Multiple (105) segfaults from processing a large number of binaries from Debian

[moyix]

Version and Platform (required):

• Binary Ninja Version: 3.0.3301-dev
• OS: Debian
• OS Version: unstable

Bug Description:

Recently I used Binary Ninja to collect IL and Pseudo-C for ~5 million functions across 80K binaries from Debian. This exposed a number of segfaults. I'm reporting them in bulk here because unfortunately I don't have time to go through and try to figure out which ones are unique.

Note that although the binaries have DWARF info, I didn't try to use the DWARF plugin with them; this is a clean install of BN.

Steps To Reproduce:

1. Grab the binaries here: https://moyix.net/~moyix/bn_crash_bins.tar.gz (NB: they're around 6GB unzipped, sorry about that!)
2. Get the attached repro script (bnsingle.py.gz), which attempts to get the various ILs for a specified function in a binary
3. To repro an individual crash, use one of the commands in the attached bnrepro.txt

Expected Behavior:

Binary Ninja should not segfault ;)

[psifertex]

Thanks! I'm converting that list into a checklist so we can mark them off here as we believe they're resolved so you can test and confirm. I'm going through them again after a few recent optimization and bug fixes to see what's left. I suspect that a few of the lager ones are likely OOMs and am curious how they do with the new memory improvements.

