
Cvs Segmentation Fault, repeatable #16355

Closed
luke-goddard opened this issue Mar 29, 2020 · 0 comments
Comments

@luke-goddard (Contributor)

Work environment

Arch Linux archie 5.5.8-arch1-1 #1 SMP PREEMPT Fri, 06 Mar 2020 00:57:33 +0000 x86_64 GNU/Linux

Questions                                          Answers
OS/arch/bits (mandatory)                           Arch Linux x64/x86
File format of the file you reverse (mandatory)    ELF x86 Intel 80386,
Architecture/bits of the file (mandatory)          ELF x86 Intel 80386,
r2 -v full output, not truncated (mandatory)       radare2 4.4.0-git 24132 @ linux-x86-64 git.4.3.1-145-g2a9d7e9d44
                                                   commit: 2a9d7e9 build: 2020-03-29__19:32:56

Expected behavior

Running Cvs var should print "invalid command"

Actual behavior

Seg faults

Steps to reproduce the behavior

  1. Analyze the binary
  2. Jump to main
  3. pdf (to view stack var)
  4. Cvs var_8h
  5. Segfault
    https://asciinema.org/a/tyL03A7EakIlHBPw9kE15uydv

stack3.zip


Additional Logs, screenshots, source-code, configuration dump, ...

Compiled fresh r2 especially for this issue, so it's up to date.

I attached GDB and reproduced the steps to cause the segfault and got this backtrace.

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de61e5 in __strlen_avx2 () from /usr/lib/libc.so.6
(gdb) backtrace
#0  0x00007ffff7de61e5 in __strlen_avx2 () from /usr/lib/libc.so.6
#1  0x00007ffff71864c9 in r_meta_set_var_comment () from /usr/lib/libr_anal.so
#2  0x00007ffff74e5b19 in ?? () from /usr/lib/libr_core.so
#3  0x00007ffff74f4259 in ?? () from /usr/lib/libr_core.so
#4  0x00007ffff757d7ca in r_cmd_call () from /usr/lib/libr_core.so
#5  0x00007ffff74edbce in ?? () from /usr/lib/libr_core.so
#6  0x00007ffff74f03b0 in r_core_cmd () from /usr/lib/libr_core.so
#7  0x00007ffff74bdd8c in r_core_prompt_exec () from /usr/lib/libr_core.so
#8  0x00007ffff74be569 in r_core_prompt_loop () from /usr/lib/libr_core.so
#9  0x00007ffff7e60eef in r_main_radare2 () from /usr/lib/libr_main.so
#10 0x00007ffff7cac023 in __libc_start_main () from /usr/lib/libc.so.6
#11 0x000055555555527e in ?? ()

// XXX very similar to set_string
R_API bool r_meta_set_var_comment(RAnal *a, int type, ut64 idx, ut64 addr, const char *s) {
	char key[100], val[2048], *e_str;
	bool ret;
	ut64 size;
	const char *space = r_spaces_current_name (&a->meta_spaces);
	meta_type_add (a, type, addr);

	snprintf (key, sizeof (key)-1, "meta.%c.0x%"PFMT64x".0x%"PFMT64x, type, addr, idx);
	size = sdb_array_get_num (DB, key, 0, 0);
	if (!size) {
		size = strlen (s);
		meta_inrange_add (a, addr, size);
		ret = true;
	} else {
		ret = false;
	}
	e_str = sdb_encode ((const void*)s, -1);
	snprintf (val, sizeof (val)-1, "%d,%s,%s", (int)size, space, e_str);
	sdb_set (DB, key, val, 0);
	free ((void*)e_str);
	return ret;
}

I don't know C very well, but I think that strlen being called on s results in a null pointer dereference inside the r_meta_set_var_comment function.

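The crash path the backtrace points at is strlen() running on a comment pointer that is NULL because `Cvs var_8h` was typed without a comment. The block below is an added example written for this page, not radare2 code and not the fix the project shipped: it models the argument split and the record-building step with hypothetical stand-in functions (parse_cvs_args, build_var_comment_record, handle_cvs), keeps the unguarded strlen() call beside a guarded version that rejects a missing comment before anything dereferences it, and returns a status code instead of crashing. The "size,space,encoded-comment" record shape is copied from the excerpt above; the space name "*" and the sample command lines are constructed for the demo.

```c
/* Added example (not radare2 code): reduced model of Cvs argument handling
 * and of the comment-storing routine, with the NULL guard the backtrace
 * above calls for. All function names here are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Split the text after "Cvs" into a variable name and an optional comment.
 * Returns false when no variable name is present. *comment is left NULL
 * when only the name was typed, which is exactly the shape of "Cvs var_8h". */
static bool parse_cvs_args(const char *args, char *name, size_t name_sz,
                           const char **comment) {
    *comment = NULL;
    while (*args == ' ') args++;
    if (!*args) return false;
    size_t n = strcspn(args, " ");
    if (n >= name_sz) return false;
    memcpy(name, args, n);
    name[n] = '\0';
    args += n;
    while (*args == ' ') args++;
    if (*args) *comment = args;
    return true;
}

/* Unguarded: mirrors the excerpt's strlen(s). Passing NULL here is the
 * SIGSEGV in __strlen_avx2 shown in the backtrace. */
static size_t comment_len_unguarded(const char *s) {
    return strlen(s);
}

/* Guarded: refuse a missing or empty comment before it is dereferenced.
 * Builds the same "size,space,comment" record as the excerpt (encoding
 * omitted for the demo). Returns false and leaves 'val' untouched on error. */
static bool build_var_comment_record(const char *space, const char *s,
                                     char *val, size_t val_sz) {
    if (!s || !*s) return false;           /* the check the excerpt lacks */
    size_t size = strlen(s);               /* now provably non-NULL */
    int w = snprintf(val, val_sz, "%zu,%s,%s", size, space, s);
    return w > 0 && (size_t)w < val_sz;
}

/* Command handler: -1 = usage error (no name), -2 = missing comment, 0 = stored. */
static int handle_cvs(const char *args, char *val, size_t val_sz) {
    char name[64];
    const char *comment;
    if (!parse_cvs_args(args, name, sizeof name, &comment)) return -1;
    if (!build_var_comment_record("*", comment, val, val_sz)) return -2;
    return 0;
}

/* Result helpers so outcomes can be checked without caller-side buffers. */
static int cvs_status(const char *args) {
    char val[256];
    return handle_cvs(args, val, sizeof val);
}

static bool cvs_record_is(const char *args, const char *expected) {
    char val[256];
    return handle_cvs(args, val, sizeof val) == 0 && strcmp(val, expected) == 0;
}

int main(void) {
    char val[256];
    /* Constructed inputs: the crashing shape from the issue, then a valid one. */
    printf("Cvs var_8h -> rc=%d (no comment, no strlen on NULL)\n",
           handle_cvs("var_8h", val, sizeof val));
    int rc = handle_cvs("var_8h saved ebp slot", val, sizeof val);
    printf("Cvs var_8h saved ebp slot -> rc=%d val=%s\n", rc, val);
    printf("unguarded strlen on a real comment: %zu\n",
           comment_len_unguarded("saved ebp slot"));
    return 0;
}
```

The guard belongs at the lowest layer that touches the pointer, not only in the command parser: r_meta_set_var_comment is an exported R_API function, so any other caller that forwards a NULL would hit the same strlen() otherwise.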
