Invalid read in sdb_set_internal()

[fumfel]

Invalid read in sdb_set_internal()

Git HEAD: 2a82e2c

Crashing testcase in https://github.com/radare/radare2-regressions/pull/1069

Command: r2 -A r2_ir_sdb_set_internal

ASAN:

==15422==ERROR: AddressSanitizer: SEGV on unknown address 0x000030303030 (pc 0x7f3fea0c1746 bp 0x7fff0ccf7db0 sp 0x7fff0ccf7538 T0)
==15422==The signal is caused by a READ memory access.
    #0 0x7f3fea0c1745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745)
    #1 0x55f490967d8c in __interceptor_strlen.part.31 XYZ/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:300
    #2 0x7f3feb1a1d7c in sdb_set_internal XYZ/radare2/shlr/sdb/src/sdb.c:562:9
    #3 0x7f3ff06d8e98 in r_bin_dwarf_parse_comp_unit XYZ/radare2/libr/bin/dwarf.c:1355:5
    #4 0x7f3ff06d8e98 in r_bin_dwarf_parse_info_raw XYZ/radare2/libr/bin/dwarf.c:1426
    #5 0x7f3ff06db298 in r_bin_dwarf_parse_info XYZ/radare2/libr/bin/dwarf.c:1557:9
    #6 0x7f3ff1b697ab in bin_dwarf XYZ/radare2/libr/core/cbin.c:894:3
    #7 0x7f3ff1b697ab in r_core_bin_info XYZ/radare2/libr/core/cbin.c:3133
    #8 0x7f3ff1b670a6 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:116:3
    #9 0x7f3ff1ae7471 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:411:2
    #10 0x7f3ff1ae7471 in r_core_bin_load XYZ/radare2/libr/core/file.c:563
    #11 0x55f490a05c23 in main XYZ/radare2/binr/radare2/radare2.c:1009:15
    #12 0x7f3fea05682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x55f4909072a8 in _start (/usr/local/bin/radare2+0x222a8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8b745) in strlen
==15422==ABORTING

[radare]

looks like a problem in dwarf, not in sdb, can you show the output of valgrind?

…

On 8 Nov 2017, at 21:34, Kamil Frankowicz ***@***.***> wrote: Invalid read in sdb_set_internal() Git HEAD: 2a82e2c <2a82e2c> Crashing testcase in radare/radare2-regressions#1069 <https://github.com/radare/radare2-regressions/pull/1069> Command: r2 -A r2_ir_sdb_set_internal ASAN: ==15422==ERROR: AddressSanitizer: SEGV on unknown address 0x000030303030 (pc 0x7f3fea0c1746 bp 0x7fff0ccf7db0 sp 0x7fff0ccf7538 T0) ==15422==The signal is caused by a READ memory access. #0 0x7f3fea0c1745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745) #1 0x55f490967d8c in __interceptor_strlen.part.31 XYZ/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:300 #2 0x7f3feb1a1d7c in sdb_set_internal XYZ/radare2/shlr/sdb/src/sdb.c:562:9 #3 0x7f3ff06d8e98 in r_bin_dwarf_parse_comp_unit XYZ/radare2/libr/bin/dwarf.c:1355:5 #4 0x7f3ff06d8e98 in r_bin_dwarf_parse_info_raw XYZ/radare2/libr/bin/dwarf.c:1426 #5 0x7f3ff06db298 in r_bin_dwarf_parse_info XYZ/radare2/libr/bin/dwarf.c:1557:9 #6 0x7f3ff1b697ab in bin_dwarf XYZ/radare2/libr/core/cbin.c:894:3 #7 0x7f3ff1b697ab in r_core_bin_info XYZ/radare2/libr/core/cbin.c:3133 #8 0x7f3ff1b670a6 in r_core_bin_set_env XYZ/radare2/libr/core/cbin.c:116:3 #9 0x7f3ff1ae7471 in r_core_file_do_load_for_io_plugin XYZ/radare2/libr/core/file.c:411:2 #10 0x7f3ff1ae7471 in r_core_bin_load XYZ/radare2/libr/core/file.c:563 #11 0x55f490a05c23 in main XYZ/radare2/binr/radare2/radare2.c:1009:15 #12 0x7f3fea05682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #13 0x55f4909072a8 in _start (/usr/local/bin/radare2+0x222a8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x8b745) in strlen ==15422==ABORTING — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#8813>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA3-lij5W7cH6soFY29ANO28zOT-Ezojks5s0hBSgaJpZM4QW_6k>.

[fumfel]

==13556== Memcheck, a memory error detector
==13556== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13556== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==13556== Command: r2 -A r2_ir_sdb_set_internal
==13556== 
Warning: Cannot initialize program headers
Warning: Cannot initialize dynamic strings
Warning: Cannot initialize dynamic section
Warning: read (init_offset)
==13556== Warning: set address range perms: large range [0x395d8040, 0x698db070) (defined)
==13556== Invalid read of size 1
==13556==    at 0x4C30F62: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13556==    by 0x98EE8D2: sdb_set_internal (sdb.c:562)
==13556==    by 0x5E11565: r_bin_dwarf_parse_comp_unit (dwarf.c:1354)
==13556==    by 0x5E11565: r_bin_dwarf_parse_info_raw (dwarf.c:1425)
==13556==    by 0x5E12691: r_bin_dwarf_parse_info (dwarf.c:1556)
==13556==    by 0x51D0F6D: bin_dwarf (cbin.c:877)
==13556==    by 0x51D0F6D: r_core_bin_info (cbin.c:3061)
==13556==    by 0x51CF333: r_core_bin_set_env (cbin.c:117)
==13556==    by 0x51826CD: r_core_file_do_load_for_io_plugin (file.c:411)
==13556==    by 0x51826CD: r_core_bin_load (file.c:563)
==13556==    by 0x11041F: main (radare2.c:998)
==13556==  Address 0x30303030 is not stack'd, malloc'd or (recently) free'd
==13556== 
==13556== 
==13556== Process terminating with default action of signal 11 (SIGSEGV)
==13556==  Access not within mapped region at address 0x30303030
==13556==    at 0x4C30F62: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13556==    by 0x98EE8D2: sdb_set_internal (sdb.c:562)
==13556==    by 0x5E11565: r_bin_dwarf_parse_comp_unit (dwarf.c:1354)
==13556==    by 0x5E11565: r_bin_dwarf_parse_info_raw (dwarf.c:1425)
==13556==    by 0x5E12691: r_bin_dwarf_parse_info (dwarf.c:1556)
==13556==    by 0x51D0F6D: bin_dwarf (cbin.c:877)
==13556==    by 0x51D0F6D: r_core_bin_info (cbin.c:3061)
==13556==    by 0x51CF333: r_core_bin_set_env (cbin.c:117)
==13556==    by 0x51826CD: r_core_file_do_load_for_io_plugin (file.c:411)
==13556==    by 0x51826CD: r_core_bin_load (file.c:563)
==13556==    by 0x11041F: main (radare2.c:998)
==13556==  If you believe this happened as a result of a stack
==13556==  overflow in your program's main thread (unlikely but
==13556==  possible), you can try to increase the size of the
==13556==  main thread stack using the --main-stacksize= flag.
==13556==  The main thread stack size used in this run was 8388608.
==13556== 
==13556== HEAP SUMMARY:
==13556==     in use at exit: 809,981,654 bytes in 17,914 blocks
==13556==   total heap usage: 26,366 allocs, 8,452 frees, 857,218,190 bytes allocated
==13556== 
==13556== LEAK SUMMARY:
==13556==    definitely lost: 0 bytes in 0 blocks
==13556==    indirectly lost: 0 bytes in 0 blocks
==13556==      possibly lost: 0 bytes in 0 blocks
==13556==    still reachable: 809,981,654 bytes in 17,914 blocks
==13556==         suppressed: 0 bytes in 0 blocks
==13556== Rerun with --leak-check=full to see details of leaked memory
==13556== 
==13556== For counts of detected and suppressed errors, rerun with: -v
==13556== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)