From: k4lizen at proton dot me
To: gdb-prs@sourceware.org
Subject: [Bug breakpoints/31599] New: [gdb] setting breakpoint prevents value from being written to address via read
Date: Wed, 03 Apr 2024 04:58:53 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31599

            Bug ID: 31599
           Summary: [gdb] setting breakpoint prevents value from being written to address via read
           Product: gdb
           Version: 13.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: breakpoints
          Assignee: unassigned at sourceware dot org
          Reporter: k4lizen at proton dot me
  Target Milestone: ---

Created attachment 15449
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15449&action=edit
the executable used to reproduce

gdb version: GNU gdb (Debian 13.2-1) 13.2
OS: Linux kali 6.6.9-amd64

The binary I used to reproduce this is from a pwn challenge, so I don't have the source code. The binary is in the attachment. It is a 32-bit ELF file.

What the binary does is:
1. uses `prctl` to make it so the `execve` syscall can't be called
2. `read`s at most 200 bytes from stdin, into the address 0x0804a060. This address is in a `rw-` mapping on my machine, and has the symbol "shellcode"
3. calls the address (0x0804a060)
4. segfaults, probably because the mapping that's called isn't executable

The Problem:
When a breakpoint for 0x0804a060 is set (and enabled), the `read` call doesn't actually read the first byte of the input. This makes it so the byte at 0x0804a060 is null (0x00). If the breakpoint isn't created or is disabled, the `read` call properly puts the first byte of the input at 0x0804a060. The rest of the input is put in its proper place, regardless of the breakpoint.

In the example below, I will set a breakpoint at 0x08048582, which is the instruction right after the `read` call, and print the first byte of 0x0804a060. The behaviour is the same regardless of the breakpoint at 0x08048582, which can be checked by stepping through instruction-by-instruction.

==================== With the 0x0804a060 (shellcode) breakpoint set. ==

└─$ gdb orw
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from orw...
(No debugging symbols found in orw)
(gdb) break *0x08048582
Breakpoint 1 at 0x8048582
(gdb) break *0x0804a060
Breakpoint 2 at 0x804a060
(gdb) r
Starting program: /home/hacker/ctf/pwnabletw/orw/orw
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Give my your shellcode:AAAA

Breakpoint 1, 0x08048582 in main ()
(gdb) x/1bx 0x804a060
0x804a060 :	0x00
(gdb)

========= Without setting the 0x0804a060 (shellcode) breakpoint ===

└─$ gdb orw
[same gdb banner as above]
Reading symbols from orw...
(No debugging symbols found in orw)
(gdb) break *0x08048582
Breakpoint 1 at 0x8048582
(gdb) r
Starting program: /home/hacker/ctf/pwnabletw/orw/orw
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Give my your shellcode:AAAA

Breakpoint 1, 0x08048582 in main ()
(gdb) x/1bx 0x0804a060
0x804a060 :	0x41
(gdb)

===============

I can produce screenshots from Ghidra's decompilation if necessary.
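The reporter does not have the challenge source, so the following is an added reconstruction written for this page of the kind of binary the report describes, not the attached `orw` binary or any gdb project code. It performs the four steps listed in the report (block `execve`, `read` up to 200 bytes into a global `rw-` buffer with a symbol, call the buffer, fault on NX memory). The symbol name `shellcode`, the 200-byte limit and the use of a seccomp-bpf filter behind `prctl` are assumptions; the prompt string mirrors the one in the transcript. The reason this reconstruction is useful for reproducing the report is that a gdb software breakpoint on x86 is implemented by writing an `int3` (0xCC) over the first byte at the breakpoint address and keeping the original byte as "shadow contents"; when a breakpoint is planted on `shellcode` before the `read` returns, the `read` overwrites the 0xCC with input, and gdb later writes its saved original byte (0x00) back over the input. `byte_after_read` lets the plain `read`-into-buffer path be exercised with constructed input and without executing the buffer:

```c
/* Added example: reconstruction of the report's binary, not the original orw.
 * Build for a 32-bit, non-PIE layout like the report's with:
 *   gcc -m32 -no-pie -o orw_repro orw_repro.c   (multilib required; assumption)
 * A plain 64-bit build shows the same breakpoint behaviour. */
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define SHELLCODE_MAX 200   /* report: "at most 200 bytes" */

/* Global buffer with its own symbol, standing in for `shellcode` at 0x0804a060.
 * It lives in .bss, i.e. an rw- mapping, so the call in main() faults (step 4). */
unsigned char shellcode[SHELLCODE_MAX];

/* Step 1: forbid execve via seccomp-bpf. That the real binary's prctl use is a
 * seccomp filter is an assumption; any execve attempt here kills the process. */
int block_execve(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Step 2: a single read() of at most `max` bytes into `buf`.
 * Kept as its own function so the write into the buffer can be tested and
 * so `break *ADDR` / `hbreak *ADDR` can be set on the instruction after it. */
ssize_t read_shellcode(int fd, unsigned char *buf, size_t max)
{
    return read(fd, buf, max);
}

/* Feed constructed `input` through a pipe into `shellcode` exactly as main()
 * would from stdin, and return the byte at `idx` afterwards (or -1 on error).
 * Outside gdb, idx 0 holds input[0]; under a software breakpoint planted on
 * shellcode before the read, the report shows it holding 0x00 instead. */
int byte_after_read(const unsigned char *input, size_t len, size_t idx)
{
    int fds[2];
    if (len > SHELLCODE_MAX || idx >= SHELLCODE_MAX || pipe(fds) != 0)
        return -1;
    if (write(fds[1], input, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    memset(shellcode, 0, sizeof shellcode);
    ssize_t n = read_shellcode(fds[0], shellcode, sizeof shellcode);
    close(fds[0]);
    return n == (ssize_t)len ? shellcode[idx] : -1;
}

int main(void)
{
    if (block_execve() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("Give my your shellcode:");   /* prompt copied from the transcript */
    fflush(stdout);
    if (read_shellcode(STDIN_FILENO, shellcode, sizeof shellcode) <= 0)
        return 1;
    /* Step 3: jump to the freshly read bytes. With `break *ADDR` on this buffer
     * set before the read, the report's first input byte ends up as 0x00. */
    ((void (*)(void))shellcode)();
    return 0;   /* not reached: step 4, SIGSEGV on the non-executable mapping */
}
```

To reproduce the report with this build, get the buffer's address with `p &shellcode`, then `break *ADDR` before `run` and inspect with `x/1bx ADDR` once the inferior stops after the read. To inspect freshly written bytes at an address you also want to stop at, either set the breakpoint only after the `read` has returned, or use `hbreak *ADDR`, which uses the CPU debug registers and never patches target memory.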