RfidResearchGroup / proxmark3

Iceman Fork - Proxmark3
http://www.icedev.se
GNU General Public License v3.0

Stack overflow detected in hf emrtd dump command #2289

Closed Sanduuz closed 4 months ago

Sanduuz commented 4 months ago

**Describe the bug**
A stack overflow is detected while trying to dump an epassport with `hf emrtd dump`.

**To Reproduce**
Steps to reproduce the behavior:

1. Flash the newest firmware (as of 2024-02-14): `./pm3-flash-all`

```
[=] Session log /home/sanduuz/.proxmark3/logs/log_20240214120222.txt
[+] loaded from JSON file `/home/sanduuz/.proxmark3/preferences.json`
[+] About to use the following files:
[+]    /home/sanduuz/proxmark3/client/../bootrom/obj/bootrom.elf
[+]    /home/sanduuz/proxmark3/client/../armsrc/obj/fullimage.elf
[+] Loading ELF file /home/sanduuz/proxmark3/client/../bootrom/obj/bootrom.elf
[+] ELF file version Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:46 455cbe400

[+] Loading ELF file /home/sanduuz/proxmark3/client/../armsrc/obj/fullimage.elf
[+] ELF file version Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:50 455cbe400

[+] Waiting for Proxmark3 to appear on /dev/ttyACM0 🕑 59 found
[+] Entering bootloader...
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/ttyACM0 🕓 59 found
[=] Available memory on this board: 512K bytes

[=] Permitted flash range: 0x00100000-0x00180000
[+] Loading usable ELF segments:
[+]    0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+]    1: V 0x00200000 P 0x00100200 (0x00001260->0x00001260) [R X] @0x298

[+] Loading usable ELF segments:
[+]    1: V 0x00102000 P 0x00102000 (0x00051ecc->0x00051ecc) [R X] @0xb8
[+]    2: V 0x00200000 P 0x00153ecc (0x00001b9b->0x00001b9b) [R X] @0x51f88
[=] Note: Extending previous segment from 0x51ecc to 0x53a67 bytes

[+] Flashing...
[+] Writing segments for file: /home/sanduuz/proxmark3/client/../bootrom/obj/bootrom.elf
[+]  0x00100000..0x001001ff [0x200 / 1 blocks] . ok
[+]  0x00100200..0x0010145f [0x1260 / 10 blocks] .......... ok

[+] Writing segments for file: /home/sanduuz/proxmark3/client/../armsrc/obj/fullimage.elf
[+]  0x00102000..0x00155a66 [0x53a67 / 670 blocks] ................................................................... @@@ @@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@ @@@ @@@ @@! !@@ @@! @@! @@! @@! @@! @@@ @@!@!@@@ !!@ !@! @!!!:! @!! !!@ @!@ @!@!@!@! @!@@!!@! !!: :!! !!: !!: !!: !!: !!! !!: !!! : :: :: : : :: ::: : : : : : :: : . .. .. . . .. ... . . . . . .. . ................................................................... ................................................................... ................................................................... ............................. ok

[+] All done

[=] Have a nice day!
```

2. Run the proxmark client software: `./pm3`

```
[=] Session log /home/sanduuz/.proxmark3/logs/log_20240214120403.txt
[+] loaded from JSON file /home/sanduuz/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

8888888b. 888b d888 .d8888b.
888 Y88b 8888b d8888 d88P Y88b
888 888 88888b.d88888 .d88P
888 d88P 888Y88888P888 8888"
8888888P" 888 Y888P 888 "Y8b.
888 888 Y8P 888 888 888
888 888 " 888 Y88b d88P 888 888 888 "Y8888P" [ ☕ ]

[ Proxmark3 RFID instrument ]

MCU....... AT91SAM7S512 Rev A
Memory.... 512 KB ( 67% used )

Client.... Iceman/master/v4.16717-404-gae4e97999 2023-09-03 12:32:47
Bootrom... Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:46
OS........ Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:50
Target.... RDV4
```
3. Run command `hf emrtd dump -m [REDACTED] --dir [REDACTED]`

```
[=] ..
[=] Read EF_CardAccess , len 42
[+] saved 42 bytes to binary file /home/sanduuz/[REDACTED]/EF_CardAccess.BIN
[=] Authentication is enforced. Will attempt external authentication.
[=] External authentication with BAC successful.
[=] ..
[=] Read EF_COM, len: 25
[+] saved 25 bytes to binary file /home/sanduuz/[REDACTED]/EF_COM.BIN
[=] ..
[=] Read EF_DG1 , len 93
[+] saved 93 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG1.BIN
[=] .................................
[=] .................................
[=] .................................
[=] .................................
[=] .................................
[=] ..........
[=] Read EF_DG2 , len 19926
[+] saved 19926 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG2.BIN
[+] saved 19842 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG2.jpg
[=] .........
[=] Read EF_DG14 , len 891
[+] saved 891 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG14.BIN
[=] ....
[=] Read EF_DG15 , len 298
[+] saved 298 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG15.BIN
[=] .................[#] Stack overflow detected! Please increase stack size, currently 8480 bytes
[#] Unplug your device now.
[=] You can cancel this operation by pressing the pm3 button
[!!] 🚨 APDU: reply timeout
[!!] 🚨 Failed to read 011D
```

4. See error

```
[=] .................[#] Stack overflow detected! Please increase stack size, currently 8480 bytes
[#] Unplug your device now.
[=] You can cancel this operation by pressing the pm3 button
[!!] 🚨 APDU: reply timeout
[!!] 🚨 Failed to read 011D
```


**Expected behavior**
Instead of overflowing the stack, the dumping should continue like this:

```
[=] Read EF_DG15 , len 298
[+] saved 298 bytes to binary file /home/sanduuz/[REDACTED]/EF_DG15.BIN
[=] .......................
[=] Read EF_SOD , len 2542
[+] saved 2542 bytes to binary file /home/sanduuz/[REDACTED]/EF_SOD.BIN
[+] saved 2538 bytes to binary file /home/sanduuz/[REDACTED]/EF_SOD.p7b
```


**Screenshots**
![image](https://github.com/RfidResearchGroup/proxmark3/assets/26064233/e90d9ed4-7fbe-4e90-9685-a27e2db32473)

**Version information:**
 - OS: Debian 12 (`uname -a`: `Linux obsidian 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux`)
 - hw version:

```
[usb] pm3 --> hw version

[ Proxmark3 RFID instrument ]

[ Client ]
Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:47 455cbe400
compiled with............. GCC 12.2.0
platform.................. Linux / x86_64
Readline support.......... present
QT GUI support............ present
native BT support......... present
Python script support..... present
Lua SWIG support.......... present
Python SWIG support....... present

[ Proxmark3 ]
device.................... RDV4
firmware.................. RDV4
external flash............ present
smartcard reader.......... present
FPC USART for BT add-on... absent

[ ARM ]
bootrom: Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:46 455cbe400
os: Iceman/master/v4.16717-404-gae4e97999-suspect 2023-09-03 12:32:50 455cbe400
compiled with GCC 12.2.1 20221205

[ FPGA ]
fpga_pm3_lf.ncd image 2s30vq100 2023-08-29 16:44:07
fpga_pm3_hf.ncd image 2s30vq100 2023-08-29 16:44:19
fpga_pm3_felica.ncd image 2s30vq100 2023-08-29 16:44:43
fpga_pm3_hf_15.ncd image 2s30vq100 2023-08-29 16:44:31

[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Internal SRAM size: 64K bytes
--= Architecture identifier: AT91SAM7Sxx Series
--= Embedded flash memory 512K bytes ( 67% used )
```

 - hw status:

```
[usb] pm3 --> hw status
[#] Memory
[#] BigBuf_size............. 40488
[#] Available memory........ 40488
[#] Tracing
[#] tracing ................ 1
[#] traceLen ............... 0
[#] Current FPGA image
[#] mode.................... fpga_pm3_hf.ncd image 2s30vq100 2023-08-29 16:44:19
[#] Flash memory
[#] Baudrate................ 24 MHz
[#] Init.................... OK
[#] Memory size............. 2 mbits / 256 kb
[#] Unique ID (be).......... 0x238A0C97307C69D5
[#] Smart card module (ISO 7816)
[#] version................. v3.10
[#] Outdated firmware. Please upgrade to v4.x or above.
[#] LF Sampling config
[#] [q] divisor............. 95 ( 125.00 kHz )
[#] [b] bits per sample..... 8
[#] [d] decimation.......... 1
[#] [a] averaging........... yes
[#] [t] trigger threshold... 0
[#] [s] samples to skip..... 0
[#]
[#] LF T55XX config
[#]                             [r]  [a]  [b]  [c]  [d]  [e]  [f]  [g]
[#] mode                       |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A |
[#] long leading reference     | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
[#] leading zero               | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
[#] 1 of 4 coding reference    | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
[#]
[#] HF 14a config
[#] [a] Anticol override.... std ( follow standard )
[#] [b] BCC override........ std ( follow standard )
[#] [2] CL2 override........ std ( follow standard )
[#] [3] CL3 override........ std ( follow standard )
[#] [r] RATS override....... std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client...
[#] Time elapsed................... 500ms
[#] Bytes transferred.............. 63488
[#] Transfer Speed PM3 -> Client... 126976 bytes/s
[#] Various
[#] Max stack usage......... 4088 / 8480 bytes
[#] Debug log level......... 1 ( error )
[#] ToSendMax............... -1
[#] ToSend BUFFERSIZE....... 2308
[#] Slow clock.............. 31480 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#] Flash memory dictionary loaded
[#]
```


**Additional context**
The end of the dump shown under expected behavior was an old dump taken on 2024-02-09 with the following firmware version:

```
[+] loaded from JSON file /home/sanduuz/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM0
[=] Communicating with PM3 over USB-CDC

[ Proxmark3 RFID instrument ]

MCU....... AT91SAM7S512 Rev A
Memory.... 512 KB ( 68% used )

Client.... Iceman/master/v4.17511-4-g2b320929f 2023-11-13 14:06:41
Bootrom... Iceman/master/v4.17511-4-g2b320929f-suspect 2023-11-13 14:06:33
OS........ Iceman/master/v4.17511-4-g2b320929f-suspect 2023-11-13 14:06:49
Target.... RDV4
```

iceman1001 commented 4 months ago

1714

Hard to replicate, since it's dependent on your passport.

So it's down to you to find the bug and fix it.

Sanduuz commented 4 months ago

I tried this on another computer and was not able to reproduce it there. I reflashed the proxmark multiple times and now I can't even reproduce the error on my original computer (yes, I reflashed on both computers). So I guess it might've been something other than a bug in this project after all, hence I'm closing this issue.

Thanks for the quick responses and sorry for the hassle :)
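Triage helper, added here as an example and not part of this issue or of the proxmark3 project: it scans pm3 client output like the logs pasted in the report for the firmware's `Stack overflow detected!` marker and for the `hw status` line `Max stack usage ... / ... bytes`, and summarises which EF was being read and which file id failed when the device bailed out. The sample log is constructed from lines in this report (with a placeholder dump directory); the names `analyse`, `StackReport` and `summarise` are invented for this example.

```python
"""Scan a Proxmark3 client session log for stack-overflow evidence.

Added example, not proxmark3 project code. Works on the message formats
visible in issue #2289: the firmware overflow marker, the `hw status`
"Max stack usage" line, the `[=] Read EF_xxx , len N` progress lines and
the `[!!] ... Failed to read <fileid>` error.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Marker the firmware prints when its stack guard is tripped (copied from the issue log).
OVERFLOW_RE = re.compile(
    r"\[#\] Stack overflow detected! Please increase stack size, currently (\d+) bytes"
)
# `hw status` line: "[#] Max stack usage......... 4088 / 8480 bytes"
USAGE_RE = re.compile(r"Max stack usage\.* (\d+) / (\d+) bytes")
# Progress lines; the client is inconsistent about ", len" vs ", len:" so accept both.
READ_RE = re.compile(r"\[=\] Read (EF_\w+)\s*,? len:? (\d+)")
# Error line; ".*" skips the emoji the client prints before the text.
FAIL_RE = re.compile(r"\[!!\] .*Failed to read ([0-9A-Fa-f]{4})")


@dataclass
class StackReport:
    overflow: bool = False
    stack_size: Optional[int] = None   # bytes, from either marker
    max_usage: Optional[int] = None    # bytes, from `hw status`
    last_file_read: Optional[str] = None
    failed_file_id: Optional[str] = None
    files_read: List[str] = field(default_factory=list)

    @property
    def headroom(self) -> Optional[int]:
        """Stack bytes still free at the peak reported by `hw status`, if known."""
        if self.stack_size is None or self.max_usage is None:
            return None
        return self.stack_size - self.max_usage


def analyse(log_text: str) -> StackReport:
    rep = StackReport()
    for line in log_text.splitlines():
        # The overflow marker follows progress dots on the same line, so search, not match.
        m = OVERFLOW_RE.search(line)
        if m:
            rep.overflow = True
            rep.stack_size = int(m.group(1))
        m = USAGE_RE.search(line)
        if m:
            rep.max_usage = int(m.group(1))
            rep.stack_size = int(m.group(2))
        m = READ_RE.search(line)
        if m:
            rep.files_read.append(m.group(1))
            rep.last_file_read = m.group(1)
        m = FAIL_RE.search(line)
        if m:
            rep.failed_file_id = m.group(1).upper()
    return rep


def summarise(rep: StackReport) -> str:
    if not rep.overflow:
        return "no stack overflow marker found"
    parts = [f"stack overflow with stack size {rep.stack_size} bytes"]
    if rep.last_file_read:
        parts.append(f"last file fully read: {rep.last_file_read}")
    if rep.failed_file_id:
        parts.append(f"failed file id: {rep.failed_file_id}")
    if rep.headroom is not None:
        parts.append(f"peak usage {rep.max_usage} bytes, {rep.headroom} bytes headroom")
    return "; ".join(parts)


# Constructed sample: lines taken from the issue, dump directory replaced by a placeholder.
SAMPLE_LOG = """\
[=] Read EF_DG14 , len 891
[+] saved 891 bytes to binary file /tmp/dump/EF_DG14.BIN
[=] ....
[=] Read EF_DG15 , len 298
[+] saved 298 bytes to binary file /tmp/dump/EF_DG15.BIN
[=] .................[#] Stack overflow detected! Please increase stack size, currently 8480 bytes
[#] Unplug your device now.
[!!] 🚨 APDU: reply timeout
[!!] 🚨 Failed to read 011D
[#] Max stack usage......... 4088 / 8480 bytes
"""

if __name__ == "__main__":
    print(summarise(analyse(SAMPLE_LOG)))
```

Run it against a real `~/.proxmark3/logs/log_*.txt` by passing the file contents to `analyse`. Note that a `hw status` reading taken after a reboot, as in this report, shows peak usage since boot and not at the moment the overflow fired, so the headroom figure only says whether a normal session gets close to the limit.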