• [x] python3 bnsingle.py nn_comments_bins/3depict-0.0.23/src/3Depict 0x2fad70
• [x] python3 bnsingle.py nn_comments_bins/adun.app-0.81/debian/tmp/usr/lib/adun.app/libadun_base.so.0.0.1 0xd170
• [x] python3 bnsingle.py nn_comments_bins/alien-arena-7.66+dfsg/source/alienarena 0x575a0
• [x] python3 bnsingle.py nn_comments_bins/ardour-6.9.0+ds0/build/libs/gtkmm2ext/libgtkmm2ext.so 0x5df60
• [x] python3 bnsingle.py nn_comments_bins/astrometry.net-0.89+dfsg/debian/tmp/usr/lib/python3/dist-packages/astrometry/plot/_plotstuff_c.cpython-39-x86_64-linux-gnu.so 0xe99c0
• [x] python3 bnsingle.py nn_comments_bins/ball-1.5.0+git20180813.37fc53c/build/usr/lib/libBALL.so.1.5 0x8d5a70
• [x] python3 bnsingle.py nn_comments_bins/bandage-0.9.0/Bandage 0x9b940
• [x] python3 bnsingle.py nn_comments_bins/barrier-2.4.0+dfsg/builddir/bin/barriers 0x2bbb0
• [x] python3 bnsingle.py nn_comments_bins/bedtools-2.30.0+dfsg/debian/tmp/usr/local/bin/bedtools 0xd6e90
• [x] python3 bnsingle.py nn_comments_bins/blobandconquer-1.11-dfsg+20/blobAndConquer 0x2e2a0
• [x] python3 bnsingle.py nn_comments_bins/blocks-of-the-undead-1.0/TetrisAttack/src/BlocksOfTheUndead 0x2f2b0
• [x] python3 bnsingle.py nn_comments_bins/bornagain-1.19.0/obj-x86_64-linux-gnu/lib/_libBornAgainDevice.so 0x8f1f0
• [x] python3 bnsingle.py nn_comments_bins/brewtarget-2.3.1/obj-x86_64-linux-gnu/src/brewtarget_tests 0x20c690
• [x] python3 bnsingle.py nn_comments_bins/bullet-3.06+dfsg/build-float64/Extras/ConvexDecomposition/libConvexDecomposition-float64.so.3.05 0xcd50
• [x] python3 bnsingle.py nn_comments_bins/bzflag-2.4.22/src/bzflag/bzflag 0x126c10
• [x] python3 bnsingle.py nn_comments_bins/cairo-dock-plug-ins-3.4.1+git20201022.a0d3415c/debian/tmp/usr/lib/x86_64-linux-gnu/cairo-dock/libcd-system-monitor.so 0x7670
• [x] python3 bnsingle.py nn_comments_bins/camitk-4.1.2/camitk-build/lib/libmonitoring.so.4.1.2 0x8eda0
• [x] python3 bnsingle.py nn_comments_bins/canu-2.0+dfsg/Linux-amd64/bin/sqStoreCreate 0x3370
• [x] python3 bnsingle.py nn_comments_bins/cglm-0.8.4/obj-x86_64-linux-gnu/libcglm.so.0.8.4 0x13c50
• [x] python3 bnsingle.py nn_comments_bins/clipper-2.1.20201109/clipper/core/.libs/libclipper-core.so.2.0.1 0x62ba0
• [x] python3 bnsingle.py nn_comments_bins/cloudcompare-2.11.3/obj-x86_64-linux-gnu/qCC/CloudCompare 0x176370
• [x] python3 bnsingle.py nn_comments_bins/colmap-3.7/obj-x86_64-linux-gnu/src/exe/colmap 0x3525c0
• [x] python3 bnsingle.py nn_comments_bins/dvisvgm-2.13.1/src/dvisvgm 0x18ab10
• [x] python3 bnsingle.py nn_comments_bins/efl-1.26.1/obj-x86_64-linux-gnu/src/modules/evas/engines/gl_generic/libgl_generic.so 0x37070
• [x] python3 bnsingle.py nn_comments_bins/fitsh-0.9.4/src/fitrans 0x5050
• [x] python3 bnsingle.py nn_comments_bins/flam3-3.1.1/flam3-render 0x35c70
• [x] python3 bnsingle.py nn_comments_bins/fox1.6-1.6.57/debian/tmp/usr/lib/x86_64-linux-gnu/libFOX-1.6.so.0.0.57 0x171ef0
• [x] python3 bnsingle.py nn_comments_bins/gdis-0.90/gdis 0x5a800
• [x] python3 bnsingle.py nn_comments_bins/gerris-20131206+dfsg/modules/rsurface2kdt 0xd340
• [x] python3 bnsingle.py nn_comments_bins/gmsh-4.8.4+ds2/debian/tmp/usr/lib/x86_64-linux-gnu/libgmsh.so.4.8.4 0x8a5ca0
• [x] python3 bnsingle.py nn_comments_bins/gnubg-1.06.002/gnubg 0xfa400
• [x] python3 bnsingle.py nn_comments_bins/goldencheetah-3.5/src/GoldenCheetah 0x4235f0
• [x] python3 bnsingle.py nn_comments_bins/gravit-0.5.1+dfsg/gravit 0xb100
• [x] python3 bnsingle.py nn_comments_bins/harp-1.14/debian/tmp/usr/lib/x86_64-linux-gnu/libharp.so.12.1.1 0xedca0
• [x] python3 bnsingle.py nn_comments_bins/homebank-5.5.2/src/homebank 0x5a030
• [x] python3 bnsingle.py nn_comments_bins/igor-1.4.0+dfsg/igor_src/igor 0x294c0
• [x] python3 bnsingle.py nn_comments_bins/ikarus-0.0.3+bzr.2010.01.26/src/scheme-script 0xd1b0
