wargio / r2dec-js

radare2 plugin - converts asm to pseudo-C code.

Segmentation fault if calling `pdd` a second time #242

Closed JCWasmx86 closed 2 years ago

JCWasmx86 commented 2 years ago

Describe the bug

Binary to analyze: binary.zip

r2 only crashes if I do this:

$ r2 /usr/bin/ls
[0x00006b10]> aaaaaa
[0x00006b10]> pdd
[0x00006b10]> s main
[0x00004d80]> pdd
Segmentation fault(Core dumped)

but doesn't crash if I do:

$ r2 /usr/bin/ls
[0x00006b10]> aaaaaa
[0x00006b10]> s main
[0x00004d80]> pdd

But if I call pdd a second time, it crashes.

Component

Reproduce via JSON (pddi): pddi.json.zip

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7b7e7e18ff in foreach3list (core=0x7f7b7d448010, type=105 'i', glob=0x0) at cmd.c:4503
4503                    char *impflag = r_str_newf ("sym.imp.%s", imp->name);

#0  0x00007f7b7e7e18ff in foreach3list (core=0x7f7b7d448010, type=105 'i', glob=0x0) at cmd.c:4503
#1  0x00007f7b7e7e1fe2 in r_core_cmd_foreach3 (core=0x7f7b7d448010, cmd=0x55c6bae0d570 "afcfj", each=0x55c6bae0d579 "i") at cmd.c:4614
#2  0x00007f7b7e7e0985 in r_core_cmd_subst_i (core=0x7f7b7d448010, cmd=0x55c6bae0d570 "afcfj", colon=0x0, tmpseek=0x7ffedbf9d457) at cmd.c:4225
#3  0x00007f7b7e7dd44e in r_core_cmd_subst (core=0x7f7b7d448010, cmd=0x55c6bae0d570 "afcfj") at cmd.c:3236
#4  0x00007f7b7e7e3c7f in run_cmd_depth (core=0x7f7b7d448010, cmd=0x55c6bb009ae0 "afcfj @@@i") at cmd.c:5195
#5  0x00007f7b7e7e4093 in r_core_cmd (core=0x7f7b7d448010, cstr=0x55c6ba3f19a0 "afcfj @@@i", log=false) at cmd.c:5278
#6  0x00007f7b7e7e4af3 in r_core_cmd_str (core=0x7f7b7d448010, cmd=0x55c6ba3f19a0 "afcfj @@@i") at cmd.c:5492
#7  0x00007f7b7cb3c9c0 in duk_r2cmd (ctx=0x55c6bb2c8ff0) at core_pdd.c:67
#8  0x00007f7b7cafa2e4 in duk__handle_call_raw (thr=0x55c6bb2c8ff0, idx_func=<optimized out>, call_flags=<optimized out>) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_call.c:2231
#9  0x00007f7b7caea3f8 in duk_handle_call_unprotected (call_flags=8, idx_func=4, thr=0x55c6bb2c8ff0) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_call.c:2385
#10 duk__executor_handle_call (call_flags=8, nargs=1, idx=4, thr=0x55c6bb2c8ff0) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_executor.c:2655
#11 duk__js_execute_bytecode_inner (entry_thread=0x55c6bb2c8ff0, entry_act=0x55c6bc57bcd0) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_executor.c:4729
#12 0x00007f7b7caf9575 in duk_js_execute_bytecode (exec_thr=0x55c6bb2c8ff0) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_executor.c:2917
#13 0x00007f7b7cafa070 in duk__handle_call_raw (thr=0x55c6bb2c8ff0, idx_func=<optimized out>, call_flags=<optimized out>) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_js_call.c:2203
#14 0x00007f7b7cb27cfd in duk_eval_raw (thr=thr@entry=0x55c6bb2c8ff0, src_buffer=src_buffer@entry=0x7ffedbf9da50 "try{if(typeof r2dec_main == 'function'){r2dec_main(\"--issue\".split(/\\s+/));}else{console.log('Fatal error. Invalid path in R2DEC_HOME env var?');}}catch(_____e){console.log(_____e.stack||_____e);}", src_length=src_length@entry=0, flags=flags@entry=3848) at /home/user/.local/share/radare2/r2pm/git/r2dec/p/duk_api_compile.c:43
#15 0x00007f7b7cb3c563 in duk_r2dec (core=<optimized out>, input=input@entry=0x7f7b7cb42f4f "--issue") at core_pdd.c:171
#16 0x00007f7b7cb3c8bc in _cmd_pdd (input=0x55c6ba24d913 "i", core=0x7f7b7d448010) at core_pdd.c:247
#17 r_cmd_pdd (user=0x7f7b7d448010, input=0x55c6ba24d910 "pddi") at core_pdd.c:290
#18 0x00007f7b7e83a307 in r_cmd_call (cmd=0x55c6ba1682e0, input=0x55c6ba24d910 "pddi") at cmd_api.c:342
#19 0x00007f7b7e7e105d in r_core_cmd_subst_i (core=0x7f7b7d448010, cmd=0x55c6ba24d910 "pddi", colon=0x0, tmpseek=0x7ffedbf9e317) at cmd.c:4335
#20 0x00007f7b7e7dd44e in r_core_cmd_subst (core=0x7f7b7d448010, cmd=0x55c6ba24d910 "pddi") at cmd.c:3236
#21 0x00007f7b7e7e3c7f in run_cmd_depth (core=0x7f7b7d448010, cmd=0x55c6bad5b8e0 "pddi") at cmd.c:5195
#22 0x00007f7b7e7e4093 in r_core_cmd (core=0x7f7b7d448010, cstr=0x55c6ba3b9450 "pddi", log=true) at cmd.c:5278
#23 0x00007f7b7e7242e2 in r_core_prompt_exec (r=0x7f7b7d448010) at core.c:3263
#24 0x00007f7b7e72394e in r_core_prompt_loop (r=0x7f7b7d448010) at core.c:3084
#25 0x00007f7b7fdf3081 in r_main_radare2 (argc=2, argv=0x7ffedbf9e8e8) at radare2.c:1459
#26 0x000055c6b8230451 in main (argc=2, argv=0x7ffedbf9e8e8) at radare2.c:96
#27 0x00007f7b7fc29b75 in __libc_start_main (main=0x55c6b82303fa <main>, argc=2, argv=0x7ffedbf9e8e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffedbf9e8d8) at ../csu/libc-start.c:332
#28 0x000055c6b823010e in _start ()

uname -a: Linux fedora 5.14.6-xm1.0.fc34.x86_64 #1 SMP PREEMPT Mon Sep 20 12:33:06 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

r2 version:

radare2 5.4.3 26742 @ linux-x86-64 git.5.4.2
commit: 7b11df1c2087fdd1ea41ab60a1c55e911622d6d2 build: 2021-09-22__10:30:22

r2dec version: c831ce9a0c4cdf42cc3080a27463bb0ea16c41a8

wargio commented 2 years ago

This bug is not in r2dec but in radare2. @radare @trufae

JCWasmx86 commented 2 years ago

Should I reopen it in radareorg/radare2?

wargio commented 2 years ago

yes.

trufae commented 2 years ago

Fixed

JCWasmx86 commented 2 years ago

Thanks for this really quick fix!