

View File

@ -189,6 +189,10 @@ static bool r_resolve_main_arena_32(RCore *core, ut32 *m_arena, RHeap_MallocStat
RListIter *iter; RListIter *iter;
RDebugMap *map; RDebugMap *map;
if (!core || !core->dbg || !core->dbg->maps){
return false;
}
if (*m_arena == UT32_MAX) { if (*m_arena == UT32_MAX) {
const char *dir_dbg = "/usr/lib/debug"; const char *dir_dbg = "/usr/lib/debug";
const char *dir_build_id = "/.build-id"; const char *dir_build_id = "/.build-id";
@ -198,9 +202,6 @@ static bool r_resolve_main_arena_32(RCore *core, ut32 *m_arena, RHeap_MallocStat
bool is_debug_file[4]; bool is_debug_file[4];
ut32 libc_addr = UT32_MAX, vaddr = UT32_MAX; ut32 libc_addr = UT32_MAX, vaddr = UT32_MAX;
if (!core || !core->dbg || !core->dbg->maps){
return false;
}
r_debug_map_sync (core->dbg); r_debug_map_sync (core->dbg);
r_list_foreach (core->dbg->maps, iter, map) { r_list_foreach (core->dbg->maps, iter, map) {
if (strstr (map->name, "/libc-")) { if (strstr (map->name, "/libc-")) {
@ -269,11 +270,11 @@ arena:
} }
not_arena: not_arena:
eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n"); eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n");
free (path);
return false; return false;
} else { } else {
update_main_arena_32 (core, *m_arena, main_arena); update_main_arena_32 (core, *m_arena, main_arena);
} }
return true; return true;
} }
@ -344,6 +345,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M
next = cnk->fd; next = cnk->fd;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32));
@ -354,6 +356,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M
if (next != bin) { if (next != bin) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32));
@ -364,6 +367,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M
next = cnk->bk; next = cnk->bk;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32));
@ -371,7 +375,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M
PRINTF_GA ("->bk = 0x%"PFMT32x, cnk->bk); PRINTF_GA ("->bk = 0x%"PFMT32x, cnk->bk);
free (cnk); free (cnk);
return 1; return 0;
} }
static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_MallocState32 *main_arena, ut32 brk_start) { static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_MallocState32 *main_arena, ut32 brk_start) {
@ -382,7 +386,9 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma
RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL; RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL;
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32);
if (!cnk) { if (!cnk || !g) {
free (cnk);
free (g);
return -1; return -1;
} }
@ -396,6 +402,8 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma
next = cnk->bk; next = cnk->bk;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
free (g);
return -1; return -1;
} }
@ -414,26 +422,28 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma
free (cnk); free (cnk);
r_agraph_free (g); r_agraph_free (g);
return 0;
return 1;
} }
static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 num_bin, int graph) { static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 num_bin, int graph) {
int ret = 0;
ut32 brk_start = UT32_MAX, brk_end = UT32_MAX;
ut32 bin = main_arena->bins[num_bin];
if (!bin) {
return ret;
}
if (!core || !core->dbg || !core->dbg->maps) { if (!core || !core->dbg || !core->dbg->maps) {
return ret; return -1;
}
int ret = 0;
ut32 brk_start = UT32_MAX, brk_end = UT32_MAX;
if (num_bin < 0 || num_bin > 126) {
return -1;
}
ut32 bin = main_arena->bins[num_bin];
if (!bin) {
return -1;
} }
get_brks_32 (core, &brk_start, &brk_end); get_brks_32 (core, &brk_start, &brk_end);
if (brk_start == UT32_MAX || brk_end == UT32_MAX) { if (brk_start == UT32_MAX || brk_end == UT32_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
return ret; return -1;
} }
bin = m_arena + offset + SZ * num_bin * 2 - SZ * 2; bin = m_arena + offset + SZ * num_bin * 2 - SZ * 2;
@ -457,7 +467,6 @@ static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *ma