• [x] python3 bnsingle.py nn_comments_bins/inkscape-1.1.1/obj-x86_64-linux-gnu/lib/x86_64-linux-gnu/libinkscape_base.so 0x134a9a0
• [x] python3 bnsingle.py nn_comments_bins/ioquake3-1.36+u20211208.84daa28~dfsg/debian/tmp/usr/lib/ioquake3/ioq3ded 0x44940
• [x] python3 bnsingle.py nn_comments_bins/iqtree-2.0.7+dfsg/build.mpi/iqtree2-mpi 0x21dbc0
• [x] python3 bnsingle.py nn_comments_bins/k2pdfopt-2.53+ds/obj-x86_64-linux-gnu/k2pdfopt 0x31c50
• [x] python3 bnsingle.py nn_comments_bins/lamarc-2.1.10.1+dfsg/lamarc 0x16aec0
• [x] python3 bnsingle.py nn_comments_bins/lammps-20210122~gita77bb+ds1/debian/liblammps0/usr/lib/x86_64-linux-gnu/liblammps.so.0 0x5dd630
• [x] python3 bnsingle.py nn_comments_bins/libhmsbeagle-3.1.2+dfsg/debian/tmp/usr/lib/x86_64-linux-gnu/libhmsbeagle.so.1.3.2 0x5e90
• [x] python3 bnsingle.py nn_comments_bins/libimagequant-2.17.0/libimagequant.so.0 0x5830
• [x] python3 bnsingle.py nn_comments_bins/libqtpas-2.6+2.2.0+dfsg1/libQt5Pas.so.1.2.9 0x132690
• [x] python3 bnsingle.py nn_comments_bins/librecad-2.1.3/unix/librecad 0x18b950
• [x] python3 bnsingle.py nn_comments_bins/librime-1.7.3+dfsg3/debian/tmp/usr/lib/x86_64-linux-gnu/librime.so.1.7.3 0x1eef00
• [x] python3 bnsingle.py nn_comments_bins/libsharp-1.0.0/debian/tmp/usr/lib/x86_64-linux-gnu/libsharp.so.0.0.0 0xf9d0
• [x] python3 bnsingle.py nn_comments_bins/libvcflib-1.0.2+dfsg/obj-x86_64-linux-gnu/normalize-iHS 0x2bd0
• [x] python3 bnsingle.py nn_comments_bins/libvidstab-1.1.0/obj-x86_64-linux-gnu/libvidstab.so.1.1 0x4ea0
• [x] python3 bnsingle.py nn_comments_bins/lilypond-2.22.1/lily/out/lilypond 0xab510
• [x] python3 bnsingle.py nn_comments_bins/lordsawar-0.3.2+frogknows/debian/tmp/usr/games/lordsawar-import 0x18c270
• [x] python3 bnsingle.py nn_comments_bins/luminance-hdr-2.6.0+dfsg/obj-x86_64-linux-gnu/luminance-hdr 0x13aec0
• [x] python3 bnsingle.py nn_comments_bins/mandelbulber2-2.20/build/mandelbulber2 0x2af700
• [x] python3 bnsingle.py nn_comments_bins/mediastreamer2-4.4.21/debian/tmp/usr/lib/x86_64-linux-gnu/libmediastreamer.so.11 0x6a3f0
• [x] python3 bnsingle.py nn_comments_bins/mesa-21.3.5/build/src/gallium/targets/lavapipe/libvulkan_lvp.so 0x39f060
• [x] python3 bnsingle.py nn_comments_bins/metis-5.1.0.dfsg/obj-x86_64-linux-gnu/libmetis/libmetis.so.5.1.0 0x49410
• [x] python3 bnsingle.py nn_comments_bins/metis-edf-4.1-2/libmetis-edf.so.4.1 0x28c60
• [x] python3 bnsingle.py nn_comments_bins/mia-2.4.7/obj-x86_64-linux-gnu/src/mia-3dprealign-nonrigid 0x11fd0
• [x] python3 bnsingle.py nn_comments_bins/mrpt-2.4.2+ds/obj-x86_64-linux-gnu/lib/libmrpt-math.so.2.4.2 0x391a00
• [x] python3 bnsingle.py nn_comments_bins/mysql-8.0-8.0.23/builddir/plugin_output_directory/group_replication.so 0x19b330
• [x] python3 bnsingle.py nn_comments_bins/mysql-workbench-8.0.26+dfsg/obj-x86_64-linux-gnu/library/base/libwbbase.so.8.0.26 0x5dba0
• [x] python3 bnsingle.py nn_comments_bins/nco-5.0.6/src/nco/.libs/libnco-5.0.6.so 0x598f0
• [x] python3 bnsingle.py nn_comments_bins/nmap-7.92+dfsg2/nmap 0x9e490
• [x] python3 bnsingle.py nn_comments_bins/octave-stk-2.6.1/inst/x86_64-pc-linux-gnu-api-v56/stk_dominatedhv_mex.mex 0x2f40
• [x] python3 bnsingle.py nn_comments_bins/ogre-1.9-1.9.0+dfsg1/obj-x86_64-linux-gnu/lib/libOgreMain.so.1.9.0 0x3247b0
• [x] python3 bnsingle.py nn_comments_bins/openarena-0.8.8+dfsg/build/server/missionpack/qagamex86_64.so 0x99d1c
• [x] python3 bnsingle.py nn_comments_bins/opencv-4.5.4+dfsg/obj-x86_64-linux-gnu/lib/libopencv_ximgproc.so.4.5.4d 0x5e900
• [ ] python3 bnsingle.py nn_comments_bins/opengrm-ngram-1.3.2/src/bin/.libs/ngramapply 0x17070
• [x] python3 bnsingle.py nn_comments_bins/openmpi-4.1.2/debian/tmp/usr/lib/x86_64-linux-gnu/openmpi/lib/openmpi3/mca_topo_treematch.so 0xf5c0
• [x] python3 bnsingle.py nn_comments_bins/openmw-0.47.0/debian/tmp/usr/games/openmw 0x52f6e0
• [x] python3 bnsingle.py nn_comments_bins/performous-1.1+git20181118/obj-x86_64-linux-gnu/performous 0x189620
• [x] python3 bnsingle.py nn_comments_bins/pfstools-2.2.0/obj-x86_64-linux-gnu/src/pfsglview/pfsglview 0xf170
• [x] python3 bnsingle.py nn_comments_bins/piglit-0~git20220119-124bca3c9/obj-x86_64-linux-gnu/lib/libpiglitutil_gles3.so.0 0x1891d0
• [x] python3 bnsingle.py nn_comments_bins/porg-0.10/porg/porg 0xc380
• [x] python3 bnsingle.py nn_comments_bins/postgis-3.2.0+dfsg/postgis/postgis-3.so 0x34ca0
• [x] python3 bnsingle.py nn_comments_bins/previsat-3.5.1.7+dfsg1/PreviSat 0x1135c0
• [x] python3 bnsingle.py nn_comments_bins/qimgv-1.0.2/obj-x86_64-linux-gnu/qimgv/qimgv 0x1128e0
• [x] python3 bnsingle.py nn_comments_bins/qosmic-1.6.0/qosmic 0x10e1c0
• [x] python3 bnsingle.py nn_comments_bins/repsnapper-2.5a5/repsnapper 0x91990
• [x] python3 bnsingle.py nn_comments_bins/ruby-ferret-0.11.8.7/debian/ruby-ferret/usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/2.7.0/ferret_ext.so 0x974f0
• [x] python3 bnsingle.py nn_comments_bins/scikit-learn-1.0.1/debian/tmp/usr/lib/python3.9/dist-packages/sklearn/ensemble/_hist_gradient_boosting/splitting.cpython-39-x86_64-linux-gnu.so 0xa260
• [x] python3 bnsingle.py nn_comments_bins/scribus-1.5.8+dfsg/obj-x86_64-linux-gnu/scribus/scribus 0x840860
• [x] python3 bnsingle.py nn_comments_bins/sdpa-7.3.15+dfsg/sdpa 0x84eb0
• [x] python3 bnsingle.py nn_comments_bins/segemehl-0.3.4/segemehl 0x73260
• [x] python3 bnsingle.py nn_comments_bins/shapelib-1.5.0/.libs/libshp.so.2.1.0 0xb580
• [x] python3 bnsingle.py nn_comments_bins/shelxle-1.0.1346/shelxle 0x5e6e0
• [x] python3 bnsingle.py nn_comments_bins/siconos-4.3.1+dfsg/obj-x86_64-linux-gnu/numerics/libsiconos_numerics.so.6.0.0 0x4b010
• [x] python3 bnsingle.py nn_comments_bins/sinfo-0.0.48/libsinfometer/.libs/libsinfometer-0.0.48.so 0x9a60
• [x] python3 bnsingle.py nn_comments_bins/stacks-2.60+dfsg/gstacks 0x96280
• [x] python3 bnsingle.py nn_comments_bins/sumo-1.8.0+dfsg2/debian/tmp/usr/lib/python3.9/site-packages/libsumo/_libsumo.so 0x5f8a30
• [x] python3 bnsingle.py nn_comments_bins/sweed-3.2.1+dfsg/SweeD 0xe6a0
• [x] python3 bnsingle.py nn_comments_bins/tandem-mass-201702011/bin/tandem 0x1b1c0
• [x] python3 bnsingle.py nn_comments_bins/therion-6.0.4/debian/tmp/usr/bin/therion 0xd85a0
• [x] python3 bnsingle.py nn_comments_bins/travis-210521/exe/travis 0x121ee0
• [x] python3 bnsingle.py nn_comments_bins/twinkle-1.10.2+dfsg/obj-x86_64-linux-gnu/src/twinkle-console 0x1aaa80
• [x] python3 bnsingle.py nn_comments_bins/ugene-40.1+dfsg/src/_release/libU2Algorithm.so 0xc9160
• [x] python3 bnsingle.py nn_comments_bins/viruskiller-1.03-1+dfsg1/viruskiller 0x66e0
• [x] python3 bnsingle.py nn_comments_bins/xbubble-0.5.11.2/src/pathinit 0x12c0
• [x] python3 bnsingle.py nn_comments_bins/yorick-2.2.04+dfsg1/mpy.mpich2/mpy.mpich2 0xaff30
• [x] python3 bnsingle.py nn_comments_bins/yorick-optimpack-1.3.2+dfsg+1.4.0/optimpack1/yorick/OptimPack1.so 0x38a0
• [x] python3 bnsingle.py nn_comments_bins/yt-4.0.1/.pybuild/cpython3_3.9_yt/build/yt/geometry/selection_routines.cpython-39-x86_64-linux-gnu.so 0x15fb0
• [x] python3 bnsingle.py nn_comments_bins/yudit-3.0.7/gui/yudit 0xf66c0
• [x] python3 bnsingle.py nn_comments_bins/zoneminder-1.36.12+dfsg1/dbuild/src/zm_rtsp_server 0x3d610

FWIW, my repro step was to simply add an extra print at the end and if I saw that print assume there was no crash. Let me know if you forsee any problems with that

[psifertex]

I mentioned it elsewhere but for anyone else tracking it, that only one left unchecked is likely an invalid function anyway? The offset aligns with a mangled string name it looks like.

[psifertex]

Not sure if you've had a chance to re-run this with recent dev builds, curious if you've been able to reproduce what we're seeing as all these being resolved.