rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

RISC-V 32: Crash when trying to display disassembly code #4577

Open ghostiam opened 1 month ago

ghostiam commented 1 month ago

Environment information

Describe the bug

Crash when trying to display disassembly code.

MacOS report

```
-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               cutter [75863]
Path:                  /Applications/Cutter.app/Contents/MacOS/cutter
Identifier:            re.rizin.cutter
Version:               2.3.4-stable-209c26b (2.3.4-stable-209c26b)
Code Type:             ARM-64 (Native)
Parent Process:        launchd [1]
User ID:               501

Date/Time:             2024-07-24 23:23:32.0016 +0400
OS Version:            macOS 14.5 (23F79)
Report Version:        12
Anonymous UUID:        5BC71BD9-F14A-2CB9-7C3A-A5EA18D4D253
Sleep/Wake UUID:       FF657A00-3D1F-4900-8568-BBFC9479AF65

Time Awake Since Boot: 1800000 seconds
Time Since Wake:       114638 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes:       0x0000000000000001, 0x0000000000000000

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [75863]

VM Region Info: 0 is not in any region.  Bytes before following region: 4307992576
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  __TEXT                      100c6c000-100f84000    [ 3168K] r-x/r-x SM=COW  /Applications/Cutter.app/Contents/MacOS/cutter

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      0x1848393c8 _platform_strstr + 32
1   librz_core.0.7.dylib          0x101fdd6cc ds_print_ptr + 2636
2   librz_core.0.7.dylib          0x101fd8a84 rz_core_print_disasm + 14536
3   cutter                        0x100ccf084 0x100c6c000 + 405636
4   cutter                        0x100cce59c 0x100c6c000 + 402844
5   cutter                        0x100cce1c0 0x100c6c000 + 401856
6   QtCore                        0x103d300ec 0x103b28000 + 2130156
7   cutter                        0x100c7bab8 CutterSeekable::seekableSeekChanged(unsigned long long, CutterCore::SeekHistoryType) + 72
8   QtCore                        0x103d300ec 0x103b28000 + 2130156
9   cutter                        0x100c7eaf0 CutterCore::seekChanged(unsigned long long, CutterCore::SeekHistoryType) + 72
10  cutter                        0x100c9abd8 CutterCore::seek(unsigned long long) + 140
11  cutter                        0x100c99ebc CutterCore::seekAndShow(unsigned long long) + 20
12  QtCore                        0x103d300ec 0x103b28000 + 2130156
13  QtWidgets                     0x10271d99c QAbstractItemView::activated(QModelIndex const&) + 52
14  QtWidgets                     0x10278a16c QTreeView::mouseDoubleClickEvent(QMouseEvent*) + 868
15  QtWidgets                     0x10250ea1c QWidget::event(QEvent*) + 128
16  QtWidgets                     0x1025a31e0 QFrame::event(QEvent*) + 56
17  QtWidgets                     0x10271c450 QAbstractItemView::viewportEvent(QEvent*) + 1124
18  QtWidgets                     0x102786cec QTreeView::viewportEvent(QEvent*) + 500
19  QtCore                        0x103d0015c QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) + 264
20  QtWidgets                     0x1024d8d58 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 260
21  QtWidgets                     0x1024db6a4 QApplication::notify(QObject*, QEvent*) + 6072
22  QtCore                        0x103cffe44 QCoreApplication::notifyInternal2(QObject*, QEvent*) + 208
23  QtWidgets                     0x1024d96dc QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer&, bool, bool) + 968
24  QtWidgets                     0x10252c250 0x1024c8000 + 410192
25  QtWidgets                     0x10252b280 0x1024c8000 + 406144
26  QtWidgets                     0x1024d8d78 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 292
27  QtWidgets                     0x1024da110 QApplication::notify(QObject*, QEvent*) + 548
28  QtCore                        0x103cffe44 QCoreApplication::notifyInternal2(QObject*, QEvent*) + 208
29  QtGui                         0x10300b23c QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) + 4436
30  QtGui                         0x102ff0558 QWindowSystemInterface::sendWindowSystemEvents(QFlags) + 248
31  libqcocoa.dylib               0x101292d58 0x10125c000 + 224600
32  CoreFoundation                0x1848ea4d8 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
33  CoreFoundation                0x1848ea46c __CFRunLoopDoSource0 + 176
34  CoreFoundation                0x1848ea1dc __CFRunLoopDoSources0 + 244
35  CoreFoundation                0x1848e8dc8 __CFRunLoopRun + 828
36  CoreFoundation                0x1848e8434 CFRunLoopRunSpecific + 608
37  HIToolbox                     0x18f08c19c RunCurrentEventLoopInMode + 292
38  HIToolbox                     0x18f08be2c ReceiveNextEventCommon + 220
39  HIToolbox                     0x18f08bd30 _BlockUntilNextEventMatchingListInModeWithFilter + 76
40  AppKit                        0x188147d68 _DPSNextEvent + 660
41  AppKit                        0x18893d808 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 700
42  AppKit                        0x18813b09c -[NSApplication run] + 476
43  libqcocoa.dylib               0x101291b6c 0x10125c000 + 220012
44  QtCore                        0x103cfbf1c QEventLoop::exec(QFlags) + 524
45  QtCore                        0x103d00470 QCoreApplication::exec() + 132
46  cutter                        0x100c947c0 0x100c6c000 + 165824
47  dyld                          0x1844820e0 start + 2360
```

To Reproduce

Steps to reproduce the behavior:

  1. Open file: blink-crash.elf from blink.zip

  2. Try to open the function blink.copy_data

Expected behavior

Show disassembly code.

Additional context

If I remove the copy_data function, then the crash does not occur (file blink-no-copy_data.elf in the archive).

ghostiam commented 1 month ago

The crash occurs because the realname field is NULL.

https://github.com/rizinorg/rizin/blob/706a6bf6c20f089f56d21fbb1e89b5afa6e02253/librz/core/disasm.c#L4076

I also have another file that also causes a crash, but in a different place, where the realname field is also to blame. https://github.com/rizinorg/rizin/blob/e4958fc146cffe60d194b070075d9a53938800e4/librz/core/canalysis.c#L5696

This quick fix helped (but I'm not sure it's correct):

diff --git a/librz/flag/flag.c b/librz/flag/flag.c
index 1baee1dff6..84367de61d 100644
--- a/librz/flag/flag.c
+++ b/librz/flag/flag.c
@@ -680,7 +680,7 @@ RZ_API void rz_flag_item_set_comment(RzFlagItem *item, const char *comment) {
 RZ_API void rz_flag_item_set_realname(RzFlagItem *item, const char *realname) {
        rz_return_if_fail(item);
        free_item_realname(item);
-       item->realname = RZ_STR_ISEMPTY(realname) ? NULL : strdup(realname);
+       item->realname = RZ_STR_ISEMPTY(realname) ? item->name : strdup(realname);
 }

 /* add/replace/remove the color of a flag item */
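Review bot: the `+` line stores `item->name` itself in `item->realname` whenever the new realname is empty, but `free_item_realname(item)` two lines above frees whatever `realname` points to, so the next `rz_flag_item_set_realname()` call on the same item would free `item->name` through that alias (trading the NULL dereference seen in `_platform_strstr` / `ds_print_ptr` for a double free or use-after-free). If the fallback is to live in this setter it must be a copy, e.g. `item->realname = RZ_STR_ISEMPTY(realname) ? strdup(item->name) : strdup(realname);`; otherwise keep `NULL` as the "unset" value and make the two consumers linked above (`disasm.c`, `canalysis.c`) fall back to `item->name` before passing the string to `strstr()`.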
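A minimal model of the NULL-realname problem discussed in the comment above, added here as an example and not rizin's own code. The `FlagItem` struct, the function names and the sample flag name are assumptions standing in for `RzFlagItem` and its accessors. It shows the two properties a fix needs: the consumer falls back to `name` when `realname` is unset instead of passing NULL to `strstr()`, and `realname` is always an owned copy rather than an alias of `name`, so clearing it can never free `name`.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for RzFlagItem, reduced to the two fields that
 * matter for this crash. Both strings are owned by the item. */
typedef struct {
    char *name;     /* always set */
    char *realname; /* optional; NULL means "no realname" */
} FlagItem;

/* Portable strdup (strdup is POSIX, not ISO C). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static bool str_is_empty(const char *s) {
    return s == NULL || *s == '\0';
}

FlagItem *flag_item_new(const char *name) {
    FlagItem *it = calloc(1, sizeof(*it));
    if (!it) return NULL;
    it->name = dup_str(name);
    if (!it->name) { free(it); return NULL; }
    return it;
}

/* Same contract as the upstream setter: an empty or NULL realname clears the
 * field. The stored value is always an owned copy, never an alias of
 * it->name, so freeing realname can never free name. */
void flag_item_set_realname(FlagItem *it, const char *realname) {
    free(it->realname);
    it->realname = str_is_empty(realname) ? NULL : dup_str(realname);
}

/* The NULL case is handled at the consumer: fall back to name instead of
 * handing a NULL pointer to strstr(). */
const char *flag_item_display_name(const FlagItem *it) {
    return it->realname ? it->realname : it->name;
}

/* Example consumer: the kind of substring check that dereferenced NULL. */
bool flag_item_name_contains(const FlagItem *it, const char *needle) {
    return strstr(flag_item_display_name(it), needle) != NULL;
}

void flag_item_free(FlagItem *it) {
    if (!it) return;
    free(it->realname);
    free(it->name);
    free(it);
}

/* Walks the scenario from the report: a flag with no realname, then with one,
 * then cleared again. Returns 0 on success or the number of the failed step. */
int demo(void) {
    FlagItem *it = flag_item_new("blink.copy_data"); /* constructed sample */
    if (!it) return 1;
    int rc = 0;
    if (strcmp(flag_item_display_name(it), "blink.copy_data") != 0) rc = 2;
    else if (!flag_item_name_contains(it, "copy_data")) rc = 3;
    flag_item_set_realname(it, "copy_data");
    if (!rc && strcmp(flag_item_display_name(it), "copy_data") != 0) rc = 4;
    flag_item_set_realname(it, ""); /* clears; frees only the copy */
    if (!rc && strcmp(flag_item_display_name(it), "blink.copy_data") != 0) rc = 5;
    flag_item_free(it); /* no double free: realname was never an alias */
    return rc;
}
```

`demo()` exercises the same sequence a flag goes through in the report (no realname, realname set, realname cleared) and returns 0 only if every lookup resolved to a non-NULL string; running it under ASan or valgrind confirms that clearing the realname frees only the copy.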

XVilka commented 1 month ago
  1. Crash should be fixed regardless but
  2. Please keep in mind that the RISC-V support in Rizin is outdated. We have a GSoC student @moste00 working on updating it first in Capstone and then in Rizin itself. See https://rizin.re/posts/gsoc-2024-announcement/#moste00-uplifting-risc-v-instructions-to-rzil for more details (also https://github.com/capstone-engine/capstone/issues/2015)