} }
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return ret; return ret;
} }
@ -496,27 +505,26 @@ static void print_heap_bin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *ma
} }
static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 bin_num) { static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 bin_num) {
if (!core || !core->dbg || !core->dbg->maps) {
return -1;
}
ut32 next = UT32_MAX, brk_start = UT32_MAX, brk_end = UT32_MAX; ut32 next = UT32_MAX, brk_start = UT32_MAX, brk_end = UT32_MAX;
ut32 bin = main_arena->fastbinsY[bin_num]; ut32 bin = main_arena->fastbinsY[bin_num];
if (!bin) { if (!bin) {
return 0; return -1;
} }
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32);
if (!cnk) { if (!cnk) {
return 0; return 0;
} }
if (!core || !core->dbg || !core->dbg->maps) {
return 0;
}
bin = m_arena + offset + SZ * bin_num; bin = m_arena + offset + SZ * bin_num;
r_core_read_at (core, bin, (ut8 *)&next, SZ); r_core_read_at (core, bin, (ut8 *)&next, SZ);
get_brks_32 (core, &brk_start, &brk_end); get_brks_32 (core, &brk_start, &brk_end);
if (brk_start == UT32_MAX || brk_end == UT32_MAX) { if (brk_start == UT32_MAX || brk_end == UT32_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
free (cnk);
return 0; return 0;
} }
@ -545,6 +553,7 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai
PRINTF_RA (" 0x%"PFMT32x, next); PRINTF_RA (" 0x%"PFMT32x, next);
PRINT_RA (" Linked list corrupted\n"); PRINT_RA (" Linked list corrupted\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
free (cnk);
return -1; return -1;
} }
@ -553,6 +562,7 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai
PRINTF_RA ("0x%"PFMT32x, next); PRINTF_RA ("0x%"PFMT32x, next);
PRINT_RA (" Double free detected\n"); PRINT_RA (" Double free detected\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
free (cnk);
return -1; return -1;
} }
} }
@ -561,11 +571,13 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai
PRINTF_RA ("0x%"PFMT32x, next); PRINTF_RA ("0x%"PFMT32x, next);
PRINT_RA (" Linked list corrupted\n"); PRINT_RA (" Linked list corrupted\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return 1; free (cnk);
return -1;
} }
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return -1; free (cnk);
return 0;
} }
void print_heap_fastbin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena, const char *input) { void print_heap_fastbin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena, const char *input) {
@ -600,24 +612,24 @@ void print_heap_fastbin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *main_
} }
static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state, ut32 m_state) { static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state, ut32 m_state) {
int w, h;
ut32 top_size = UT32_MAX;
if (!core || !core->dbg || !core->dbg->maps) { if (!core || !core->dbg || !core->dbg->maps) {
return; return;
} }
int w, h;
ut32 top_size = UT32_MAX;
w = r_cons_get_size (&h); w = r_cons_get_size (&h);
RConsCanvas *can = r_cons_canvas_new (w, h); RConsCanvas *can = r_cons_canvas_new (w, h);
can->color = r_config_get_i (core->config, "scr.color"); can->color = r_config_get_i (core->config, "scr.color");
RAGraph *g = r_agraph_new (can); RAGraph *g = r_agraph_new (can);
RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; RANode *top = {0}, *chunk_node = {0}, *prev_node = {0};
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32), RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32),*prev_c = R_NEW0 (RHeapChunk32);
*prev_c = R_NEW0 (RHeapChunk32);
if (!cnk || !prev_c) { if (!cnk || !prev_c || !g || !can) {
free (cnk); free (cnk);
free (prev_c); free (prev_c);
free (can);
free (g);
return; return;
} }
@ -640,7 +652,7 @@ static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state,
r_core_read_at (core, next_chunk_ref, (ut8 *)prev_c, sizeof (RHeapChunk32)); r_core_read_at (core, next_chunk_ref, (ut8 *)prev_c, sizeof (RHeapChunk32));
