Segfault with anal type matching #14870
Which arch is this? Can you add the SN line in the profile like I did yesterday for Sh?
On 22 Aug 2019, at 06:34, Anton Kochkov wrote:
Can't share the binary though, will check it myself later.
Warning: No SN reg alias for current architecture. (this warning was printed 14 times)
[x] Emulate code to find computed references (aae)
[ ] Type matching analysis for all functions (aaft)
Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0x0000000000000000 RBX: 0x0000000000000001 RBP: 0x0000000000000000 RSP: 0x00007FFFFFFFB818 o d I t S z a p C
RDI: 0x0000000000000000 RSI: 0x00007FFFF67C7ED3 RDX: 0x0000000000000000 RCX: 0x0000000000000000 RIP: 0x00007FFFF6021E55
R8 : 0x00000000FFFFFFFF R9 : 0x00007FFFFFFFB690 R10: 0x00007FFFF6268BA4 R11: 0x00007FFFF65DF5C3 R12: 0x00005555555550E0
R13: 0x00007FFFFFFFD0B0 R14: 0x0000000000000000 R15: 0x0000000000000000
CS: 0033 DS: 0000 ES: 0000 FS: 0000 GS: 0000 SS: 002B
-----------------------------------------------------------------------------------------------------------------------[code]
=> 0x7ffff6021e55 <__strlen_avx2+21>: vpcmpeqb (%rdi),%ymm0,%ymm1
0x7ffff6021e59 <__strlen_avx2+25>: vpmovmskb %ymm1,%eax
0x7ffff6021e5d <__strlen_avx2+29>: test %eax,%eax
0x7ffff6021e5f <__strlen_avx2+31>: jne 0x7ffff6021f50 <__strlen_avx2+272>
0x7ffff6021e65 <__strlen_avx2+37>: add $0x20,%rdi
0x7ffff6021e69 <__strlen_avx2+41>: and $0x1f,%ecx
0x7ffff6021e6c <__strlen_avx2+44>: and $0xffffffffffffffe0,%rdi
0x7ffff6021e70 <__strlen_avx2+48>: jmp 0x7ffff6021eb4 <__strlen_avx2+116>
-----------------------------------------------------------------------------------------------------------------------------
0x00007ffff6021e55 in __strlen_avx2 () from /lib64/libc.so.6
gdb$ bt
#0 0x00007ffff6021e55 in __strlen_avx2 () from /lib64/libc.so.6
#1 0x00007ffff5f4f7d3 in strdup () from /lib64/libc.so.6
#2 0x00007ffff7004547 in r_core_anal_type_match (core=0x7ffff60b80c0 <r>, fcn=0x555555811c50) at anal_tp.c:564
#3 0x00007ffff6ee96c4 in cmd_anal_aaft (core=0x7ffff60b80c0 <r>) at cmd_anal.c:815
#4 0x00007ffff6f04f9c in cmd_anal_all (core=0x7ffff60b80c0 <r>, input=0x5555557d8ec2 "ft") at cmd_anal.c:8273
#5 0x00007ffff6f081b6 in cmd_anal (data=0x7ffff60b80c0 <r>, input=0x5555557d8ec1 "aft") at cmd_anal.c:9270
#6 0x00007ffff6fa80fc in r_cmd_call (cmd=0x5555555c3220, input=0x5555557d8ec0 "aaft") at cmd_api.c:244
#7 0x00007ffff6f56b9d in r_core_cmd_subst_i (core=0x7ffff60b80c0 <r>, cmd=0x5555557d8ec0 "aaft", colon=0x0, tmpseek=0x7fffffffc4b7) at cmd.c:3539
#8 0x00007ffff6f533c2 in r_core_cmd_subst (core=0x7ffff60b80c0 <r>, cmd=0x5555557d8ec0 "aaft") at cmd.c:2418
#9 0x00007ffff6f59695 in r_core_cmd (core=0x7ffff60b80c0 <r>, cstr=0x7ffff702ee98 "aaft", log=0x0) at cmd.c:4374
#10 0x00007ffff6f59d9e in r_core_cmd0 (core=0x7ffff60b80c0 <r>, cmd=0x7ffff702ee98 "aaft") at cmd.c:4539
#11 0x00007ffff6f05d26 in cmd_anal_all (core=0x7ffff60b80c0 <r>, input=0x5555557ba162 "a") at cmd_anal.c:8486
#12 0x00007ffff6f081b6 in cmd_anal (data=0x7ffff60b80c0 <r>, input=0x5555557ba161 "aa") at cmd_anal.c:9270
#13 0x00007ffff6fa80fc in r_cmd_call (cmd=0x5555555c3220, input=0x5555557ba160 "aaa") at cmd_api.c:244
#14 0x00007ffff6f56b9d in r_core_cmd_subst_i (core=0x7ffff60b80c0 <r>, cmd=0x5555557ba160 "aaa", colon=0x0, tmpseek=0x7fffffffcbb7) at cmd.c:3539
#15 0x00007ffff6f533c2 in r_core_cmd_subst (core=0x7ffff60b80c0 <r>, cmd=0x5555557ba160 "aaa") at cmd.c:2418
#16 0x00007ffff6f59695 in r_core_cmd (core=0x7ffff60b80c0 <r>, cstr=0x5555557b9110 "aaa", log=0x1) at cmd.c:4374
#17 0x00007ffff6eaf541 in r_core_prompt_exec (r=0x7ffff60b80c0 <r>) at core.c:3094
#18 0x00007ffff60a9364 in r_main_radare2 (argc=0x2, argv=0x7fffffffd0b8) at radare2.c:1489
#19 0x000055555555540f in main (argc=0x2, argv=0x7fffffffd0b8) at radare2.c:95
gdb$
That looks like a null deref, probably because of a missing calling convention.
pls confirm