Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Memory corruption when searching #3674

Closed comex closed 1 year ago

comex commented 1 year ago

Version and Platform (required):

Bug Description: When searching for anything with 'Find all' checked, Binary Ninja usually crashes, but only on a certain database. I originally encountered this on macOS (on ARM), but reproduced it on x86_64 Linux in order to use valgrind.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Open my database. I can provide it privately if needed, but I'm kind of hoping that either it's easy to reproduce or the Valgrind logs are helpful.
  2. Search for anything with 'Find all' checked.

Valgrind logs: Run 1 Run 2 Run 3 Run 4

Search for 'Invalid write'; there are some false positive errors, but 'Invalid write' is what happens when I search.

Example:

==65305== Invalid write of size 4
==65305==    at 0x52B1956: QGraphicsEffectSource::pixmap(Qt::CoordinateSystem, QPoint*, QGraphicsEffect::PixmapPadMode) const (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x52B1A2E: QGraphicsEffect::sourcePixmap(Qt::CoordinateSystem, QPoint*, QGraphicsEffect::PixmapPadMode) const (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x52B2647: QGraphicsOpacityEffect::draw(QPainter*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5206907: QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207252: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207135: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5205B2C: QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207252: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5205B2C: QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207252: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207135: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x5207135: QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, QFlags<QWidgetPrivate::DrawWidgetFlag>, QPainter*, QWidgetRepaintManager*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==  Address 0x36fe62318 is 120 bytes inside a block of size 248 free'd
==65305==    at 0x484699B: operator delete(void*, unsigned long) (vg_replace_malloc.c:935)
==65305==    by 0xFF06379: QObject::~QObject() (in /home/comex/binja/binaryninja/libQt6Core.so.6)
==65305==    by 0x52B0EEC: QGraphicsEffectSource::~QGraphicsEffectSource() (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x52B1F6B: QGraphicsEffect::~QGraphicsEffect() (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x52B20AC: QGraphicsOpacityEffect::~QGraphicsOpacityEffect() (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x51FA81B: QWidget::setGraphicsEffect(QGraphicsEffect*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x4BF1352: Pane::setIsActivePane(bool) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF18DB: SplitPaneContainer::enumeratePanes(std::function<void (Pane*)> const&) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF1914: SplitPaneContainer::enumeratePanes(std::function<void (Pane*)> const&) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF418D: SplitPaneContainer::updateStatus() (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x20E63C: ??? (in /home/comex/binja/binaryninja/binaryninja)
==65305==    by 0x4B5A8BA: HexEditor::adjustSize(int, int) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==  Block was alloc'd at
==65305==    at 0x4843F2F: operator new(unsigned long) (vg_replace_malloc.c:422)
==65305==    by 0x51FA839: QWidget::setGraphicsEffect(QGraphicsEffect*) (in /home/comex/binja/binaryninja/libQt6Widgets.so.6)
==65305==    by 0x4BF1352: Pane::setIsActivePane(bool) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF18DB: SplitPaneContainer::enumeratePanes(std::function<void (Pane*)> const&) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF1914: SplitPaneContainer::enumeratePanes(std::function<void (Pane*)> const&) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BF418D: SplitPaneContainer::updateStatus() (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BFAA67: SplitPaneContainer::paneSplitRequested(Pane*, Qt::Edge) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x4BFB1F9: SplitPaneContainer::openForColumnCount(Pane*, Qt::Orientation, unsigned long) (in /home/comex/binja/binaryninja/libbinaryninjaui.so.1)
==65305==    by 0x204150: ??? (in /home/comex/binja/binaryninja/binaryninja)
==65305==    by 0x2125F1: ??? (in /home/comex/binja/binaryninja/binaryninja)
==65305==    by 0x21390E: ??? (in /home/comex/binja/binaryninja/binaryninja)
==65305==    by 0xFEFA216: QObject::event(QEvent*) (in /home/comex/binja/binaryninja/libQt6Core.so.6)
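
A triage helper for a trace like the one above, added here as an example that is not part of the issue or of Binary Ninja: it parses Valgrind memcheck output, keeps only the Invalid read/write records whose address lies inside a freed block (dropping the other error kinds the report calls false positives), and reports the first non-framework frame at the use, the free and the allocation. The sample log, the module paths and the library-name prefixes used to skip Qt and Valgrind frames are constructed assumptions.

```python
import re

# Constructed sample in the shape of the Valgrind record quoted above (frames abridged, paths made up).
SAMPLE_LOG = """\
==65305== Invalid write of size 4
==65305==    at 0x52B1956: QGraphicsEffectSource::pixmap(Qt::CoordinateSystem, QPoint*, QGraphicsEffect::PixmapPadMode) const (in /opt/app/libQt6Widgets.so.6)
==65305==  Address 0x36fe62318 is 120 bytes inside a block of size 248 free'd
==65305==    at 0x484699B: operator delete(void*, unsigned long) (vg_replace_malloc.c:935)
==65305==    by 0x51FA81B: QWidget::setGraphicsEffect(QGraphicsEffect*) (in /opt/app/libQt6Widgets.so.6)
==65305==    by 0x4BF1352: Pane::setIsActivePane(bool) (in /opt/app/libapp.so.1)
==65305==  Block was alloc'd at
==65305==    at 0x4843F2F: operator new(unsigned long) (vg_replace_malloc.c:422)
==65305==    by 0x4BF1352: Pane::setIsActivePane(bool) (in /opt/app/libapp.so.1)
==65305== Conditional jump or move depends on uninitialised value(s)
==65305==    at 0x1234: ??? (in /opt/app/app)
"""

HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FREED_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is \d+ bytes inside a block of size \d+ free'd")
FRAME_RE = re.compile(r"^\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*?)\s+\((?:in )?(\S+)\)$")

def parse_uaf_records(log):
    """Keep only Invalid read/write records whose address lies inside a freed block."""
    records, cur, section = [], None, None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s?", "", raw)          # strip the '==PID==' prefix
        if (m := HEADER_RE.match(line.strip())):
            cur, section = {"kind": m.group(1), "size": int(m.group(2)), "use": [], "free": [], "alloc": []}, "use"
        elif cur is not None and FREED_RE.match(line):
            section = "free"
            records.append(cur)                           # only now is it known to be a UAF
        elif cur is not None and line.strip() == "Block was alloc'd at":
            section = "alloc"
        elif cur is not None and (fm := FRAME_RE.match(line)):
            cur[section].append(fm.groups())              # (function, module path)
        else:
            cur = None                                    # other record kinds are ignored
    return records

def first_app_frame(frames, skip=("libQt", "vg_replace_malloc")):
    """First frame outside framework/allocator code (the library prefixes are assumed)."""
    for func, path in frames:
        if not path.rsplit("/", 1)[-1].startswith(skip):
            return func
    return None

def triage(log):
    # One summary per use-after-free: the application frame at the use, the free and the alloc.
    return [{"access": f"{r['kind']} of {r['size']} bytes", "use": first_app_frame(r["use"]),
             "freed_by": first_app_frame(r["free"]), "allocated_by": first_app_frame(r["alloc"])}
            for r in parse_uaf_records(log)]
```

On the sample, the use site sits entirely inside Qt's paint path while both the free and the allocation resolve to Pane::setIsActivePane(bool), which is the pattern of an effect object being replaced while a paint that still references it is in progress.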

D0ntPanic commented 1 year ago

This issue should be resolved as of build 3862. If it is not resolved, please let us know.