node_title = r_str_newf (" Malloc chunk @ 0x%"PFMT32x" ", prev_chunk_ref); node_title = r_str_newf (" Malloc chunk @ 0x%"PFMT32x" ", prev_chunk_ref);
size_tmp = (prev_c->size >> 3) << 3; size_tmp = (prev_c->size >> 3) << 3;
if (top_size != UT64_MAX && (size_tmp > top_size || next_chunk_ref + size_tmp > malloc_state->top)) { if (size_tmp > top_size || next_chunk_ref + size_tmp > malloc_state->top) {
node_data = r_str_newf ("[corrupted] size: 0x%x\n fd: 0x%"PFMT32x", bk: 0x%"PFMT64x"\nHeap graph could not be recovered\n", prev_c->size, prev_c->fd, prev_c->bk) ; node_data = r_str_newf ("[corrupted] size: 0x%x\n fd: 0x%"PFMT32x", bk: 0x%"PFMT64x"\nHeap graph could not be recovered\n", prev_c->size, prev_c->fd, prev_c->bk) ;
r_agraph_add_node (g, node_title, node_data); r_agraph_add_node (g, node_title, node_data);
if (first_node) first_node = false; if (first_node) first_node = false;
@ -665,14 +677,19 @@ static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state,
free (node_title); free (node_title);
} }
r_agraph_print (g); r_agraph_print (g);
free (g);
free (cnk); free (cnk);
free (can);
free (prev_c); free (prev_c);
free (top_data); free (top_data);
free (top_title); free (top_title);
} }
static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) { static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) {
if (!core || !core->dbg || !core->dbg->maps) {
return;
}
int w, h; int w, h;
ut32 top_size = UT32_MAX; ut32 top_size = UT32_MAX;
w = r_cons_get_size (&h); w = r_cons_get_size (&h);
@ -683,6 +700,10 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32), *prev_c = R_NEW0 (RHeapChunk32); RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32), *prev_c = R_NEW0 (RHeapChunk32);
if (!cnk || !prev_c) { if (!cnk || !prev_c) {
free (can);
free (cnk);
free (prev_c);
free (g);
return; return;
} }
@ -693,14 +714,15 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut
r_agraph_set_title (g, "Heap Layout"); r_agraph_set_title (g, "Heap Layout");
top_title = r_str_newf ("Top chunk @ 0x%"PFMT32x"\n", main_arena->top); top_title = r_str_newf ("Top chunk @ 0x%"PFMT32x"\n", main_arena->top);
if (!core || !core->dbg || !core->dbg->maps) {
return;
}
get_brks_32 (core, &brk_start, &brk_end); get_brks_32 (core, &brk_start, &brk_end);
*initial_brk = (brk_start >> 12) << 12; *initial_brk = (brk_start >> 12) << 12;
if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) { if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
free (can);
free (cnk);
free (prev_c);
free (g);
free (top_title);
return; return;
} }
@ -738,39 +760,42 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut
free (node_title); free (node_title);
} }
r_agraph_print (g); r_agraph_print (g);
free (cnk); free (cnk);
free (g);
free (can);
free (prev_c); free (prev_c);
free (top_data); free (top_data);
free (top_title); free (top_title);
} }
static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) { static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) {
if (!core || !core->dbg || !core->dbg->maps){
return;
}
ut32 brk_start = UT32_MAX, brk_end = UT32_MAX, size_tmp, top_size = UT32_MAX; ut32 brk_start = UT32_MAX, brk_end = UT32_MAX, size_tmp, top_size = UT32_MAX;
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32);
if (!cnk) { if (!cnk) {
return; return;
} }
if (!core || !core->dbg || !core->dbg->maps){
return;
}
get_brks_32 (core, &brk_start, &brk_end); get_brks_32 (core, &brk_start, &brk_end);
*initial_brk = (brk_start >> 12) << 12; *initial_brk = (brk_start >> 12) << 12;
if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) { if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
free (cnk);
return; return;
} }
ut32 next_chunk = *initial_brk, prev_chunk = next_chunk; ut32 next_chunk = *initial_brk, prev_chunk = next_chunk;
top_size = main_arena->top - brk_start; top_size = main_arena->top - brk_start;
bool list_corrupted = false;
