Issue | 157368
Summary | lldb bug: segmentation fault when running linux x86_64 file on M4 mac
Labels | new issue
Assignees |
Reporter | theKnightsOfRohan
# Overview
I was doing some binary reverse engineering challenges and tried to open and run some linux x86_64 binaries in lldb so I could step through them. lldb opened them fine, but when I tried to run them, **lldb** segfaulted, even though the programs should have run fine.
Since this is a reverse engineering challenge, I don't have access to the source code, but I can post the Ghidra decomp. They are written in C.
# Versions:
OS Version: `macOS 15.6.1 24G90 arm64`
Shell: `zsh 5.9`
# Files I tried to run:
[File 1](https://ctf.sigpwny.com/challenges#Vault/Crackme%200-715)
File type:
```
❯ file crackme_0
crackme_0: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=c97195d085866180550e43c79059fb552bbb054f, for GNU/Linux 3.2.0, not stripped
```
Decomped Code:
```c
undefined8 main(void) {
    undefined8 uVar1;
    long in_FS_OFFSET;
    uint local_6c;
    long local_68;
    long local_60;
    ulong local_58;
    ulong local_50;
    ulong local_48;
    long local_10;
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    printf("Enter the first secret number: ");
    __isoc99_scanf(&DAT_00102028,&local_6c);
    local_58 = (ulong)local_6c;
    if (local_58 == 2233720368) {
        printf("Enter the second secret number: ");
        __isoc99_scanf(&DAT_00102028,&local_6c);
        local_50 = (ulong)local_6c;
        local_68 = local_50 - 696969;
        if (local_68 == 2557891634) {
            printf("Enter the third secret number: ");
            __isoc99_scanf(&DAT_00102028,&local_6c);
            local_48 = (ulong)local_6c;
            local_60 = local_48 * 31 + 333333;
            if (local_60 == 16839916028) {
                printf("Congrats! The flag is: sigpwny{my_lucky_numbers_are_%llu_%llu_%llu}\n",local_48,
                       local_50,local_58);
                uVar1 = 0;
            }
            else {
                puts("Wrong number!");
                uVar1 = 1;
            }
        }
        else {
            puts("Wrong number!");
            uVar1 = 1;
        }
    }
    else {
        puts("Wrong number!");
        uVar1 = 1;
    }
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        /* WARNING: Subroutine does not return */
        __stack_chk_fail();
    }
    return uVar1;
}
```
[File 2](https://ctf.sigpwny.com/challenges#Vault/Crackme%200.5-818)
```
❯ file crackme_0_5
crackme_0_5: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b637fdcedfcb0de7d0bc8b76353910f98b7df8a2, for GNU/Linux 3.2.0, not stripped
```
Decomped Code:
```c
undefined8 main(void) {
    long in_FS_OFFSET;
    int local_14;
    long local_10;
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    local_14 = 0;
    printf("Enter the secret number: ");
    __isoc99_scanf(&DAT_00102022,&local_14);
    if (local_14 == 0xcc07c9) {
        printf("Congrats! The flag is: %s{hax0r_%d}\n","sigpwny",0xcc07c9);
    }
    else {
        puts("Wrong number!");
    }
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        /* WARNING: Subroutine does not return */
        __stack_chk_fail();
    }
    return 0;
}
```
# Steps to reproduce:
1. Download the files from the website
2. Open them with `lldb file`
3. Run the file with either `process launch` or `run`
4. Observe segfault with below error message.
```
❯ lldb crackme_0
(lldb) target create "crackme_0"
Current executable set to '/Users/rohanseth/Documents/GitHub/challenges/crackme_0' (x86_64).
(lldb) run
LLDB diagnostics will be written to /var/folders/q_/8ks_crds7ql8gmgj09fkm_5h0000gp/T/diagnostics-36017c
Please include the directory content when filing a bug report
PLEASE submit a bug report to https://developer.apple.com/bug-reporting/ and include the crash backtrace.
Stack dump:
0. Program arguments: /Library/Developer/CommandLineTools/usr/bin/lldb crackme_0
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0 lldb 0x0000000102e5f68c llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) + 56
1 lldb 0x0000000102e5e010 llvm::sys::RunSignalHandlers() + 112
2 lldb 0x0000000102e5ffa8 SignalHandler(int) + 292
3 libsystem_platform.dylib 0x000000018b77d6a4 _sigtramp + 56
4 LLDB 0x00000001169d6250 lldb_private::PostMortemProcess::PostMortemProcess(std::__1::shared_ptr<lldb_private::Target>, std::__1::shared_ptr<lldb_private::Listener>, lldb_private::FileSpec const&) + 92
5 LLDB 0x00000001169d6154 lldb_private::ProcessTrace::ProcessTrace(std::__1::shared_ptr<lldb_private::Target>, std::__1::shared_ptr<lldb_private::Listener>, lldb_private::FileSpec const&) + 84
6 LLDB 0x00000001169d6de8 void std::__1::allocator<lldb_private::ProcessTrace>::construct[abi:nn180100]<lldb_private::ProcessTrace, std::__1::shared_ptr<lldb_private::Target>&, std::__1::shared_ptr<lldb_private::Listener>&, lldb_private::FileSpec const&>(lldb_private::ProcessTrace*, std::__1::shared_ptr<lldb_private::Target>&, std::__1::shared_ptr<lldb_private::Listener>&, lldb_private::FileSpec const&) + 84
7 LLDB 0x00000001169d6cbc std::__1::shared_ptr<lldb_private::ProcessTrace> std::__1::allocate_shared[abi:nn180100]<lldb_private::ProcessTrace, std::__1::allocator<lldb_private::ProcessTrace>, std::__1::shared_ptr<lldb_private::Target>&, std::__1::shared_ptr<lldb_private::Listener>&, lldb_private::FileSpec const&, void>(std::__1::allocator<lldb_private::ProcessTrace> const&, std::__1::shared_ptr<lldb_private::Target>&, std::__1::shared_ptr<lldb_private::Listener>&, lldb_private::FileSpec const&) + 112
8 LLDB 0x00000001169d60e0 lldb_private::ProcessTrace::CreateInstance(std::__1::shared_ptr<lldb_private::Target>, std::__1::shared_ptr<lldb_private::Listener>, lldb_private::FileSpec const*, bool) + 60
9 LLDB 0x00000001169be8ac lldb_private::Process::FindPlugin(std::__1::shared_ptr<lldb_private::Target>, llvm::StringRef, std::__1::shared_ptr<lldb_private::Listener>, lldb_private::FileSpec const*, bool) + 464
10 LLDB 0x00000001169feed0 lldb_private::Target::CreateProcess(std::__1::shared_ptr<lldb_private::Listener>, llvm::StringRef, lldb_private::FileSpec const*, bool) + 148
11 LLDB 0x0000000116a0e72c lldb_private::Target::Launch(lldb_private::ProcessLaunchInfo&, lldb_private::Stream*) + 772
12 LLDB 0x0000000116f5e860 CommandObjectProcessLaunch::DoExecute(lldb_private::Args&, lldb_private::CommandReturnObject&) + 1020
13 LLDB 0x000000011692edec lldb_private::CommandObjectParsed::Execute(char const*, lldb_private::CommandReturnObject&) + 672
14 LLDB 0x0000000116925d8c lldb_private::CommandInterpreter::HandleCommand(char const*, lldb_private::LazyBool, lldb_private::CommandReturnObject&, bool) + 2536
15 LLDB 0x000000011692957c lldb_private::CommandInterpreter::IOHandlerInputComplete(lldb_private::IOHandler&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) + 828
16 LLDB 0x000000011685bab0 lldb_private::IOHandlerEditline::Run() + 304
17 LLDB 0x000000011683dcc0 lldb_private::Debugger::RunIOHandlers() + 140
18 LLDB 0x000000011692a854 lldb_private::CommandInterpreter::RunCommandInterpreter(lldb_private::CommandInterpreterRunOptions&) + 196
19 LLDB 0x00000001166a7888 lldb::SBDebugger::RunCommandInterpreter(bool, bool) + 124
20 lldb 0x0000000102e48f68 Driver::MainLoop() + 2868
21 lldb 0x0000000102e499dc main + 2060
22 dyld 0x000000018b3a2b98 start + 6076
zsh: segmentation fault lldb crackme_0
```
The content of the diagnostics folder specified at the beginning of the error message was a single diagnostics.log file, which is empty.
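As an added pre-flight check (example code, not part of the report or of lldb), this parses the ELF header fields that `file` printed above and says whether the host can launch the binary natively. An arm64 macOS host cannot run a Linux x86-64 ELF at all, which is the situation in which `run` crashed here; the header bytes are constructed to match the `file` output, and `host_os`/`host_machine` are assumed values describing the reporter's machine.

```python
import struct

# Field values from the ELF specification (gABI); these are standard constants.
ELFCLASS64 = 2          # 64-bit object
ELFDATA2LSB = 1         # little-endian ("LSB" in `file` output)
ELFOSABI_SYSV = 0       # "SYSV" in `file` output
ET_EXEC, ET_DYN = 2, 3  # ET_DYN also covers PIE executables
EM_X86_64 = 0x3E
EM_AARCH64 = 0xB7       # what an Apple-silicon host runs natively

def parse_elf64_header(data: bytes) -> dict:
    """Decode the identification, type and machine fields of an ELF64 header."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class != ELFCLASS64:
        raise ValueError("only ELF64 headers are handled here")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"little_endian": ei_data == ELFDATA2LSB, "osabi": ei_osabi,
            "type": e_type, "machine": e_machine}

def native_launch_ok(hdr: dict, host_os: str, host_machine: int) -> tuple:
    """Return (ok, reason). An ELF executable can only be launched natively by a
    Linux host of the same machine type; otherwise lldb's `run` cannot work and
    the target has to be a Linux VM, an emulator or a remote lldb-server."""
    if hdr["type"] not in (ET_EXEC, ET_DYN):
        return False, "not an executable (relocatable object or core file)"
    if host_os != "linux":
        return False, "ELF executables are not native to %s" % host_os
    if hdr["machine"] != host_machine:
        return False, "machine type 0x%x does not match the host" % hdr["machine"]
    return True, "native launch possible"

# Constructed 64-byte header matching the `file` output for crackme_0
# (ELF64, LSB, SYSV ABI, ET_DYN pie, x86-64). Fields after e_version are
# zeroed because this check never reads them.
CRACKME_HEADER = (b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, ELFOSABI_SYSV])
                  + b"\x00" * 8 + struct.pack("<HHI", ET_DYN, EM_X86_64, 1)
                  + b"\x00" * 40)

if __name__ == "__main__":
    hdr = parse_elf64_header(CRACKME_HEADER)
    # Assumed host: the reporter's arm64 macOS machine.
    print(hdr, native_launch_ok(hdr, "macos", EM_AARCH64))
```

Running the same check on the real file only needs `open(path, "rb").read(64)` in place of the constructed header.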
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs