
CVE-2021-4022: Segfault when analyzing an ELF64 for HPPA architecture #2015

Closed
OctavioGalland opened this issue Nov 23, 2021 · 9 comments · Fixed by #2031

Comments

@OctavioGalland

Work environment

With @ogianatiempo we discovered a bug which makes rizin crash when analyzing certain kind of binaries.

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 20.04 x86_64 64 |
| File format of the file you reverse (mandatory) | ELF64 |
| Architecture/bits of the file (mandatory) | HPPA |
| rizin -v full output, not truncated (mandatory) | rizin 0.4.0-git @ linux-x86-64 commit: 681de8e, build: 2021-11-23__11:49:48 |

Expected behavior

Running aaa on an ELF64 file shouldn't make rizin crash.

Actual behavior

Rizin segfaults.

Steps to reproduce the behavior

Run aaa (or start rizin with the -A flag) with the binary named crash attached below.

Additional Logs, screenshots, source code, configuration dump, ...

The crash happens in the file librz/core/analysis_tp.c at line 950. When analyzing the binary attached below, the goto at line 849 is executed, but then at line 950 free is called with retctx.ret_reg as an argument. The problem is that retctx.ret_reg only gets initialized at line 860, but that line never gets executed because the goto gets executed first.
As a result of this, whatever was on the stack at that time gets freed (for example, in the statically linked release version for linux, the block size will be the value that gets freed).

So far, we've only seen the crash happen on an HPPA binary. In the archive attached to this issue, we modified the elf header and set the architecture to amd64 and that binary doesn't seem to crash.

Here's a bit of information about both binaries:

$ binwalk -W crash nocrash 

OFFSET      crash                                                                nocrash
--------------------------------------------------------------------------------
0x00000000  7F 45 4C 46 02 30 30 30 30 30 30 30 30 30 30 30 |.ELF.00000000000| \ 7F 45 4C 46 02 30 30 30 30 30 30 30 30 30 30 30 |.ELF.00000000000|
0x00000010  30 30 0F 00 30 30 30 30 30 30 30 30 30 30 30 30 |00..000000000000| / 30 30 3E 00 30 30 30 30 30 30 30 30 30 30 30 30 |00>.000000000000|
0x00000020  40 00 00 00 00 00 00 00 30 30 30 30 30 30 30 30 |@.......00000000| \ 40 00 00 00 00 00 00 00 30 30 30 30 30 30 30 30 |@.......00000000|
0x00000030  30 30 30 30 30 30 30 30 02 00 30 30 30 30 30 30 |00000000..000000| / 30 30 30 30 30 30 30 30 02 00 30 30 30 30 30 30 |00000000..000000|
0x00000040  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000050  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| / 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000060  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000070  30 30 30 30 30 30 30 30 01 00 00 00 05 30 30 30 |00000000.....000| / 30 30 30 30 30 30 30 30 01 00 00 00 05 30 30 30 |00000000.....000|
0x00000080  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x00000090  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| / 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
0x000000A0  30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000| \ 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|

(the only difference is the target architecture)

$ readelf -h crash
...
  Machine:                           HPPA
...
$ readelf -h nocrash
...
  Machine:                           Advanced Micro Devices X86-64
...

And here's the crash in action:

$ ~/rizin/build/binrz/rizin/rizin -A crash 
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[Skipping huge ranges of instructions for references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Finding xrefs in noncode section with analysis.in=io.maps
[x] Analyze value pointers (aav)
[Warning: Skipping large region30 to 0x6060606060606060 (aav)
[Cannot find program counter register in the current profile.
[x] Emulate functions to find computed references (aaef)
[Segmentation fault (core dumped)l functions (aaft)

As mentioned before, the binary with amd64 in the header works well:

$ ~/rizin/build/binrz/rizin/rizin -A nocrash 
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[Skipping huge ranges of instructions for references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x3030303030303030]>

binaries.zip

@pelijah
Contributor

pelijah commented Nov 23, 2021

Can't reproduce.

@XVilka XVilka added the crash label Nov 24, 2021
@XVilka
Member

XVilka commented Nov 24, 2021

Endless loop, it seems:

WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
WARNING: extract_arg: assertion 'analysis && fcn && op && reg' failed (line 671)
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[Skipping huge ranges of instructions for references (aar)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for classes
[x] Finding xrefs in noncode section with analysis.in=io.maps
[x] Analyze value pointers (aav)
[Warning: Skipping large region30 to 0x6060606060606060 (aav)
[WARNING: rz_reg_getv: assertion 'reg && name' failed (line 302)
Cannot find program counter register in the current profile.
[x] Emulate functions to find computed references (aaef)
[AddressSanitizer:DEADLYSIGNAL all functions (aaft)
=================================================================
==106810==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f616855ab36 bp 0x3030303030303030 sp 0x7ffec2e90570 T0)
==106810==The signal is caused by a READ memory access.
==106810==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
    #0 0x7f616855ab36 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) (/lib64/libasan.so.6+0x28b36)
    #1 0x7f61685e0637 in free (/lib64/libasan.so.6+0xae637)
    #2 0x7f615c673ab4 in rz_core_analysis_type_match ../librz/core/analysis_tp.c:950
    #3 0x7f615c6d2f86 in rz_core_analysis_types_propagation ../librz/core/canalysis.c:7015
    #4 0x7f615c6d602f in rz_core_analysis_everything ../librz/core/canalysis.c:6744
    #5 0x7f615ca7e2ff in cmd_analysis_all ../librz/core/cmd/cmd_analysis.c:7439
    #6 0x7f615ca7e2ff in rz_cmd_analysis ../librz/core/cmd/cmd_analysis.c:8384
    #7 0x7f615caf9e65 in call_cd ../librz/core/cmd/cmd_api.c:753
    #8 0x7f615caf9e65 in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:768
    #9 0x7f615cacd12c in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3981
    #10 0x7f615cacd12c in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3929
    #11 0x7f615c8f11c4 in handle_ts_stmt ../librz/core/cmd/cmd.c:5429
    #12 0x7f615ca2e4dd in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5486
    #13 0x7f615ca2e4dd in handle_ts_statements ../librz/core/cmd/cmd.c:5451
    #14 0x7f615ca2f9d4 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5594
    #15 0x7f615c9eb7b6 in rz_core_cmd ../librz/core/cmd/cmd.c:5643
    #16 0x7f61679d0199 in rz_main_rizin ../librz/main/rizin.c:1317
    #17 0x7f6166e0355f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #18 0x7f6166e0360b in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2d60b)
    #19 0x4018f4 in _start (/home/akochkov/.local/bin/rizin+0x4018f4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.6+0x28b36) in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==106810==ABORTING

@XVilka XVilka added the RzType label Nov 24, 2021
@OctavioGalland
Author

> Can't reproduce.

Sorry, forgot to add: The crash only happens on a release build. When running a debug build, the error condition is caught by the assertion at the beginning of the function rz_core_analysis_type_match.

@OctavioGalland
Author

OctavioGalland commented Nov 24, 2021

> Endless loop, it seems:

This is a similar output to the one we saw when we tested this using asan. But I think this isn't an infinite loop: at first a bunch of warnings are produced, but then asan detects a read at an invalid address (that read is triggered by the line analysis_tp.c:950, which is a call to free). If asan wasn't enabled, it would have resulted in a segfault.

Another way to test this is to debug it and set a breakpoint at rz_core_analysis_type_match, and then step a few times until it hits line 950, where the invalid free should take place. When we debugged it we noticed the following:
At line 848:

	if (!pc) {
		goto out_function; // <---- this goto gets executed
	}

The goto leads to line 949:

out_function:
	free(retctx.ret_reg);

Skipping the definition of retctx.ret_reg at line 860 (which should have been executed before the goto):

	// Create a new context to store the return type propagation state
	struct ReturnTypeAnalysisCtx retctx = {
		.resolved = false,
		.ret_type = NULL,
		.ret_reg = NULL
	};

Since the invalid free corresponds to an uninitialized variable, depending on the build the severity of the bug changes. For instance, when compiling a release build using the last commit we were able to control the address being freed too (by changing the block size), which could potentially lead to security concerns:

asciicast

@ret2libc ret2libc changed the title Segfault when analyzing an ELF64 for HPPA architecture CVE-2021-4022: Segfault when analyzing an ELF64 for HPPA architecture Nov 26, 2021
@ret2libc
Member

@OctavioGalland I marked the CVE in the title. I think in the future we could actually just assign them ourselves from Github, WDYT @XVilka @wargio @thestr4ng3r @kazarmy ?

@XVilka
Member

XVilka commented Nov 26, 2021

@ret2libc yes, we did this in the past.

@wargio
Member

wargio commented Nov 26, 2021

sounds good to me.

@wargio
Member

wargio commented Nov 26, 2021

@OctavioGalland can you confirm that the issue has been patched?

@OctavioGalland
Author

Yes, it's been fixed. Thanks!