while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) { while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) {
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32));
size_tmp = (cnk->size >> 3) << 3; size_tmp = (cnk->size >> 3) << 3;
if (top_size != UT32_MAX && (size_tmp > top_size || next_chunk + size_tmp > main_arena->top)) { if (size_tmp > top_size || next_chunk + size_tmp > main_arena->top) {
PRINT_YA ("\n Malloc chunk @ "); PRINT_YA ("\n Malloc chunk @ ");
PRINTF_BA ("0x%"PFMT32x" ", next_chunk); PRINTF_BA ("0x%"PFMT32x" ", next_chunk);
PRINT_RA ("[corrupted]\n"); PRINT_RA ("[corrupted]\n");
@ -801,11 +826,6 @@ static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, u
} }
} }
} }
if (list_corrupted) {
break;
}
next_chunk += size_tmp; next_chunk += size_tmp;
prev_chunk = next_chunk; prev_chunk = next_chunk;
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32));
@ -832,16 +852,18 @@ static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, u
} }
static void print_heap_mmaped32(RCore *core, ut32 malloc_state) { static void print_heap_mmaped32(RCore *core, ut32 malloc_state) {
if (!core || !core->dbg || !core->dbg->maps){
return;
}
ut32 mmap_start = UT32_MAX, mmap_end = UT32_MAX, size_tmp; ut32 mmap_start = UT32_MAX, mmap_end = UT32_MAX, size_tmp;
ut32 top_size = UT32_MAX; ut32 top_size = UT32_MAX;
RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32);
RHeap_MallocState32 *ms = R_NEW0 (RHeap_MallocState32); RHeap_MallocState32 *ms = R_NEW0 (RHeap_MallocState32);
if (!cnk) { if (!cnk || !ms) {
return; free (cnk);
} free (ms);
if (!core || !core->dbg || !core->dbg->maps){
return; return;
} }
@ -849,13 +871,11 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) {
r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32)); r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32));
mmap_end = ms->top; mmap_end = ms->top;
ut32 next_chunk = mmap_start, prev_chunk = next_chunk; ut32 next_chunk = mmap_start, prev_chunk = next_chunk;
r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32)); r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32));
r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk32));
top_size = (cnk->size >> 3) << 3; top_size = (cnk->size >> 3) << 3;
bool list_corrupted = false;
while (next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) { while (next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) {
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32));
size_tmp = (cnk->size >> 3) << 3; size_tmp = (cnk->size >> 3) << 3;
@ -890,14 +910,10 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) {
} }
} }
} }
if (list_corrupted) {
break;
}
next_chunk += size_tmp; next_chunk += size_tmp;
prev_chunk = next_chunk; prev_chunk = next_chunk;
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32));
if (is_free) { if (is_free) {
PRINT_GA ("[free]"); PRINT_GA ("[free]");
} else { } else {
@ -924,10 +940,17 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) {
void print_malloc_states32 ( RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena) { void print_malloc_states32 ( RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena) {
RHeap_MallocState32 *ta = R_NEW0 (RHeap_MallocState32); RHeap_MallocState32 *ta = R_NEW0 (RHeap_MallocState32);
if (!ta) {
return;
}
PRINT_YA ("main_arena @ "); PRINT_YA ("main_arena @ ");
PRINTF_BA ("0x%"PFMT32x"\n", m_arena); PRINTF_BA ("0x%"PFMT32x"\n", m_arena);
if (main_arena->next == m_arena) return; if (main_arena->next == m_arena) {
free (ta);
return;
}
else { else {
ta->next = main_arena->next; ta->next = main_arena->next;
while (ta->next != UT32_MAX && ta->next != m_arena) { while (ta->next != UT32_MAX && ta->next != m_arena) {
@ -1059,7 +1082,8 @@ static int cmd_dbg_map_heap_glibc_32(RCore *core, const char *input) {
RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32); RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32);
