segfault on pdj of java class #9283

Closed
cobra opened this issue Feb 1, 2018 · 5 comments
Comments

@cobra

cobra commented Feb 1, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits | Debian 9 amd64 |
| File format of the file you reverse | java bytecode |
| Architecture/bits of the file | java |
| r2 -v full output | radare2 2.3.0 17152 @ linux-x86-64 git.2.2.0-333-gcc7b6e2c1 commit: cc7b6e2 build: 2018-01-31__15:20:23 |
| r2 -V | https://gist.github.com/cobra/b03cd51d1007a8e89c297962fc9a4da6 |

Expected behavior

a bit of disassembly in json format

Actual behavior

crash with SIGSEGV

Steps to reproduce the behavior

I found this when trying to demo some things in cutter, but the segfault happens independently of cutter. The java class is just a very simple demo (source, attached class file). After compiling with javac from openjdk 8, r2 will crash cutter when scrolling around for some time in the disassembly near the switch table. Opening the class file produced by javac from openjdk 9 will cause this crash with pdj 4@1073. Using the same command issued by cutter in a standalone r2 instance will segfault immediately:

```
$ r2 StringSwitchDemo-openjdk8.class -c "pdj 4@1076"
[X] r_bin_java_code_attr_new: Error unable to parse remainder of classfile after Method's Code Attribute: 1.
[X] r_bin_java_code_attr_new: Error unable to parse remainder of classfile after Method's Code Attribute: 1.
/home/user/src/radareorg/cutter/radare2/env.sh: line 59:  2933 Segmentation fault      (core dumped) LIBR_PLUGINS=${pfx}/lib/radare2 PATH=$pfx/bin:${PATH} LD_LIBRARY_PATH=$pfx/lib:$LD_LIBRARY_PATH DYLD_LIBRARY_PATH=$pfx/lib:$DYLD_LIBRARY_PATH PKG_CONFIG_PATH=$pfx/lib/pkgconfig:$PKG_CONFIG_PATH "${1}" "${2}" "${3}" "${4}"
```

gdb attached to radare2 before executing pdj 4@1076:

```
Program received signal SIGSEGV, Segmentation fault.
0x00007f6c055d4831 in r_list_split_iter (list=0x5644357591f0, iter=0x56443580f340) at list.c:126
126			iter->n->p = iter->p;
(gdb) bt
#0  0x00007f6c055d4831 in r_list_split_iter (list=0x5644357591f0, iter=0x56443580f340) at list.c:126
#1  0x00007f6c055d46e8 in r_list_delete (list=0x5644357591f0, iter=0x56443580f340) at list.c:91
#2  0x00007f6c055d45e5 in r_list_purge (list=0x5644357591f0) at list.c:62
#3  0x00007f6c055d4631 in r_list_free (list=0x5644357591f0) at list.c:72
#4  0x00007f6c07c3a8e7 in r_anal_switch_op_free (swop=0x564435758a30) at switch.c:34
#5  0x00007f6c07c17a04 in r_anal_op_fini (op=0x56443580f130) at op.c:52
#6  0x00007f6c09439c83 in ds_free (ds=0x56443580e350) at disasm.c:763
#7  0x00007f6c09449487 in r_core_print_disasm_json (core=0x564435596540 <r>, addr=1076, buf=0x5644356460d0 "\020\v>\035\252", nb_bytes=256, nb_opcodes=4) at disasm.c:5026
#8  0x00007f6c093aeafa in cmd_pdj (core=0x564435596540 <r>, arg=0x56443575aa03 " 4") at cmd_print.c:766
#9  0x00007f6c093bb237 in cmd_print (data=0x564435596540 <r>, input=0x56443575aa01 "dj 4") at cmd_print.c:4429
#10 0x00007f6c0941b0e4 in r_cmd_call (cmd=0x5644356e86e0, input=0x56443575aa00 "pdj 4") at cmd_api.c:233
#11 0x00007f6c093d78b3 in r_core_cmd_subst_i (core=0x564435596540 <r>, cmd=0x56443575aa00 "pdj 4", colon=0x0) at cmd.c:2452
#12 0x00007f6c093d4fc6 in r_core_cmd_subst (core=0x564435596540 <r>, cmd=0x56443575aa00 "pdj 4") at cmd.c:1620
#13 0x00007f6c093d9d94 in r_core_cmd (core=0x564435596540 <r>, cstr=0x56443576f670 "pdj 4@1076", log=1) at cmd.c:3142
#14 0x00007f6c09354666 in r_core_prompt_exec (r=0x564435596540 <r>) at core.c:2077
#15 0x0000564435392e81 in main (argc=2, argv=0x7ffdfa14d218, envp=0x7ffdfa14d230) at radare2.c:1328
```

Tell me if you need more information.

@radare
Collaborator

radare commented Feb 2, 2018 via email

@cobra
Author

cobra commented Feb 2, 2018

@radare radare added this to the 2.4.0 milestone Feb 3, 2018
@radare radare self-assigned this Feb 3, 2018
@radare radare added the bug label Feb 3, 2018
@radare
Collaborator

radare commented Feb 4, 2018

thanks

@mscherer
Contributor

mscherer commented Feb 9, 2018

I can't reproduce with r2 git HEAD version:

```
$ r2 StringSwitchDemo-openjdk8.class -c "pdj 4@1076"
[X] r_bin_java_code_attr_new: Error unable to parse remainder of classfile after Method's Code Attribute: 1.
[X] r_bin_java_code_attr_new: Error unable to parse remainder of classfile after Method's Code Attribute: 1.
[{"offset":1076,"ptr":0,"val":0,"esil":"","refptr":false,"fcn_addr":0,"fcn_last":0,"size":2,"opcode":"bipush 11","disasm":"bipush 11","bytes":"100b","family":"cpu","type":"push","type_num":13,"type2_num":35684352,"jump":0,"fail":0},{"offset":1078,"ptr":0,"val":0,"esil":"","refptr":false,"fcn_addr":0,"fcn_last":0,"size":1,"opcode":"istore_3","disasm":"istore_3","bytes":"3e","family":"cpu","type":"push","type_num":13,"type2_num":1097736,"jump":0,"fail":0},{"offset":1079,"ptr":0,"val":0,"esil":"","refptr":false,"fcn_addr":0,"fcn_last":0,"size":1,"opcode":"iload_3","disasm":"iload_3","bytes":"1d","family":"cpu","type":"push","type_num":13,"type2_num":2138656,"jump":0,"fail":0},{"offset":1080,"ptr":0,"val":0,"esil":"","refptr":false,"fcn_addr":0,"fcn_last":0,"size":64,"opcode":"tableswitch default: 0x04bb","disasm":"tableswitch default: 0x04bb","bytes":"aa00000000000083000000000000000b","family":"cpu","type":"switch","type_num":39,"type2_num":134217984, "switch":[{"addr":1096, "value":0, "jump":1144},{"addr":1100, "value":1, "jump":1149},{"addr":1104, "value":2, "jump":1154},{"addr":1108, "value":3, "jump":1159},{"addr":1112, "value":4, "jump":1164},{"addr":1116, "value":5, "jump":1169},{"addr":1120, "value":6, "jump":1175},{"addr":1124, "value":7, "jump":1181},{"addr":1128, "value":8, "jump":1187},{"addr":1132, "value":9, "jump":1193},{"addr":1136, "value":10, "jump":1199},{"addr":1140, "value":11, "jump":1205}],"jump":0,"fail":1081}]
```

Bisect shows this was fixed by 79bac9c, so this bug can be closed (the commit message refers to another bug, however).

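The JSON above is r2's decoding of the JVM `tableswitch` at offset 1080: opcode `0xaa`, three zero padding bytes so the operands start 4-byte aligned relative to the method's code array, then signed big-endian `default`, `low`, `high`, and `high - low + 1` jump offsets, all relative to the opcode's own offset (1080 + 0x83 = 0x4bb, the default shown; 1080 + 64 = 1144, the first case). The backtrace in the report shows the crash in the free path for that switch op's case list (`r_anal_switch_op_free` → `r_list_free`), not in the decode, but a bounds-checked decoder is the piece a practitioner writing their own bytecode tooling most needs to get right. The following is an added example written for this page, not code from the thread or from radare2: it reconstructs the instruction from the 16 bytes printed in the JSON plus the twelve jump offsets derived from the JSON's `jump` fields (`jump - 1080`), decodes it, and rejects truncated or malformed input. The method-relative `pc` is not on the page; the three zero pad bytes imply `pc % 4 == 0`, so 0 is used. Type and function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLESWITCH_OPCODE 0xaa
#define MAX_CASES 64 /* demo cap; real tooling should cap by remaining buffer only */

typedef struct {
    uint64_t addr;  /* absolute offset of this 4-byte jump slot */
    int32_t  value; /* case value matched by this slot */
    uint64_t jump;  /* absolute jump target */
} jvm_switch_case;

typedef struct {
    size_t   size;     /* encoded size: 1 + pad + 12 + 4 * ncases */
    size_t   pad;      /* alignment padding after the opcode (0..3) */
    uint64_t def_jump; /* absolute default target */
    int32_t  low, high;
    size_t   ncases;
    jvm_switch_case cases[MAX_CASES];
} jvm_tableswitch;

/* All tableswitch operands are big-endian signed 32-bit values. */
static int32_t rd_s32be(const uint8_t *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* Decode a tableswitch whose opcode is buf[0]. addr is the opcode's absolute
 * offset (targets are relative to it); pc is its offset from the start of the
 * method's code array, which fixes the padding (JVMS, tableswitch). Every read
 * is checked against len, so a truncated buffer yields false, not an over-read. */
bool parse_tableswitch(const uint8_t *buf, size_t len, uint64_t addr,
                       uint64_t pc, jvm_tableswitch *out) {
    memset(out, 0, sizeof *out);
    if (len < 1 || buf[0] != TABLESWITCH_OPCODE) return false;
    size_t pad = (size_t)((4 - ((pc + 1) % 4)) % 4);
    size_t need = 1 + pad + 12; /* default, low, high */
    if (len < need) return false;
    const uint8_t *p = buf + 1 + pad;
    int32_t def = rd_s32be(p), low = rd_s32be(p + 4), high = rd_s32be(p + 8);
    if (high < low) return false; /* spec requires low <= high */
    uint64_t ncases = (uint64_t)((int64_t)high - (int64_t)low) + 1;
    if (ncases > MAX_CASES) return false;
    if ((len - need) / 4 < ncases) return false; /* jump table truncated */
    out->pad = pad;
    out->def_jump = (uint64_t)((int64_t)addr + def);
    out->low = low;
    out->high = high;
    out->ncases = (size_t)ncases;
    for (size_t i = 0; i < out->ncases; i++) {
        const uint8_t *slot = p + 12 + 4 * i;
        out->cases[i].addr  = addr + (uint64_t)(slot - buf);
        out->cases[i].value = (int32_t)(low + (int64_t)i);
        out->cases[i].jump  = (uint64_t)((int64_t)addr + rd_s32be(slot));
    }
    out->size = need + 4 * out->ncases;
    return true;
}

/* Constructed input: the 16 bytes r2 printed for offset 1080 followed by the
 * twelve offsets reconstructed from the JSON's jump fields (jump - 1080).
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t demo_tableswitch_bytes(uint8_t *buf, size_t cap) {
    static const uint8_t head[16] = {
        0xaa, 0x00, 0x00, 0x00, /* opcode + 3 pad bytes (1081..1083) */
        0x00, 0x00, 0x00, 0x83, /* default: +131 -> 1211 (0x4bb) */
        0x00, 0x00, 0x00, 0x00, /* low  = 0 */
        0x00, 0x00, 0x00, 0x0b, /* high = 11 */
    };
    static const int32_t offs[12] = {64, 69, 74, 79, 84, 89, 95, 101, 107, 113, 119, 125};
    size_t need = sizeof head + sizeof offs;
    if (cap < need) return 0;
    memcpy(buf, head, sizeof head);
    for (size_t i = 0; i < 12; i++) {
        uint32_t v = (uint32_t)offs[i];
        buf[16 + 4 * i]     = (uint8_t)(v >> 24);
        buf[16 + 4 * i + 1] = (uint8_t)(v >> 16);
        buf[16 + 4 * i + 2] = (uint8_t)(v >> 8);
        buf[16 + 4 * i + 3] = (uint8_t)v;
    }
    return need;
}

int main(void) {
    uint8_t buf[64];
    jvm_tableswitch ts;
    size_t n = demo_tableswitch_bytes(buf, sizeof buf);
    if (!parse_tableswitch(buf, n, 1080, 0, &ts)) return 1;
    printf("tableswitch size=%zu pad=%zu default=0x%04llx low=%d high=%d\n",
           ts.size, ts.pad, (unsigned long long)ts.def_jump, ts.low, ts.high);
    for (size_t i = 0; i < ts.ncases; i++)
        printf("  addr %llu value %d jump %llu\n", (unsigned long long)ts.cases[i].addr,
               ts.cases[i].value, (unsigned long long)ts.cases[i].jump);
    /* Failure mode: header fits in 20 bytes but the jump table does not. */
    printf("20-byte buffer: %s\n", parse_tableswitch(buf, 20, 1080, 0, &ts) ? "ok" : "rejected");
    return 0;
}
```

The decoder's output for the constructed bytes matches the `switch` array in the JSON (size 64, default 0x4bb, slots at 1096..1140 jumping to 1144..1205). The two checks worth copying into real tooling are the `high < low` rejection (otherwise `high - low + 1` wraps to a huge count) and the `(len - need) / 4 < ncases` check, which is what prevents an attacker-controlled `high` from walking the read past the end of the code attribute.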
@cobra
Author

cobra commented Feb 9, 2018

Looks like a typo in the commit message - #2983 vs #9283.
I can also confirm that this bug is fixed.

@cobra cobra closed this as completed Feb 9, 2018