Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
debugging assistance
Posted by: Albino
Date: June 12, 2010 03:20PM

Anyone feel like squinting at some debugging info? :)

I've found a bug in Firefox that can be used to make it hang indefinitely, but I can't tell whether it is exploitable, since I'm a newbie to debugging. Here is my weak attempt at debugging it; does it look exploitable to you, or should I just pass it straight to Bugzilla?

^C
Program received signal SIGINT, Interrupt.
pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
162 62: movl (%rsp), %edi

(gdb) info threads
14 Thread 0x7f1fd87f2710 (LWP 8495) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
9 Thread 0x7f1fd39ff710 (LWP 8387) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
8 Thread 0x7f1fd49bf710 (LWP 8382) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
7 Thread 0x7f1fd53c0710 (LWP 8381) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
6 Thread 0x7f1fd5dc1710 (LWP 8380) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
4 Thread 0x7f1fdc1ff710 (LWP 8375) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:211
3 Thread 0x7f1fdd0e5710 (LWP 8374) pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:211
2 Thread 0x7f1fddcf0710 (LWP 8373) 0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>)
at ../sysdeps/unix/sysv/linux/poll.c:87
* 1 Thread 0x7f1fe61ae720 (LWP 8369) pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162

(gdb) thread 2
[Switching to thread 2 (Thread 0x7f1fddcf0710 (LWP 8373))]#0 0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>,
timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
87 int result = INLINE_SYSCALL (poll, 3, CHECK_N (fds, nfds), nfds, timeout);


(gdb) bt full
#0 0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>)
at ../sysdeps/unix/sysv/linux/poll.c:87
_a3 = 65535000
_a1 = 139774842042912
resultvar = <value optimized out>
_a2 = 3
resultvar = <value optimized out>
oldtype = 0
result = <value optimized out>

//stuff that's probably irrelevant


(gdb) bt
#0 0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>)
at ../sysdeps/unix/sysv/linux/poll.c:87
#1 0x000000353ea2573f in _pr_poll_with_poll (pds=0x7f1fdf5ce9c0, npds=<value optimized out>, timeout=<value optimized out>)
at ../../../mozilla/nsprpub/pr/src/pthreads/ptio.c:3915
#2 0x00000035412f8cc5 in nsSocketTransportService::Poll (this=<value optimized out>, wait=<value optimized out>, interval=0x7f1fddcefcbc)
at nsSocketTransportService2.cpp:355
#3 0x00000035412f917e in nsSocketTransportService::DoPollIteration (this=0x7f1fdf5ce000, wait=1) at nsSocketTransportService2.cpp:660
#4 0x00000035412f9390 in nsSocketTransportService::OnProcessNextEvent (this=0x7f1fdf5ce000, thread=0x7f1fe5f3b940, mayWait=<value optimized out>,
depth=<value optimized out>) at nsSocketTransportService2.cpp:539
#5 0x0000003541ac5b46 in nsThread::ProcessNextEvent (this=0x7f1fe5f3b940, mayWait=1, result=0x7f1fddcefd8c) at nsThread.cpp:508
#6 0x0000003541a993d1 in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=<value optimized out>) at nsThreadUtils.cpp:247
#7 0x00000035412f8ed4 in nsSocketTransportService::Run (this=0x7f1fdf5ce000) at nsSocketTransportService2.cpp:581
#8 0x0000003541ac5b9b in nsThread::ProcessNextEvent (this=0x7f1fe5f3b940, mayWait=1, result=0x7f1fddcefe4c) at nsThread.cpp:521
#9 0x0000003541a993d1 in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=<value optimized out>) at nsThreadUtils.cpp:247
#10 0x0000003541ac625f in nsThread::ThreadFunc (arg=0x7f1fe5f3b940) at nsThread.cpp:254
#11 0x000000353ea29853 in _pt_root (arg=0x7f1fe5f547b0) at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:228
#12 0x000000352f206a3a in start_thread (arg=0x7f1fddcf0710) at pthread_create.c:297
#13 0x000000352eade77d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#14 0x0000000000000000 in ?? ()

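As an added example (not part of Albino's post or Skyphire's reply), here is a small Python triage script that applies the check a practitioner would run on a trace like the one above: parse gdb's `info threads` output and classify every thread by the function in its top frame. In the posted trace each thread is parked in pthread_cond_wait, pthread_cond_timedwait or __poll, which is the deadlock/lost-wakeup pattern of a pure hang, as opposed to a thread executing ordinary code (a busy loop) or a SIGSEGV/SIGABRT, which is where memory-safety questions would start. The sample inputs are constructed (modeled on the output above; the `spin_in_parser` frame is made up for the second case), and the gdb command line in the docstring is the standard batch-mode invocation, assumed rather than taken from the post.

```python
"""Triage a hang from gdb's `info threads` output.

Added example, not code from the original post. Each thread is classified by
its top frame: parked in a blocking primitive (condition variable, poll,
futex, ...) versus executing code. If every thread is parked, the hang is a
deadlock or lost wakeup and the question becomes who holds the lock; if some
thread is in ordinary code, interrupting a few times and diffing backtraces
shows where it spins.

Produce the input with (assumed command line, standard gdb batch flags):
    gdb -p <PID> -batch -ex 'info threads' -ex 'thread apply all bt'
"""
import re
from collections import Counter

# Top-frame functions that mean "waiting for someone else", not "working".
BLOCKING = (
    "pthread_cond_wait", "pthread_cond_timedwait", "__poll", "poll",
    "__select", "select", "epoll_wait", "__libc_read", "read",
    "__lll_lock_wait", "futex_wait", "nanosleep", "sem_wait", "waitpid",
)

# One `info threads` row:
#   [*] <gdb-id> Thread 0x... (LWP nnnn) [0x... in] <func> (...) at file:line
_ROW = re.compile(
    r"^\s*(\*?)\s*(\d+)\s+Thread\s+(0x[0-9a-f]+)\s+\(LWP\s+(\d+)\)\s+"
    r"(?:0x[0-9a-f]+\s+in\s+)?([A-Za-z_][\w.@]*)"
)

# Constructed sample modeled on the trace in the post: every thread parked.
SAMPLE_DEADLOCKED = """\
  14 Thread 0x7f1fd87f2710 (LWP 8495)  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
  9 Thread 0x7f1fd39ff710 (LWP 8387)  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
  4 Thread 0x7f1fdc1ff710 (LWP 8375)  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:211
  2 Thread 0x7f1fddcf0710 (LWP 8373)  0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>)
    at ../sysdeps/unix/sysv/linux/poll.c:87
* 1 Thread 0x7f1fe61ae720 (LWP 8369)  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:162
"""

# Constructed contrast case: thread 2 is busy in a (made-up) function.
SAMPLE_BUSY = SAMPLE_DEADLOCKED.replace(
    "0x000000352ead5353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>)\n"
    "    at ../sysdeps/unix/sysv/linux/poll.c:87",
    "0x00007f1fe0001234 in spin_in_parser (buf=0x7f1fdf5ce9c0, len=65535) at parser.c:42",
)


def parse_info_threads(text):
    """Return one dict per thread from gdb `info threads` output."""
    threads = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # continuation lines such as "at ../sysdeps/.../poll.c:87"
        current, gid, addr, lwp, func = m.groups()
        func = func.split("@@")[0]  # drop symbol versions like @@GLIBC_2.3.2
        threads.append({"id": int(gid), "lwp": int(lwp), "addr": addr,
                        "func": func, "current": current == "*"})
    return threads


def is_blocking(func):
    """True if the top frame is a wait primitive rather than real work."""
    return func in BLOCKING


def triage(text):
    """Count parked vs. running threads and state what kind of hang this is."""
    threads = parse_info_threads(text)
    parked = [t for t in threads if is_blocking(t["func"])]
    running = [t for t in threads if not is_blocking(t["func"])]
    if threads and not running:
        verdict = "deadlock/lost-wakeup: every thread is parked; inspect lock owners"
    else:
        verdict = "busy hang: %s executing; re-interrupt and diff backtraces" % ", ".join(
            "LWP %d in %s" % (t["lwp"], t["func"]) for t in running)
    return {"total": len(threads), "parked": len(parked), "running": len(running),
            "by_func": Counter(t["func"] for t in threads), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("deadlocked", SAMPLE_DEADLOCKED), ("busy", SAMPLE_BUSY)):
        r = triage(sample)
        print("%s: %d threads, %d parked, %d running -> %s"
              % (name, r["total"], r["parked"], r["running"], r["verdict"]))
```

Running it against a real trace is `gdb -p <PID> -batch -ex 'info threads' > threads.txt` followed by `triage(open("threads.txt").read())`. The classification only looks at the top frame, so a thread blocked inside a lock acquired from a deep call chain still shows as parked; the full `thread apply all bt` output is what tells you which thread owns the lock the others are waiting on.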
Re: debugging assistance
Posted by: Skyphire
Date: June 18, 2010 07:03AM

Seems you tried to kill the script while it was busy (or idle), hence the SIGINT. You might want to try auto-debug; it attaches all APIs and hooks them for you, which is a lot easier to work with: http://www.autodebug.com/