r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32)); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32));
print_heap_bin_32 (core, m_state, malloc_state, bin); print_heap_bin_32 (core, m_state, malloc_state, bin);
free(malloc_state); free (malloc_state);
free (dup);
} }
} }
break; break;
@ -1082,7 +1106,8 @@ static int cmd_dbg_map_heap_glibc_32(RCore *core, const char *input) {
RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32); RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32);
r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32)); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32));
print_heap_fastbin_32 (core, m_state, malloc_state, bin); print_heap_fastbin_32 (core, m_state, malloc_state, bin);
free(malloc_state); free (malloc_state);
free (dup);
} }
} }
break; break;

View File

@ -270,11 +270,11 @@ arena:
} }
not_arena: not_arena:
eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n"); eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n");
free (path);
return false; return false;
} else { } else {
update_main_arena_64 (core, *m_arena, main_arena); update_main_arena_64 (core, *m_arena, main_arena);
} }
return true; return true;
} }
@ -316,7 +316,7 @@ static void print_heap_chunk_64(RCore *core) {
PRINT_GA (",\n}\n"); PRINT_GA (",\n}\n");
ut64 size = ((cnk->size >> 3) << 3) - SZ * 2; ut64 size = ((cnk->size >> 3) << 3) - SZ * 2;
if (size > SZ * 128) { if (size > (ut64)SZ * 128) {
PRINT_GA ("chunk too big to be displayed\n"); PRINT_GA ("chunk too big to be displayed\n");
size = SZ * 128; size = SZ * 128;
} }
@ -345,6 +345,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M
next = cnk->fd; next = cnk->fd;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -355,6 +356,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M
if (next != bin) { if (next != bin) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -365,6 +367,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M
next = cnk->bk; next = cnk->bk;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (cnk);
return -1; return -1;
} }
r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -372,7 +375,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M
PRINTF_GA ("->bk = 0x%"PFMT64x, cnk->bk); PRINTF_GA ("->bk = 0x%"PFMT64x, cnk->bk);
free (cnk); free (cnk);
return 1; return 0;
} }
static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_MallocState64 *main_arena, ut64 brk_start) { static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_MallocState64 *main_arena, ut64 brk_start) {
@ -383,7 +386,9 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma
RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL; RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL;
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64);
if (!cnk) { if (!cnk || !g) {
free (cnk);
free (g);
return -1; return -1;
} }
@ -397,6 +402,8 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma
next = cnk->bk; next = cnk->bk;
if (next < brk_start || next > main_arena->top) { if (next < brk_start || next > main_arena->top) {
PRINT_RA ("Double linked list corrupted\n"); PRINT_RA ("Double linked list corrupted\n");
free (g);
free (cnk);
return -1; return -1;
} }
@ -412,32 +419,34 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma
r_agraph_add_edge (g, prev_node, bin_node); r_agraph_add_edge (g, prev_node, bin_node);
r_agraph_add_edge (g, bin_node, prev_node); r_agraph_add_edge (g, bin_node, prev_node);
r_agraph_print (g); r_agraph_print (g);
free (cnk); free (cnk);
r_agraph_free (g); r_agraph_free (g);
return 0;
return 1;
} }
static int print_double_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 num_bin, int graph) { static int print_double_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 num_bin, int graph) {
int ret = 0; if (!core || !core->dbg || !core->dbg->maps) {
ut64 brk_start = UT64_MAX, brk_end = UT64_MAX; return -1;
ut64 bin = main_arena->bins[num_bin];
if (!bin) {
return ret;
