search

Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License
900 stars 204 forks source link

Crashes when trying to load a Linux Kernel Module (*.ko file). #4682

Closed tur11ng closed 11 months ago

tur11ng commented 11 months ago

Version and Platform (required):

The bug is mainly stated in the title. I tried opening a modified version of the Diamorphine rootkit (seen in HackTheBox's CyberPsychosis challenge) and it completely crashed the application.

xusheng6 commented 11 months ago

Link to the challenge: https://app.hackthebox.com/challenges/cyberpsychosis. I think this is a recent regression since I have opened the file in BN 1-2 months ago and it works fine

xusheng6 commented 11 months ago

The crash is caused by the dwarf import plugin

rust stack trace:

thread '<unnamed>' panicked at 'assertion failed: depth >= 0', examples/dwarf/dwarf_import/src/lib.rs:66:13
stack backtrace:
   0: rust_begin_unwind
             at /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/std/src/panicking.rs:575:5
   1: core::panicking::panic_fmt
             at /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panicking.rs:65:14
   2: core::panicking::panic
             at /rustc/69f9c33d71c871fc16ac445211281c6e7a340943/library/core/src/panicking.rs:115:5
   3: <dwarf_import::DWARFParser as binaryninja::debuginfo::CustomDebugInfoParser>::parse_info
   4: std::panicking::try
   5: binaryninja::debuginfo::DebugInfoParser::register::cb_parse_info
   6: _ZNKSt3__110__function12__value_funcIFbPvP11BNDebugInfoP12BNBinaryViewS6_PFbS2_mmES2_EEclB7v160006EOS2_OS4_OS6_SD_OS8_SB_
             at /Library/Developer/CommandLineTools/SDKs/MacOSX14.0.sdk/usr/include/c++/v1/__functional/function.h:510:16
   7: _ZNKSt3__18functionIFbPvP11BNDebugInfoP12BNBinaryViewS5_PFbS1_mmES1_EEclES1_S3_S5_S5_S7_S1_
             at /Library/Developer/CommandLineTools/SDKs/MacOSX14.0.sdk/usr/include/c++/v1/__functional/function.h:1156:12
   8: _ZNK15BinaryNinjaCore22DebugInfoParserWrapper14ParseDebugInfoENS_3RefINS_9DebugInfoEEENS1_INS_10BinaryViewEEES5_NSt3__18functionIFbmmEEE
             at /Users/xusheng/binaryninja/core/debuginfo.cpp:1140:11

Might be an issue with the Rust API?

ElykDeer commented 11 months ago

After thinking about this for some time, I've decided to fix the crash and call this an "upstream bug." The root-cause here is that gimli (the library we use to parse DWARF) is encountering an entry in the DWARF debug tree with an unknown attribute. It's unclear to me whether this is caused by some sort of custom debug info generator or file corruption, but if we see more cases like these down the line and it turns out to be the former, we can explore what would need to be done to support that.

For now, it will print "DWARF information is seriously malformed. Aborting parsing." and discard any DWARF information. Handling arbitrary "corrupt" nodes would have wide-spread implications for the DWARF parser, and I'm going to keep this issue closed until we can collect additional samples like this that we can say for certain aren't caused by file corruption.

Regardless, you should be able to analyze this file now, and thank you for the report!

tur11ng commented 10 months ago

After thinking about this for some time, I've decided to fix the crash and call this an "upstream bug." The root-cause here is that gimli (the library we use to parse DWARF) is encountering an entry in the DWARF debug tree with an unknown attribute. It's unclear to me whether this is caused by some sort of custom debug info generator or file corruption, but if we see more cases like these down the line and it turns out to be the former, we can explore what would need to be done to support that.

For now, it will print "DWARF information is seriously malformed. Aborting parsing." and discard any DWARF information. Handling arbitrary "corrupt" nodes would have wide-spread implications for the DWARF parser, and I'm going to keep this issue closed until we can collect additional samples like this that we can say for certain aren't caused by file corruption.

Regardless, you should be able to analyze this file now, and thank you for the report!

Diamorphine's source code can be found publicly available here. You can try compiling it yourself and try parsing it with the old version and see what happens. I now have updated my instance and cannot have access to the old version (or at least I don't know how). Thanks you for your time and effort!