DarkFlippers / unleashed-firmware

Flipper Zero Unleashed Firmware
https://flipperunleashed.com
GNU General Public License v3.0

RFID Fuzzer - crashes if you exit it too fast while running attack #284

Closed kuznetsov-m closed 1 year ago

kuznetsov-m commented 1 year ago

Describe the bug.

Flipper zero crashed (NULL pointer dereference) with RFID Fuzzer tool

firmware_branch: release-cfw
firmware_branch_num: 3470
firmware_build_date: 31-12-2022
firmware_commit: 5c36043d
firmware_commit_dirty: false
firmware_target: 7
firmware_version: unlshd-023

dump-2023-01-15-19-13-39.txt

Reproduction

  1. Open RFID Fuzzer (EM4100 default mode)
  2. Select mode BF Customer ID
  3. Click TD- (5 times) for time delay: 5
  4. Skip 3-10 UIDs
  5. Click back button 2 times
  6. Flipper zero crashed

Target

No response

Logs

29 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
29 [default] Binding on contentItem is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
30 [default] Binding on animation is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
34 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
39 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
39 [default] Binding on contentItem is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
40 [default] Binding on contentItem is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
40 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
47 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
47 [default] Binding on contentItem is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
47 [default] Binding on indicator is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
47 [default] Binding on background is not deferred as requested by the DeferredPropertyNames class info because one or more of its sub-objects contain an id.
353 [APP] qFlipper version 1.2.2 commit ba67025d 2022-12-08T19:31:11
354 [APP] OS info: macOS 11.6 11.6 20.6.0 Qt 6.3.1
381 [REG] Detected new device: VID_0x483:PID_0x5740
469 [DBG] Trying serial port  at /dev/cu.Bluetooth-Incoming-Port
470 [DBG] Trying serial port  at /dev/tty.Bluetooth-Incoming-Port
470 [DBG] Trying serial port  at /dev/cu.-CSRGAIA
470 [DBG] Trying serial port  at /dev/tty.-CSRGAIA
470 [DBG] Trying serial port  at /dev/cu.HUAWEIFreeBudsStudio-Se
470 [DBG] Trying serial port  at /dev/tty.HUAWEIFreeBudsStudio-Se
470 [DBG] Trying serial port  at /dev/cu.iPhone-WirelessiAP
470 [DBG] Trying serial port  at /dev/tty.iPhone-WirelessiAP
470 [DBG] Trying serial port  at /dev/cu.PSS-880-SerialPort
470 [DBG] Trying serial port  at /dev/tty.PSS-880-SerialPort
470 [DBG] Trying serial port  at /dev/cu.HUAWEIFreeBuds3i-Spp1
470 [DBG] Trying serial port  at /dev/tty.HUAWEIFreeBuds3i-Spp1
470 [DBG] Trying serial port flip_none ;) at /dev/cu.usbmodemflip_none ;)1
470 [DBG] Using  serial port flip_none ;) at /dev/cu.usbmodemflip_none ;)1
479 [RPC] Starting RPC session...
499 [UPD] Fetched update information from https://update.flipperzero.one/qFlipper/directory.json
517 [UPD] Fetched update information from https://update.flipperzero.one/firmware/directory.json
575 [RPC] RPC session started successfully.
575 [RPC] (1) System Protobuf Version START
631 [DBG] Detected protobuf version: 0.14
631 [RPC] (1) System Protobuf Version SUCCESS
631 [RPC] (2) Property Get START
743 [RPC] (2) Property Get SUCCESS
743 [RPC] (3) Storage Info @/ext START
795 [RPC] (3) Storage Info @/ext SUCCESS
795 [RPC] (4) Storage Stat @/ext/Manifest START
850 [RPC] (4) Storage Stat @/ext/Manifest SUCCESS
850 [RPC] (5) System Get DateTime START
902 [DBG] Flipper time skew is -50 milliseconds
902 [RPC] (5) System Get DateTime SUCCESS
902 [RPC] (6) System Set DateTime START
954 [RPC] (6) System Set DateTime SUCCESS
964 [RPC] Stopping RPC session...
1025 [RPC] RPC session stopped successfully.
1025 [REG] Registering the device
1025 [DEV] Version: unlshd-023 commit: 5c36043d radio: 1.13.3
1026 [BKD] Current device changed to "none ;)"
...

Anything else?

No response

xMasterX commented 1 year ago

Known issue. Also, logs from qFlipper screen sharing will not help here at all; they only take up all the space in this issue.

Also, why does your flipper name contain ";)" and a space? These characters are not allowed for custom names: none ;)

kuznetsov-m commented 1 year ago

I checked the existing open issues before creating a new one and I didn't find anything like it. If it is a duplicate, let's close it and continue the discussion in the original issue. Sorry for the long logs; I just attached them to provide more information about the Flipper's state.

Flipper name in logs was replaced manually just like that.

elrod16 commented 1 year ago

I've actually encountered this in other apps that I've launched from my favorites.

xMasterX commented 1 year ago

> I've actually encountered this in other apps that I've launched from my favorites.

And? How is it related to this issue?

elrod16 commented 1 year ago

I think they are related. I don't think it is specific to the RFID Bruteforce app; I think it deals with closing any app too fast.

Edit: typed wrong app name

xMasterX commented 1 year ago

> I think they are related, I don't think it is specific to the RFID Bruteforce app, I think it deals with closing any app too fast.
>
> Edit: typed wrong app name

This issue is known and present only with this plugin. Tell me which exact plugins have the same issue, apart from the iButton fuzzer and RFID fuzzer?

elrod16 commented 1 year ago

The infrared app, NFC Magic, Weather Station, for example can all be reliably crashed by backing out too fast. Results in a furi_check error.

xMasterX commented 1 year ago

> The infrared app, NFC Magic, Weather Station, for example can all be reliably crashed by backing out too fast. Results in a furi_check error.

These are all official plugins; we have not modified them, and the core parts of the firmware are also not modified. Tell me your firmware version and exact steps to reproduce this bug, because I can't reproduce any crashes by just exiting those apps.

elrod16 commented 1 year ago

I'm on Unleashed 23. For any of those apps, all it takes is entering them, interacting with a few menu items, then hammering the back button really fast. For infrared though, it seems to be connected to launching a remote directly instead of opening the main app and navigating to the saved remote.

Edit: subghz Bruteforce has it too.

xMasterX commented 1 year ago

RFID Fuzzer issues have been fixed since the app was rewritten from scratch.