} }
if (!core || !core->dbg || !core->dbg->maps) { int ret = 0;
return ret; ut64 brk_start = UT64_MAX, brk_end = UT64_MAX;
if (num_bin > 126 || num_bin < 0) {
return;
}
ut64 bin = main_arena->bins[num_bin];
if (!bin) {
return -1;
} }
get_brks_64 (core, &brk_start, &brk_end); get_brks_64 (core, &brk_start, &brk_end);
if (brk_start == UT64_MAX || brk_end == UT64_MAX) { if (brk_start == UT64_MAX || brk_end == UT64_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
return ret; return -1;
} }
bin = m_arena + offset + SZ * num_bin * 2 - SZ * 2; bin = m_arena + offset + SZ * num_bin * 2 - (unsigned long long)SZ * 2;
switch (num_bin) { switch (num_bin) {
case 0: case 0:
@ -458,7 +467,6 @@ static int print_double_linked_list_bin_64(RCore *core, RHeap_MallocState64 *ma
} }
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return ret; return ret;
} }
@ -497,28 +505,30 @@ static void print_heap_bin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 *ma
} }
static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 bin_num) { static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 bin_num) {
if (!core || !core->dbg || !core->dbg->maps) {
return 0;
}
ut64 next = UT64_MAX, brk_start = UT64_MAX, brk_end = UT64_MAX; ut64 next = UT64_MAX, brk_start = UT64_MAX, brk_end = UT64_MAX;
ut64 bin = main_arena->fastbinsY[bin_num]; ut64 bin = main_arena->fastbinsY[bin_num];
if (!bin) { if (!bin) {
return 0; return 0;
} }
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64);
if (!cnk) { if (!cnk) {
return 0; return 0;
} }
if (!core || !core->dbg || !core->dbg->maps) {
return 0;
}
bin = m_arena + offset + SZ * bin_num; bin = m_arena + offset + SZ * bin_num;
r_core_read_at (core, bin, (ut8 *)&next, SZ); r_core_read_at (core, bin, (ut8 *)&next, SZ);
get_brks_64 (core, &brk_start, &brk_end); get_brks_64 (core, &brk_start, &brk_end);
if (brk_start == UT64_MAX || brk_end == UT64_MAX) { if (brk_start == UT64_MAX || brk_end == UT64_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
return 0; free (cnk);
return -1;
} }
PRINTF_GA (" fastbin %d @ ", bin_num + 1); PRINTF_GA (" fastbin %d @ ", bin_num + 1);
@ -546,6 +556,7 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai
PRINTF_RA (" 0x%"PFMT64x, next); PRINTF_RA (" 0x%"PFMT64x, next);
PRINT_RA (" Linked list corrupted\n"); PRINT_RA (" Linked list corrupted\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
free (cnk);
return -1; return -1;
} }
@ -554,6 +565,7 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai
PRINTF_RA ("0x%"PFMT64x, next); PRINTF_RA ("0x%"PFMT64x, next);
PRINT_RA (" Double free detected\n"); PRINT_RA (" Double free detected\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
free (cnk);
return -1; return -1;
} }
} }
@ -562,11 +574,13 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai
PRINTF_RA ("0x%"PFMT64x, next); PRINTF_RA ("0x%"PFMT64x, next);
PRINT_RA (" Linked list corrupted\n"); PRINT_RA (" Linked list corrupted\n");
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return 1; free (cnk);
return -1;
} }
PRINT_GA ("\n }\n"); PRINT_GA ("\n }\n");
return -1; free (cnk);
return 0;
} }
static void print_heap_fastbin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena, const char *input) { static void print_heap_fastbin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena, const char *input) {
@ -601,13 +615,12 @@ static void print_heap_fastbin_64(RCore *core, ut64 m_arena, RHeap_MallocState64
} }
static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state, ut64 m_state) { static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state, ut64 m_state) {
int w, h;
ut64 top_size = UT64_MAX;
if (!core || !core->dbg || !core->dbg->maps) { if (!core || !core->dbg || !core->dbg->maps) {
return; return;
} }
int w, h;
ut64 top_size = UT64_MAX;
w = r_cons_get_size (&h); w = r_cons_get_size (&h);
RConsCanvas *can = r_cons_canvas_new (w, h); RConsCanvas *can = r_cons_canvas_new (w, h);
