Coredump Decode

This is a summary of decoding Linux userspace process corefiles using GDB.

1. Preparation
2. Decode
3. Examples
   • Example 1 - Buffer overflow
   • Example 2 - Busybox crash
   • Example 3 - String race condition

Preparation

To decode the corefile, both gdb and unstripped binary are necessary.

1. Get the corresponding GDB for target corefile. The GDB must match with the target executables. This is especially important for corss-platform compilers.

2. Find the unstripped binary - the unstripped binary contains the symbols of the coredumped process. To check for the debug info in a binary, either objdump or readelf can be used. Sometimes even the filecommand can tell the difference.

Decode

The basic command to decode corefile is

`gdb <unstripped_binary> <corefile>`.

If you have all shared libraries at hand, they can be automatically loaded by command

`gdb <unstripped_binary> -q -ex "set solib-search-path <lib1>:<lib2>:...:<libn>" <corefile>`.

To check for loaded/needed shared libraries, gdb command info sharedlibrary can be used. To load multiple shared libaries, you can use gdb command set solib-search-path <lib1>:<lib2>:...:<libn>, where libn is the path to the shared libary. Colon(:) can be used to concatenate multiple paths.

For the complete article, please refer to:http://www.bo-yang.net/2016/07/05/coredump-decode