breakpoints doesn't work on FreeBSD

[niekgg]

Environment

> date
Sat Apr 13 04:06:53 +04 2024

> r2 -v
radare2 5.9.1 31963 @ freebsd-x86-64
birth: git.5.9.0-64-gbaa82e13b8 2024-04-12__14:08:29
commit: baa82e13b8e17595fc8dd86eabb00e28efdecf02
options: gpl -O? cs:5 cl:2 make
  
> uname -ms
FreeBSD amd64

Description

I have been trying to debug a simple program on FreeBSD 14.0 amd64 platform and breakpoints doesn't work. it gets set but debugger doesn't stop at breakpoint and runs as if it wasn't set at all.

I have sysctl setting to give unprivileged process debugging capability

> sysctl -a security.bsd.unprivileged_proc_debug
security.bsd.unprivileged_proc_debug: 1

Test

> r2 simple_malloc 
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- How about a nice game of chess?
[0x00201780]> db main
[0x00201780]> db
0x00201820 - 0x00201821 1 --x sw break enabled valid cmd="" cond="" name="main" module=""
[0x00201780]> ood
INFO: File dbg:///usr/home/tgk/pwn_dev/pwn_jemalloc/bin/simple_malloc/5.3.0/simple_malloc reopened in read-write mode
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
49045
[0x2df15e891b70]> dc
INFO: child exited with status 0
INFO: ==> Process finished
[0x2df15e891b70]> 

[trufae]

Try disabling the hw breakpoints : e dbg.hwbp=false

[niekgg]

same result with hw breakpoints disabled

> r2 simple_malloc
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- Remember to maintain your ~/.radare_history
[0x00201780]> e dbg.hwbp=
true      false     
[0x00201780]> e dbg.hwbp=false
[0x00201780]> db main
[0x00201780]> db
0x00201820 - 0x00201821 1 --x sw break enabled valid cmd="" cond="" name="main" module=""
[0x00201780]> ood
INFO: File dbg:///usr/home/tgk/pwn_dev/pwn_jemalloc/bin/simple_malloc/5.3.0/simple_malloc reopened in read-write mode
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
29201
[0x42a0d75eb70]> db
0x00202820 - 0x00202821 1 --x sw break enabled valid cmd="" cond="" name="main" module=""
[0x42a0d75eb70]> dc
INFO: child exited with status 0
INFO: ==> Process finished
[0x42a0d75eb70]> 

[trufae]

uhm what about

r2 -d simple_malloc 
db main
dc

or just r2 -c 'dcu main' -d simple_malloc ? i think th eproblem is that doing ood doesnt re-set the breakpoints

[niekgg]

I have tried both

> r2 -d simple_malloc
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- Add colors to your screen with 'e scr.color=X' where 1 is 16 colors, 2 is 256 colors and 3 is 16M colors
[0x1dee67a3b70]> db main
[0x1dee67a3b70]> dc
INFO: child exited with status 0
INFO: ==> Process finished

> r2 -c 'dcu main' -d simple_malloc 
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
INFO: Continue until 0x00202820 using 1 bpsize
INFO: child exited with status 0
INFO: ==> Process finished

[niekgg]

Is there anything else I can do more ? sadly I'm not familiar with radare2 code to investigate into details

[trufae]

are you sure the entrypoint is detected properly? i have installed freebsd14 on arm64, and i can "repro" this issue, but what i get is basically that the bininfo is rebased with a wrong address, which results in entrypoint /main located in a wrong place. i can do the manual steps and breakpoints work . so i think the issue is related to rbin instead of rdebug.

s `dm~[0:0]`
ih~Entry 
s..52e60
dcu $$

you can also try setting breakpoints after running pd and defining an address near the current PC, to confirm the breakpoint works or not. but my feeling is that the "main" symbol that is resolving is incorrect. as it happens in fbsd-arm64

[niekgg]

I checked entrypoints with readelf and radare2 and executed until entry0

> readelf -h bin/simple_malloc/5.3.0/simple_malloc | grep Entry
  Entry point address:               0x201780

> r2 -d  bin/simple_malloc/5.3.0/simple_malloc
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
 -- This binary may contain traces of human
[0xd532932bb70]> ieee
[Constructors]
vaddr=0x002027f0 paddr=0x000007f0 hvaddr=0x00203968 hpaddr=0x00000968 type=init

1 entrypoints
[Entrypoints]
vaddr=0x00202780 paddr=0x00000780 haddr=0x00000018 hvaddr=0x00201018 type=program

1 entrypoints
[0xd532932bb70]> ih~Entry
0x00000018 0x00000018 0x00201780 EntryPoint
[0xd532932bb70]> dm
0x0000000000200000 - 0x0000000000201000 - usr     4K s --x /usr/home/tgk/pwn_dev/pwn_jemalloc/bin/simple_malloc/5.3.0/simple_malloc ? ; map._usr_home_tgk_pwn_dev_pwn_jemalloc_bin_simple_malloc_5.3.0_simple_malloc.__x
0x0000000000201000 - 0x0000000000202000 - usr     4K s r-x /usr/home/tgk/pwn_dev/pwn_jemalloc/bin/simple_malloc/5.3.0/simple_malloc ? ; map._usr_home_tgk_pwn_dev_pwn_jemalloc_bin_simple_malloc_5.3.0_simple_malloc.r_x
0x0000000000202000 - 0x0000000000203000 - usr     4K s -wx /usr/home/tgk/pwn_dev/pwn_jemalloc/bin/simple_malloc/5.3.0/simple_malloc ? ; map._usr_home_tgk_pwn_dev_pwn_jemalloc_bin_simple_malloc_5.3.0_simple_malloc._wx
0x0000000000203000 - 0x0000000000204000 - usr     4K s -wx  ? ; map._0203000._wx
0x000000080033f000 - 0x000000082031f000 - usr 511.9M s ---  ? ; map._0033f000.___
0x000000082031f000 - 0x000000082033f000 - usr   128K s -wx  ? ; map._2031f000._wx
0x0000000820adb000 - 0x0000000820adc000 - usr     4K s r-x  ? ; map._20adb000.r_x
0x00000d5329325000 - 0x00000d532932b000 - usr    24K s --x /libexec/ld-elf.so.1 ? ; map._libexec_ld_elf.so.1.__x
0x00000d532932b000 - 0x00000d5329342000 * usr    92K s r-x /libexec/ld-elf.so.1 ? ; map._libexec_ld_elf.so.1.r_x
0x00000d5329342000 - 0x00000d5329343000 - usr     4K s -wx /libexec/ld-elf.so.1 ?
0x00000d5329343000 - 0x00000d5329344000 - usr     4K s -wx /libexec/ld-elf.so.1 ? ; map._libexec_ld_elf.so.1._wx
0x00000d5329344000 - 0x00000d5329345000 - usr     4K s -wx  ? ; map.d5329344000._wx
0x00007ffffffff000 - 0x0000800000000000 - usr     4K s ---  ? ; map._ffffffff000.___
[0xd532932bb70]> dcu entry0
INFO: Continue until 0x00202780 using 1 bpsize
INFO: child exited with status 0
INFO: ==> Process finished

After this I ran debugger again and continued until call with dcc executed couple of instructions and stepped in crt1_s.S
and set breakpoint on randomly chosen address and continued using dc. breakpoint worked and execution stopped at given address but another dc resulted in bus error. so I guess your assumption about breakpoints working is correct

[trufae]

Use .dm* to get the map flags

[niekgg]

Sure I used commands you recommended. Anything else I can check ?

[trufae]

Aaaand fixed

[niekgg]

good work thanks :)