rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

`double free or corruption (fasttop)` if analysing unstripped binary #1982

Closed JCWasmx86 closed 2 years ago

JCWasmx86 commented 2 years ago

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Fedora x86_64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86/64 |
| rizin -v full output, not truncated (mandatory) | rizin 0.4.0-git @ linux-x86-64 commit: 081ebe728f368fb91749b7898dfefba82132ee9f, build: 2021-11-15__07:03:54 |

Expected behavior

rizin doesn't crash

Actual behavior

rizin crashes with:

Cannot find base type "allocator"mation.
Cannot find base type "allocator"
Cannot find base type "_Sp_alloc_shared_tag"
Cannot find base type "_Sp_alloc_shared_tag"
Cannot find base type "allocator"
WARNING: (../librz/type/type.c:790):rz_type_db_get_bitsize: code should not be reached
WARNING: rz_type_is_strictly_atomic: assertion 'type->identifier.name' failed (line 357)
WARNING: rz_type_db_get_base_type: assertion 'typedb && name' failed (line 35)
double free or corruption (fasttop)
Aborted

Steps to reproduce the behavior

$ rizin money_watch_non_stripped
[0x004091b0]> aaaaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[Cannot find base type "allocator"mation.
Cannot find base type "allocator"
Cannot find base type "_Sp_alloc_shared_tag"
Cannot find base type "_Sp_alloc_shared_tag"
Cannot find base type "allocator"
WARNING: (../librz/type/type.c:790):rz_type_db_get_bitsize: code should not be reached
WARNING: rz_type_is_strictly_atomic: assertion 'type->identifier.name' failed (line 357)
WARNING: rz_type_db_get_base_type: assertion 'typedb && name' failed (line 35)
double free or corruption (fasttop)
Aborted

The stripped binary doesn't make rizin crash.

Additional Logs, screenshots, source code, configuration dump, ...

GDB Backtrace:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7cd28a4 in __GI_abort () at abort.c:79
#2  0x00007ffff7d2ba97 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7e3c7fc "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7d3370c in malloc_printerr (str=str@entry=0x7ffff7e3ec48 "double free or corruption (fasttop)") at malloc.c:5628
#4  0x00007ffff7d34c33 in _int_free (av=0x7ffff7e6fa00 <main_arena>, p=0x221fc70, have_lock=0) at malloc.c:4498
#5  0x00007ffff7d387c8 in __GI___libc_free (mem=<optimized out>) at malloc.c:3309
#6  0x00007ffff6d54278 in rz_analysis_dwarf_integrate_functions (analysis=<optimized out>, flags=0x4503e0, dwarf_sdb=dwarf_sdb@entry=0xf7e580) at ../librz/analysis/dwarf_process.c:1708
#7  0x00007ffff69213d1 in rz_core_analysis_everything (core=core@entry=0x7ffff66bf010, experimental=<optimized out>, dh_orig=dh_orig@entry=0x0) at ../librz/core/canalysis.c:6758
#8  0x00007ffff69e2f32 in cmd_analysis_all (input=0xaff642 "aaaa", core=0x7ffff66bf010) at ../librz/core/cmd/cmd_analysis.c:7478
#9  rz_cmd_analysis (data=0x7ffff66bf010, input=0xaff641 "aaaaa") at ../librz/core/cmd/cmd_analysis.c:8423
#10 0x00007ffff69fd250 in call_cd (args=<optimized out>, cd=0x45f5f0, cmd=<optimized out>) at ../librz/core/cmd/cmd_api.c:753
#11 rz_cmd_call_parsed_args (cmd=0x457010, args=args@entry=0xaff5d0) at ../librz/core/cmd/cmd_api.c:768
#12 0x00007ffff69f3508 in handle_ts_arged_stmt_internal (node_string=0xaff590 "aaaaaa", node=..., state=0x7fffffffd970) at ../librz/core/cmd/cmd.c:3981
#13 handle_ts_arged_stmt (state=0x7fffffffd970, node=...) at ../librz/core/cmd/cmd.c:3929
#14 0x00007ffff698de89 in handle_ts_stmt (state=state@entry=0x7fffffffd970, node=...) at ../librz/core/cmd/cmd.c:5429
#15 0x00007ffff69d0b12 in handle_ts_statements_internal (node_string=0xaff570 "aaaaaa", node=..., state=0x7fffffffd970) at ../librz/core/cmd/cmd.c:5486
#16 handle_ts_statements (state=state@entry=0x7fffffffd970, node=...) at ../librz/core/cmd/cmd.c:5451
#17 0x00007ffff69d0efb in core_cmd_tsrzcmd (core=0x7fffffffd988, cstr=<optimized out>, split_lines=split_lines@entry=false, log=log@entry=true) at ../librz/core/cmd/cmd.c:5594
#18 0x00007ffff69c3d3e in rz_core_cmd (core=core@entry=0x7ffff66bf010, cstr=0xafec10 "aaaaaa", log=log@entry=1) at ../librz/core/cmd/cmd.c:5643
#19 0x00007ffff69513ab in rz_core_prompt_exec (r=r@entry=0x7ffff66bf010) at ../librz/core/core.c:2838
#20 0x00007ffff6951a3e in rz_core_prompt_loop (r=r@entry=0x7ffff66bf010) at ../librz/core/core.c:2689
#21 0x00007ffff7eb15ad in rz_main_rizin (argc=<optimized out>, argv=<optimized out>) at ../librz/main/rizin.c:1370
#22 0x00007ffff7cd3b75 in __libc_start_main (main=0x401100 <main>, argc=2, argv=0x7fffffffdd08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdcf8) at ../csu/libc-start.c:332
#23 0x000000000040149e in _start ()

binaries.zip

ret2libc commented 2 years ago

If anyone wants to give this a shot, this is the ASAN trace (commit 5d42d9d1636c165083eeb7348e4beba4bfbb48f2):

=================================================================                                                                                                                             
==14852==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300135cca0 at pc 0x7f45dc466938 bp 0x7ffd9f8b0f10 sp 0x7ffd9f8b0f08                                                      
READ of size 4 at 0x60300135cca0 thread T0                                                                                                                                                    
    #0 0x7f45dc466937 in rz_type_clone ../librz/type/type.c:1170                                                                                                                              
    #1 0x7f45e1f24c91 in var_type_clone_or_default_type ../librz/analysis/var.c:25                                                                                                            
    #2 0x7f45e1f26f7e in rz_analysis_function_set_var ../librz/analysis/var.c:161                                                                                                             
    #3 0x7f45e1f228bb in rz_analysis_dwarf_integrate_functions ../librz/analysis/dwarf_process.c:1706                                                                                         
    #4 0x7f45dd59e960 in rz_core_analysis_everything ../librz/core/canalysis.c:6758                                                                                                           
    #5 0x7f45dd93634e in cmd_analysis_all ../librz/core/cmd/cmd_analysis.c:7439                                                                                                               
    #6 0x7f45dd940b5d in rz_cmd_analysis ../librz/core/cmd/cmd_analysis.c:8384                                                                                                                
    #7 0x7f45ddaa5433 in call_cd ../librz/core/cmd/cmd_api.c:753                                                                                                                              
    #8 0x7f45ddaa54f0 in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:768                                                                                                              
    #9 0x7f45dda757f4 in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3981                                                                                                           
    #10 0x7f45dda74690 in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3929                                                                                                                   
    #11 0x7f45dda9287c in handle_ts_stmt ../librz/core/cmd/cmd.c:5429                                                                                                                         
    #12 0x7f45dda93fe9 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5486                                                                                                          
    #13 0x7f45dda93114 in handle_ts_statements ../librz/core/cmd/cmd.c:5451                                                                                                                   
    #14 0x7f45dda953c5 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5594                                                                                                                       
    #15 0x7f45dda95d33 in rz_core_cmd ../librz/core/cmd/cmd.c:5643                                                                                                                            
    #16 0x7f45dd6d3402 in rz_core_prompt_exec ../librz/core/core.c:2838                                                                                                                       
    #17 0x7f45dd6d0d0f in rz_core_prompt_loop ../librz/core/core.c:2689                                                                                                                       
    #18 0x7f45eadce673 in rz_main_rizin ../librz/main/rizin.c:1370                                                                                                                            
    #19 0x401a6b in main ../binrz/rizin/rizin.c:57                                                                                                                                            
    #20 0x7f45ea1feb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)                                                                                                                        
    #21 0x4011dd in _start (/home/rschiron/projects/rizinorg/rizin/build-dev/binrz/rizin/rizin+0x4011dd)                                                                                      

0x60300135cca0 is located 0 bytes inside of 32-byte region [0x60300135cca0,0x60300135ccc0)                                                                                                    
freed by thread T0 here:                                                                                                                                                                      
    #0 0x7f45ebc3d647 in free (/lib64/libasan.so.6+0xae647)                                                                                                                                   
    #1 0x7f45dc47cd98 in parse_type_abstract_declarator_node ../librz/type/parser/types_parser.c:1352                                                                                         
    #2 0x7f45dc481a45 in parse_type_descriptor_single ../librz/type/parser/types_parser.c:1774                                                                                                
    #3 0x7f45dc46d9f7 in rz_type_parse_string_single ../librz/type/parser/c_cpp_parser.c:354                           
    #4 0x7f45e1f22181 in rz_analysis_dwarf_integrate_functions ../librz/analysis/dwarf_process.c:1684                                                                                                                                         
    #5 0x7f45dd59e960 in rz_core_analysis_everything ../librz/core/canalysis.c:6758                                    
    #6 0x7f45dd93634e in cmd_analysis_all ../librz/core/cmd/cmd_analysis.c:7439                                        
    #7 0x7f45dd940b5d in rz_cmd_analysis ../librz/core/cmd/cmd_analysis.c:8384                                         
    #8 0x7f45ddaa5433 in call_cd ../librz/core/cmd/cmd_api.c:753                                                       
    #9 0x7f45ddaa54f0 in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:768                                       
    #10 0x7f45dda757f4 in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3981                                   
    #11 0x7f45dda74690 in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3929                                            
    #12 0x7f45dda9287c in handle_ts_stmt ../librz/core/cmd/cmd.c:5429                                                  
    #13 0x7f45dda93fe9 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5486                                   
    #14 0x7f45dda93114 in handle_ts_statements ../librz/core/cmd/cmd.c:5451                                            
    #15 0x7f45dda953c5 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5594                                                
    #16 0x7f45dda95d33 in rz_core_cmd ../librz/core/cmd/cmd.c:5643                                                     
    #17 0x7f45dd6d3402 in rz_core_prompt_exec ../librz/core/core.c:2838                                                
    #18 0x7f45dd6d0d0f in rz_core_prompt_loop ../librz/core/core.c:2689                                                
    #19 0x7f45eadce673 in rz_main_rizin ../librz/main/rizin.c:1370                                                     
    #20 0x401a6b in main ../binrz/rizin/rizin.c:57                                                                     
    #21 0x7f45ea1feb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)                                                 

previously allocated by thread T0 here:                    
    #0 0x7f45ebc3daf7 in calloc (/lib64/libasan.so.6+0xaeaf7)                                                          
    #1 0x7f45dc47c926 in parse_type_abstract_declarator_node ../librz/type/parser/types_parser.c:1332                                                                                                                                         
    #2 0x7f45dc481a45 in parse_type_descriptor_single ../librz/type/parser/types_parser.c:1774                         
    #3 0x7f45dc46d9f7 in rz_type_parse_string_single ../librz/type/parser/c_cpp_parser.c:354                           
    #4 0x7f45e1f22181 in rz_analysis_dwarf_integrate_functions ../librz/analysis/dwarf_process.c:1684                                                                                                                                         
    #5 0x7f45dd59e960 in rz_core_analysis_everything ../librz/core/canalysis.c:6758                                    
    #6 0x7f45dd93634e in cmd_analysis_all ../librz/core/cmd/cmd_analysis.c:7439                                        
    #7 0x7f45dd940b5d in rz_cmd_analysis ../librz/core/cmd/cmd_analysis.c:8384                                         
    #8 0x7f45ddaa5433 in call_cd ../librz/core/cmd/cmd_api.c:753                                                       
    #9 0x7f45ddaa54f0 in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:768                                       
    #10 0x7f45dda757f4 in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3981                                   
    #11 0x7f45dda74690 in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3929                                            
    #12 0x7f45dda9287c in handle_ts_stmt ../librz/core/cmd/cmd.c:5429                                                  
    #13 0x7f45dda93fe9 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5486                                   
    #14 0x7f45dda93114 in handle_ts_statements ../librz/core/cmd/cmd.c:5451                                            
    #15 0x7f45dda953c5 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5594                                                
    #16 0x7f45dda95d33 in rz_core_cmd ../librz/core/cmd/cmd.c:5643                                                     
    #17 0x7f45dd6d3402 in rz_core_prompt_exec ../librz/core/core.c:2838                                                
    #18 0x7f45dd6d0d0f in rz_core_prompt_loop ../librz/core/core.c:2689                                                
    #19 0x7f45eadce673 in rz_main_rizin ../librz/main/rizin.c:1370                                                     
    #20 0x401a6b in main ../binrz/rizin/rizin.c:57                                                                     
    #21 0x7f45ea1feb74 in __libc_start_main (/lib64/libc.so.6+0x27b74)                                                 

SUMMARY: AddressSanitizer: heap-use-after-free ../librz/type/type.c:1170 in rz_type_clone                              
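Reading a report like the one above means separating its three stacks: where the freed memory was read (`rz_type_clone`), where it was freed (`parse_type_abstract_declarator_node` at line 1352) and where it was allocated (the same function at line 1332). The helper below is an added triage example, not code from this issue or from rizin: it splits an AddressSanitizer heap-use-after-free report into those stacks and returns the first frame of each that lies inside the project tree. The embedded sample is a shortened excerpt of the trace in this comment, and the `librz/` project marker is an assumption about this repository's layout.

```python
import re

# Shortened excerpt of the ASan report from this issue, embedded so the helper runs offline.
SAMPLE_REPORT = """\
==14852==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300135cca0 at pc 0x7f45dc466938 bp 0x7ffd9f8b0f10 sp 0x7ffd9f8b0f08
READ of size 4 at 0x60300135cca0 thread T0
    #0 0x7f45dc466937 in rz_type_clone ../librz/type/type.c:1170
    #1 0x7f45e1f24c91 in var_type_clone_or_default_type ../librz/analysis/var.c:25

0x60300135cca0 is located 0 bytes inside of 32-byte region [0x60300135cca0,0x60300135ccc0)
freed by thread T0 here:
    #0 0x7f45ebc3d647 in free (/lib64/libasan.so.6+0xae647)
    #1 0x7f45dc47cd98 in parse_type_abstract_declarator_node ../librz/type/parser/types_parser.c:1352

previously allocated by thread T0 here:
    #0 0x7f45ebc3daf7 in calloc (/lib64/libasan.so.6+0xaeaf7)
    #1 0x7f45dc47c926 in parse_type_abstract_declarator_node ../librz/type/parser/types_parser.c:1332

SUMMARY: AddressSanitizer: heap-use-after-free ../librz/type/type.c:1170 in rz_type_clone
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")

def split_stacks(report):
    """Collect the use, free and allocation stacks as (function, location) lists."""
    stacks = {"use": [], "free": [], "alloc": []}
    current = None
    for line in report.splitlines():
        if re.match(r"(READ|WRITE) of size", line):
            current = "use"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif not line.strip():
            current = None  # a blank line closes the current stack
        else:
            m = FRAME_RE.match(line)
            if m and current:
                stacks[current].append((m["func"], m["loc"]))
    return stacks

def first_project_frame(frames, marker="librz/"):
    """First frame inside the project tree (skips libc/libasan frames), or None."""
    return next(((f, loc) for f, loc in frames if marker in loc), None)

def triage(report, marker="librz/"):
    """Summarise an ASan report: bug kind, address and the project frame of each stack."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    stacks = split_stacks(report)
    return {"kind": m["kind"], "address": m["addr"],
            **{name: first_project_frame(frames, marker) for name, frames in stacks.items()}}
```

For this report, `triage(SAMPLE_REPORT)` points at `types_parser.c:1352` (free) and `type.c:1170` (use), which is exactly the pair of sites a fix for this issue has to reconcile.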