rizinorg / rz-silhouette

Rizin client plugin for the Rizin Silhouette Server

Segmentation Fault on rz_pvector_tail #10

Closed jdw1023 closed 4 months ago

jdw1023 commented 4 months ago

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 23.10 in docker, Arch Linux |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86-64 |
| rizin -v full output, not truncated (mandatory) | rizin 0.8.0 @ linux-x86-64 commit: 34f1a9e7b40e289cdf8e7f03c145bdbd5d41dc89 |

Expected behavior

Rizin finishes applying signatures and does not segfault in the process.

Actual behavior

Rizin Segmentation Fault on rz_pvector_tail

(gdb) r
Starting program: /usr/local/bin/rizin ./a.out
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7af44d3456c0 (LWP 9517)]
[New Thread 0x7af444b446c0 (LWP 9518)]
[New Thread 0x7af44cb446c0 (LWP 9519)]
[Thread 0x7af44cb446c0 (LWP 9519) exited]
[New Thread 0x7af447fff6c0 (LWP 9520)]
[Thread 0x7af444b446c0 (LWP 9518) exited]
[Thread 0x7af447fff6c0 (LWP 9520) exited]
[New Thread 0x7af4477fe6c0 (LWP 9521)]
[Thread 0x7af4477fe6c0 (LWP 9521) exited]
[New Thread 0x7af446ffd6c0 (LWP 9522)]
[Thread 0x7af446ffd6c0 (LWP 9522) exited]
[New Thread 0x7af4467fc6c0 (LWP 9523)]
[Thread 0x7af4467fc6c0 (LWP 9523) exited]
[New Thread 0x7af445ffb6c0 (LWP 9524)]
[Thread 0x7af445ffb6c0 (LWP 9524) exited]
[Thread 0x7af44d3456c0 (LWP 9517) exited]
 -- Disable these messages with 'e cfg.fortunes=false' in your ~/.rizinrc
[0x004016d0]> e silhouette.psk=19f5a8e7-9b4e-4f6a-83bc-6a7db5014c3d
[0x004016d0]> e silhouette.host=eu-symbols.rizin.re
[0x004016d0]> e silhouette.port=25000
[0x004016d0]> e silhouette.enable=true
[0x004016d0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls
[x] Analyze len bytes of instructions for references
[x] Check for classes
[x] Analyze local variables and arguments
[x] Type matching analysis for all functions
[x] Applied 0 FLIRT signatures via sigdb
[x] Propagate noreturn information
[x] Integrate dwarf function information.
[x] Resolve pointers to data sections
[x] Use -AA or aaaa to perform additional experimental analysis.
[[New Thread 0x7af445ffb6c0 (LWP 9525)]tte server...
[Thread 0x7af445ffb6c0 (LWP 9525) exited]

Thread 1 "rizin" received signal SIGSEGV, Segmentation fault.
0x00007af44d3fda37 in rz_pvector_tail (vec=0x5d1983224760) at /usr/local/include/librz/rz_vector.h:301
301             return ((void **)vec->v.a)[vec->v.len - 1];
(gdb) bt
#0  0x00007af44d3fda37 in rz_pvector_tail (vec=0x5d1983224760) at /usr/local/include/librz/rz_vector.h:301
#1  add_new_symbol (fcn=0x5d19833bc430, name=0x5d1983fe05e0 "method..sanitizer.ThreadSelf", core=0x5d19830cd850) at ../src/sil_client.c:321
#2  sil_apply_symbol (stats=<optimized out>, symbol=0x5d1984ab9ff0, fcn=0x5d19833bc430, core=0x5d19830cd850) at ../src/sil_client.c:353
#3  sil_signature_handle (stats=<optimized out>, func=0x5d19833bc430, core=<optimized out>, signature=<optimized out>, sil=<optimized out>) at ../src/sil_client.c:401
#4  sil_resolve_functions (sil=sil@entry=0x5d1983fe13a0, core=core@entry=0x5d19830cd850, stats=stats@entry=0x7ffc937bdc50) at ../src/sil_client.c:850
#5  0x00007af44d3feb97 in sil_plugin_analysis (core=0x5d19830cd850) at ../src/sil_plugin.c:111
#6  0x00007af44d6608ba in core_analysis_using_plugins (core=0x5d19830cd850) at ../librz/core/canalysis.c:3965
#7  rz_core_analysis_everything (core=core@entry=0x5d19830cd850, experimental=experimental@entry=false, dh_orig=dh_orig@entry=0x0) at ../librz/core/canalysis.c:4188
#8  0x00007af44d66113d in rz_core_perform_auto_analysis (core=0x5d19830cd850, type=type@entry=RZ_CORE_ANALYSIS_DEEP) at ../librz/core/canalysis.c:5997
#9  0x00007af44d729362 in rz_analyze_everything_handler (core=<optimized out>, argc=<optimized out>, argv=<optimized out>) at ../librz/core/cmd/cmd_analysis.c:6092
#10 0x00007af44d7537ec in handle_ts_arged_stmt_internal (node_string=0x5d1983383b40 "aaa", node=..., state=0x7ffc937be010) at ../librz/core/cmd/cmd.c:3556
#11 handle_ts_arged_stmt (state=0x7ffc937be010, node=...) at ../librz/core/cmd/cmd.c:3504
#12 0x00007af44d714aa0 in handle_ts_stmt (state=state@entry=0x7ffc937be010, node=...) at ../librz/core/cmd/cmd.c:5058
#13 0x00007af44d7437aa in handle_ts_statements_internal (node_string=0x5d19833838f0 "aaa", node=..., state=0x7ffc937be010) at ../librz/core/cmd/cmd.c:5115
#14 handle_ts_statements (state=state@entry=0x7ffc937be010, node=...) at ../librz/core/cmd/cmd.c:5080
#15 0x00007af44d743bfc in core_cmd_tsrzcmd (core=core@entry=0x5d19830cd850, cstr=<optimized out>, split_lines=split_lines@entry=false, log=log@entry=true) at ../librz/core/cmd/cmd.c:5227
#16 0x00007af44d743d96 in rz_core_cmd (core=core@entry=0x5d19830cd850, cstr=<optimized out>, log=log@entry=1) at ../librz/core/cmd/cmd.c:5275
#17 0x00007af44d69b99e in rz_core_prompt_exec (r=r@entry=0x5d19830cd850) at ../librz/core/core.c:1936
#18 0x00007af44d69bf06 in rz_core_prompt_loop (r=r@entry=0x5d19830cd850) at ../librz/core/core.c:1805
#19 0x00007af44f6d79c7 in rz_main_rizin (argc=<optimized out>, argv=<optimized out>) at ../librz/main/rizin.c:1456
#20 0x00007af44f4d8150 in __libc_start_call_main (main=main@entry=0x5d1981c2c1e0 <main>, argc=argc@entry=2, argv=argv@entry=0x7ffc937be808) at ../sysdeps/nptl/libc_start_call_main.h:58
#21 0x00007af44f4d8209 in __libc_start_main_impl (main=0x5d1981c2c1e0 <main>, argc=2, argv=0x7ffc937be808, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7ffc937be7f8) at ../csu/libc-start.c:360
#22 0x00005d1981c2c585 in _start ()
(gdb)

Steps to reproduce the behavior

Additional Logs, screenshots, source code, configuration dump, ...

main.c:

// main.c
#include <stdio.h>

int main(){
        printf("Hello, world!");
        return 0;
}

rz-silhouette is installed through rz-pm today (04/22/2024).

binary.zip

jdw1023 commented 4 months ago

https://github.com/rizinorg/rz-silhouette/blob/9687c9ce4018a90694316be724a5baf4775f704b/src/sil_client.c#L321-L324

Not very familiar with the Rizin codebase, but I think the issue is because the length of the symbols vector is zero when the binary is stripped. Also, should the new symbol's ordinal be that of the last symbol with bind of global and type of func, plus 1 (the last symbol might not be a bind global, type func symbol)?
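
The empty-vector read described in the comment above, as an added example that is not the plugin's or rizin's own code: a hypothetical stand-in for the pointer vector and symbol records, the unchecked tail access from the backtrace beside a guarded one, and the ordinal rule the comment proposes. The fallback ordinal of 0 when no global function symbol exists is an assumption, as are all type and field names.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the pointer vector and symbol records in the
 * report; they are not rizin's real RzPVector or symbol types. */
typedef struct { void **a; size_t len; } PVector;
typedef struct {
    const char *name;
    int is_global_func; /* models "bind global, type func" from the comment */
    uint64_t ordinal;
} Symbol;

/* Same shape as the access at rz_vector.h:301 in the backtrace: with
 * len == 0 the index wraps to SIZE_MAX and the read runs off the buffer. */
void *tail_unchecked(const PVector *vec) {
    return vec->a[vec->len - 1];
}

/* Guarded variant: an empty vector has no tail, so say so instead of
 * indexing past the end. */
void *tail_checked(const PVector *vec) {
    return (vec && vec->len > 0) ? vec->a[vec->len - 1] : NULL;
}

/* Ordinal for a symbol to be appended, following the comment: one past the
 * ordinal of the LAST global function symbol (not simply the last entry).
 * Assumption: fall back to 0 when no such symbol exists, e.g. stripped binary. */
uint64_t next_ordinal(const PVector *symbols) {
    for (size_t i = symbols->len; i > 0; i--) {
        const Symbol *s = symbols->a[i - 1];
        if (s->is_global_func) {
            return s->ordinal + 1;
        }
    }
    return 0;
}

/* Constructed sample: a global function followed by a local object, so the
 * last entry is not the one the ordinal should come from; plus an empty
 * vector standing in for the stripped ./a.out from the report. */
static Symbol sym_main = { "main", 1, 3 };
static Symbol sym_local = { "local_buf", 0, 7 };
static void *sample_syms[] = { &sym_main, &sym_local };
static const PVector sample = { sample_syms, 2 };
static const PVector stripped = { NULL, 0 };

int stripped_tail_is_null(void) { return tail_checked(&stripped) == NULL; }
uint64_t sample_next_ordinal(void) { return next_ordinal(&sample); }
uint64_t stripped_next_ordinal(void) { return next_ordinal(&stripped); }
```

Calling tail_unchecked on the empty vector is exactly the out-of-bounds read in the backtrace, so only tail_checked is exercised on it here.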

wargio commented 4 months ago

Thank you for reporting this. We did convert this plugin recently to some changes that moved some code from a list-based approach to an array-based one (for performance reasons) and it is possible that it is crashing due to something stupid like that.

wargio commented 4 months ago

This is a bug in rizin. Once that fix is merged, please try again.

wargio commented 4 months ago

This should be fixed in the latest commit of rizin (dev branch). If you can confirm, then I can close this.

jdw1023 commented 4 months ago

Thanks, the fix seems to work.