
Segfault under Vv, scrolling down with j with long, possibly binary, function names #15093

Closed · brainstorm opened this issue Sep 21, 2019 · 5 comments · Fixed by #15100

Comments

brainstorm (Contributor) commented Sep 21, 2019

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | OSX 10.14.6 |
| File format of the file you reverse (mandatory) | VxWorks firmware |
| Architecture/bits of the file (mandatory) | SuperH4, 32bits |
| r2 -v full output, not truncated (mandatory) | radare2 4.0.0-git 22817 @ darwin-x86-64 git.3.2.1-2269-gd112883c5 commit: d112883 build: 2019-09-21__13:44:30 |

Actual behavior

$ r2 -b 32 -a sh VxWorks.bin
 -- Coffee time!
[0x00000000]> . ./vxhunter_r2.py
Please input the VxWorks main version type 'c' to exit
Available (5/6/c): 5
(...)
[0x00000000]> Vv

(scroll down with jjjjjjj)
(...)
   0x0c27e820   98 _AddEvent__7ZafTextllUiUi
   0x0c1b4760   98 _AddEvent__8ZafGroupllUiUi
...
Process 23677 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00007fff738516f2 libsystem_platform.dylib`_platform_strlen + 18
libsystem_platform.dylib`_platform_strlen:
->  0x7fff738516f2 <+18>: pcmpeqb (%rdi), %xmm0
    0x7fff738516f6 <+22>: pmovmskb %xmm0, %esi
    0x7fff738516fa <+26>: andq   $0xf, %rcx
    0x7fff738516fe <+30>: orq    $-0x1, %rax
Target 0: (r2) stopped.
(lldb) up
frame #1: 0x00007fff7370bbf6 libsystem_c.dylib`strdup + 18
libsystem_c.dylib`strdup:
->  0x7fff7370bbf6 <+18>: movq   %rax, %rbx
    0x7fff7370bbf9 <+21>: incq   %rbx
    0x7fff7370bbfc <+24>: movq   %rbx, %rdi
    0x7fff7370bbff <+27>: callq  0x7fff737335c4            ; symbol stub for: malloc
(lldb) up
frame #2: 0x0000000100df740f libr_core.dylib`r_core_get_func_args(core=0x0000000101c2a0a0, fcn_name="_memcpy") at carg.c:235:13
   232 		}
   233 		const char *sp = r_reg_get_name (core->anal->reg, R_REG_NAME_SP);
   234 		int nargs = r_type_func_args_count (TDB, key);
-> 235 		char *cc = strdup (r_anal_cc_func (core->anal, key));
   236 		const char *src = r_anal_cc_arg (core->anal, cc, 0); // src of first argument
   237 		if (!cc) {
   238 			// unsupported calling convention
(lldb) up
frame #3: 0x0000000100e247cc libr_core.dylib`ds_print_esil_anal(ds=0x0000000102012000) at disasm.c:4646:18
   4643				const char *sp = r_reg_get_name (core->anal->reg, R_REG_NAME_SP);
   4644				ut64 spv = r_reg_getv (core->anal->reg, sp);
   4645				r_reg_setv (core->anal->reg, sp, spv + s_width); // temporarily set stack ptr to sync with carg.c
-> 4646				RList *list = r_core_get_func_args (core, fcn_name);
   4647				if (!r_list_empty (list)) {
   4648					bool warning = false;
   4649					bool on_stack = false;
(lldb) up
frame #4: 0x0000000100e189a1 libr_core.dylib`r_core_print_disasm(p=0x0000000101f05980, core=0x0000000101c2a0a0, addr=203014336, buf="\x86/\x96/�/�/"O���nChR.a\x1er\x1e", len=650, l=650, invbreak=0, cbytes=1, json=false, pj=0x0000000000000000, pdf=0x0000000101f79330) at disasm.c:5433:5
   5430					ds_print_demangled (ds);
   5431					ds_print_color_reset (ds);
   5432					ds_print_comments_right (ds);
-> 5433					ds_print_esil_anal (ds);
   5434					ds_show_refs (ds);
   5435				}
   5436			}
(lldb) up
   5659							sz = R_MAX (sz, rs);
   5660							ut8 *buf = calloc (sz, 1);
   5661							(void)r_io_read_at (core->io, at, buf, sz);
-> 5662							core->num->value = r_core_print_disasm (core->print, core, at, buf, sz, sz, 0, 1, 0, NULL, f);
   5663							free (buf);
   5664							// r_core_cmdf (core, "pD %d @ 0x%08" PFMT64x, f->_size > 0 ? f->_size: r_anal_fcn_realsize (f), f->addr);
   5665						}
(lldb) up
frame #6: 0x0000000100df5373 libr_core.dylib`r_cmd_call(cmd=0x000000010285b000, input="pdf") at cmd_api.c:244:10
   241 			c = cmd->cmds[((ut8)input[0]) & 0xff];
   242 			if (c && c->callback) {
   243 				const char *inp = (*input)? input + 1: "";
-> 244 				ret = c->callback (cmd->data, inp);
   245 			} else {
   246 				ret = -1;
   247 			}
(lldb) up
frame #7: 0x0000000100d2ebad libr_core.dylib`r_core_cmd_subst_i(core=0x0000000101c2a0a0, cmd="pdf", colon=0x0000000000000000, tmpseek=0x00007ffeefbfb64f) at cmd.c:3494:11
   3491							r_core_block_read (core);
   3492						}
   3493					}
-> 3494					ret = r_cmd_call (core->rcmd, r_str_trim_head (cmd));
   3495
   3496				}
   3497				if (tmpseek) {
(lldb) up
frame #8: 0x0000000100ceee9c libr_core.dylib`r_core_cmd_subst(core=0x0000000101c2a0a0, cmd="pdf") at cmd.c:2424:9
   2421			}
   2422			char *cr = strdup (cmdrep);
   2423			core->break_loop = false;
-> 2424			ret = r_core_cmd_subst_i (core, cmd, colon, (rep == orep - 1) ? &tmpseek : NULL);
   2425			if (ret && *cmd == 'q') {
   2426				free (cr);
   2427				goto beach;

Steps to reproduce the behavior

Run @dark-lbp's experimental r2 VxWorks demangling r2pipe script. Switch to Vv once it has finished running. Scroll down continuously with the j command.

brainstorm (Contributor, Author) commented:

Full backtrace:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00007fff738516f2 libsystem_platform.dylib`_platform_strlen + 18
    frame #1: 0x00007fff7370bbf6 libsystem_c.dylib`strdup + 18
    frame #2: 0x0000000100df740f libr_core.dylib`r_core_get_func_args(core=0x0000000101c2a0a0, fcn_name="_memcpy") at carg.c:235:13
    frame #3: 0x0000000100e247cc libr_core.dylib`ds_print_esil_anal(ds=0x0000000102012000) at disasm.c:4646:18
    frame #4: 0x0000000100e189a1 libr_core.dylib`r_core_print_disasm(p=0x0000000101f05980, core=0x0000000101c2a0a0, addr=203014336, buf="\x86/\x96/�/�/"O���nChR.a\x1er\x1e", len=650, l=650, invbreak=0, cbytes=1, json=false, pj=0x0000000000000000, pdf=0x0000000101f79330) at disasm.c:5433:5
    frame #5: 0x0000000100d15909 libr_core.dylib`cmd_print(data=0x0000000101c2a0a0, input="df") at cmd_print.c:5662:26
    frame #6: 0x0000000100df5373 libr_core.dylib`r_cmd_call(cmd=0x000000010285b000, input="pdf") at cmd_api.c:244:10
    frame #7: 0x0000000100d2ebad libr_core.dylib`r_core_cmd_subst_i(core=0x0000000101c2a0a0, cmd="pdf", colon=0x0000000000000000, tmpseek=0x00007ffeefbfb64f) at cmd.c:3494:11
    frame #8: 0x0000000100ceee9c libr_core.dylib`r_core_cmd_subst(core=0x0000000101c2a0a0, cmd="pdf") at cmd.c:2424:9
    frame #9: 0x0000000100ce7a01 libr_core.dylib`r_core_cmd(core=0x0000000101c2a0a0, cstr="pdf @ 0xc19c0c0", log=0) at cmd.c:4381:9
    frame #10: 0x0000000100ceb92c libr_core.dylib`r_core_cmd_str(core=0x0000000101c2a0a0, cmd="pdf @ 0xc19c0c0") at cmd.c:4636:6
    frame #11: 0x0000000100e425d7 libr_core.dylib`r_core_visual_anal_refresh_column(core=0x0000000101c2a0a0, colpos=30) at vmenus.c:2844:17
    frame #12: 0x0000000100e3e7ba libr_core.dylib`r_core_visual_anal_refresh(core=0x0000000101c2a0a0) at vmenus.c:2923:2
    frame #13: 0x0000000100e3d882 libr_core.dylib`r_core_visual_anal(core=0x0000000101c2a0a0, input=0x0000000000000000) at vmenus.c:3121:10
  * frame #14: 0x0000000100db3c97 libr_core.dylib`r_core_visual_cmd(core=0x0000000101c2a0a0, arg="v") at visual.c:2879:4
    frame #15: 0x0000000100dbcf6a libr_core.dylib`r_core_visual(core=0x0000000101c2a0a0, input="v") at visual.c:4203:8
    frame #16: 0x0000000100d2460e libr_core.dylib`cmd_visual(data=0x0000000101c2a0a0, input="v") at cmd.c:1729:9
    frame #17: 0x0000000100df5373 libr_core.dylib`r_cmd_call(cmd=0x000000010285b000, input="Vv") at cmd_api.c:244:10
    frame #18: 0x0000000100d2eef2 libr_core.dylib`r_core_cmd_subst_i(core=0x0000000101c2a0a0, cmd="Vv", colon=0x0000000000000000, tmpseek=0x00007ffeefbfe57f) at cmd.c:3546:12
    frame #19: 0x0000000100ceee9c libr_core.dylib`r_core_cmd_subst(core=0x0000000101c2a0a0, cmd="Vv") at cmd.c:2424:9
    frame #20: 0x0000000100ce7a01 libr_core.dylib`r_core_cmd(core=0x0000000101c2a0a0, cstr="Vv", log=1) at cmd.c:4381:9
    frame #21: 0x0000000100cd4665 libr_core.dylib`r_core_prompt_exec(r=0x0000000101c2a0a0) at core.c:3099:12
    frame #22: 0x0000000101c1c8d9 libr_main.dylib`r_main_radare2(argc=6, argv=0x00007ffeefbfee88) at radare2.c:1452:16
    frame #23: 0x0000000100001a1d r2`main(argc=6, argv=0x00007ffeefbfee88) at radare2.c:95:9
    frame #24: 0x00007fff736693d5 libdyld.dylib`start + 1
    frame #25: 0x00007fff736693d5 libdyld.dylib`start + 1

radare (Collaborator) commented Sep 21, 2019

Add an if in carg.c:235 because it's calling strdup with null as arg
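
The ordering problem behind this comment, as an added illustration that is not radare2's code and not the fix in #15100: in the backtrace, carg.c:235 calls strdup () on the result of r_anal_cc_func () and only afterwards tests `if (!cc)`, so a function with no recorded calling convention (here "_memcpy") is dereferenced inside strlen () before the guard runs. The cc_lookup table stands in for the real type-database lookup and is constructed for the example; cc_copy_buggy, cc_copy_fixed and cc_matches are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for r_anal_cc_func (): the calling convention recorded for a
 * function name, or NULL if none is known. Constructed sample table. */
static const char *cc_lookup(const char *fcn_name) {
    static const struct { const char *name; const char *cc; } table[] = {
        { "main", "cdecl" },
        { "_AddEvent__7ZafTextllUiUi", "cdecl" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (!strcmp(table[i].name, fcn_name)) {
            return table[i].cc;
        }
    }
    return NULL; /* e.g. "_memcpy" in the report: nothing recorded */
}

/* Same order as carg.c:235-237 in the backtrace: strdup () runs before the
 * NULL test, so an unknown convention is read inside strlen () first.
 * Undefined behaviour; in practice the EXC_BAD_ACCESS at address 0. */
static char *cc_copy_buggy(const char *fcn_name) {
    char *cc = strdup(cc_lookup(fcn_name));
    if (!cc) { /* too late: strdup (NULL) has already crashed */
        return NULL;
    }
    return cc;
}

/* Hardened form: test the lookup result before copying it, so the
 * "unsupported calling convention" branch is actually reachable. */
static char *cc_copy_fixed(const char *fcn_name) {
    const char *raw = cc_lookup(fcn_name);
    if (!raw) {
        return NULL; /* caller treats NULL as "no argument info" */
    }
    return strdup(raw);
}

/* 1 if copy (fcn_name) yields `expect` (NULL meaning "no convention").
 * Only cc_copy_fixed is safe to probe with a name that is not in the table. */
static int cc_matches(char *(*copy)(const char *), const char *fcn_name,
                      const char *expect) {
    char *cc = copy(fcn_name);
    int ok = (!cc && !expect) || (cc && expect && !strcmp(cc, expect));
    free(cc);
    return ok;
}
```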

brainstorm (Contributor, Author) commented Sep 21, 2019

Wouldn't it make sense to see why the calling convention (*cc) is wrong when it hits that function? :-S

There are a few jjjj going on before it segfaults... there's no reason to believe that the n-th function call suddenly has a different calling convention, if I understand the code correctly.

radare (Collaborator) commented Sep 21, 2019 via email

radare (Collaborator) commented Sep 21, 2019 via email