can->color = r_config_get_i (core->config, "scr.color"); can->color = r_config_get_i (core->config, "scr.color");
@ -615,9 +628,11 @@ static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state,
RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; RANode *top = {0}, *chunk_node = {0}, *prev_node = {0};
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64);
if (!cnk || !prev_c) { if (!cnk || !prev_c || !can || !g) {
free (cnk); free (cnk);
free (prev_c); free (prev_c);
free (can);
free (g);
return; return;
} }
@ -665,14 +680,19 @@ static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state,
free (node_title); free (node_title);
} }
r_agraph_print (g); r_agraph_print (g);
free (g);
free (cnk); free (cnk);
free (can);
free (prev_c); free (prev_c);
free (top_data); free (top_data);
free (top_title); free (top_title);
} }
static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) { static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) {
if (!core || !core->dbg || !core->dbg->maps) {
return;
}
int w, h; int w, h;
ut64 top_size = UT64_MAX; ut64 top_size = UT64_MAX;
w = r_cons_get_size (&h); w = r_cons_get_size (&h);
@ -682,7 +702,11 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut
RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; RANode *top = {0}, *chunk_node = {0}, *prev_node = {0};
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64);
if (!cnk || !prev_c) { if (!cnk || !prev_c || !can || !g) {
free (cnk);
free (prev_c);
free (can);
free (g);
return; return;
} }
@ -693,14 +717,15 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut
r_agraph_set_title (g, "Heap Layout"); r_agraph_set_title (g, "Heap Layout");
top_title = r_str_newf ("Top chunk @ 0x%"PFMT64x"\n", main_arena->top); top_title = r_str_newf ("Top chunk @ 0x%"PFMT64x"\n", main_arena->top);
if (!core || !core->dbg || !core->dbg->maps) {
return;
}
get_brks_64 (core, &brk_start, &brk_end); get_brks_64 (core, &brk_start, &brk_end);
*initial_brk = (brk_start >> 12) << 12; *initial_brk = (brk_start >> 12) << 12;
if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) { if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
free (cnk);
free (prev_c);
free (can);
free (g);
free (top_title);
return; return;
} }
@ -738,35 +763,36 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut
free (node_title); free (node_title);
} }
r_agraph_print (g); r_agraph_print (g);
free (g);
free (cnk); free (cnk);
free (can);
free (prev_c); free (prev_c);
free (top_data); free (top_data);
free (top_title); free (top_title);
} }
static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) { static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) {
ut64 brk_start = UT64_MAX, brk_end = UT64_MAX, size_tmp; if (!core || !core->dbg || !core->dbg->maps){
return;
}
ut64 brk_start = UT64_MAX, brk_end = UT64_MAX, size_tmp;
ut64 top_size = UT64_MAX; ut64 top_size = UT64_MAX;
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64);
if (!cnk) { if (!cnk) {
return; return;
} }
if (!core || !core->dbg || !core->dbg->maps){
return;
}
get_brks_64 (core, &brk_start, &brk_end); get_brks_64 (core, &brk_start, &brk_end);
*initial_brk = (brk_start >> 12) << 12; *initial_brk = (brk_start >> 12) << 12;
if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) {
if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) {
eprintf ("No Heap section\n"); eprintf ("No Heap section\n");
free (cnk);
return; return;
} }
ut64 next_chunk = *initial_brk, prev_chunk = next_chunk; ut64 next_chunk = *initial_brk, prev_chunk = next_chunk;
top_size = main_arena->top - brk_start; top_size = main_arena->top - brk_start;
bool list_corrupted = false;
while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) { while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) {
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64));
size_tmp = (cnk->size >> 3) << 3; size_tmp = (cnk->size >> 3) << 3;
@ -779,8 +805,8 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u
} }
PRINT_YA ("\n Malloc chunk @ "); PRINT_YA ("\n Malloc chunk @ ");
PRINTF_BA ("0x%"PFMT64x" ", prev_chunk); PRINTF_BA ("0x%"PFMT64x" ", prev_chunk);
bool is_free = false; bool is_free = false;
ut64 double_free = UT64_MAX; ut64 double_free = UT64_MAX;
if (size_tmp >= SZ * 4 && size_tmp <= SZ * 24) { if (size_tmp >= SZ * 4 && size_tmp <= SZ * 24) {
int i = (size_tmp / (SZ * 2)) - 2; int i = (size_tmp / (SZ * 2)) - 2;
@ -801,11 +827,6 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u
} }
} }
} }
if (list_corrupted) {
break;
}
next_chunk += size_tmp; next_chunk += size_tmp;
prev_chunk = next_chunk; prev_chunk = next_chunk;
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -832,12 +853,11 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u
} }
static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { static void print_heap_mmaped64(RCore *core, ut64 malloc_state) {
ut64 mmap_start = UT64_MAX, mmap_end = UT64_MAX, size_tmp;
ut64 top_size = UT64_MAX;
if (!core || !core->dbg || !core->dbg->maps){ if (!core || !core->dbg || !core->dbg->maps){
return; return;
} }
ut64 mmap_start = UT64_MAX, mmap_end = UT64_MAX, size_tmp;
ut64 top_size = UT64_MAX;
RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64);
if (!cnk) { if (!cnk) {
@ -854,7 +874,6 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) {
r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk64));
top_size = (cnk->size >> 3) << 3; top_size = (cnk->size >> 3) << 3;
bool list_corrupted = false;
while ( next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) { while ( next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) {
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -872,7 +891,7 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) {
bool is_free = false; bool is_free = false;
ut64 double_free = UT64_MAX; ut64 double_free = UT64_MAX;
if (size_tmp >= SZ * 4 && size_tmp <= SZ * 24) { if (size_tmp >= (ut64)SZ * 4 && size_tmp <= SZ * 24) {
int i = (size_tmp / (SZ * 2)) - 2; int i = (size_tmp / (SZ * 2)) - 2;
ut64 next = ms->fastbinsY[i]; ut64 next = ms->fastbinsY[i];
double_free = next; double_free = next;
@ -892,10 +911,6 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) {
} }
} }
if (list_corrupted) {
break;
}
next_chunk += size_tmp; next_chunk += size_tmp;
prev_chunk = next_chunk; prev_chunk = next_chunk;
r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64));
@ -925,10 +940,14 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) {
void print_malloc_states64( RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena) { void print_malloc_states64( RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena) {
RHeap_MallocState64 *ta = R_NEW0 (RHeap_MallocState64); RHeap_MallocState64 *ta = R_NEW0 (RHeap_MallocState64);
if (!ta) {
return;
}
PRINT_YA ("main_arena @ "); PRINT_YA ("main_arena @ ");
PRINTF_BA ("0x%"PFMT64x"\n", m_arena); PRINTF_BA ("0x%"PFMT64x"\n", m_arena);
if (main_arena->next == m_arena) { if (main_arena->next == m_arena) {
free (ta);
return; return;
} }
ta->next = main_arena->next; ta->next = main_arena->next;
@ -1062,6 +1081,7 @@ static int cmd_dbg_map_heap_glibc_64(RCore *core, const char *input) {
r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64)); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64));
print_heap_bin_64 (core, m_state, malloc_state, bin); print_heap_bin_64 (core, m_state, malloc_state, bin);
free (malloc_state); free (malloc_state);
free (dup);
} }
} }
break; break;
@ -1085,6 +1105,7 @@ static int cmd_dbg_map_heap_glibc_64(RCore *core, const char *input) {
r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64)); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64));
print_heap_fastbin_64 (core, m_state, malloc_state, bin); print_heap_fastbin_64 (core, m_state, malloc_state, bin);
free (malloc_state); free (malloc_state);
free (dup);
} }
} }
break; break;