
*** invalid %N$ use detected *** #3944

Closed
XVilka opened this issue Jan 11, 2016 · 31 comments

Comments

XVilka (Contributor) commented Jan 11, 2016

  1. Run ./run_r2.sh from https://github.com/XVilka/hacklu/tree/master/demos/Firmware/demo5_it8502e
  2. [0x000000]> . ite_it8502.r2
  3. pd 5

It quits with the *** invalid %N$ use detected *** error.

XVilka (Contributor, Author) commented Jan 11, 2016

Still fails for me

XVilka reopened this Jan 11, 2016

radare (Collaborator) commented Jan 11, 2016

Can't reproduce even with ASan. Can you provide more info? Like a backtrace or another reproducer.


radare (Collaborator) commented Jan 11, 2016

ping


XVilka (Contributor, Author) commented Jan 11, 2016

Okay, reproducible only on PaX-enabled systems.

crowell (Collaborator) commented Jan 11, 2016

uh... why is %n ever being used?


radare (Collaborator) commented Jan 11, 2016

Oh nope, not even there.. so it's not used at all; maybe it's a format string vuln with a specially crafted string. Can you show a backtrace?

XVilka (Contributor, Author) commented Jan 11, 2016

No backtrace is available on that system with this error.

radare (Collaborator) commented Jan 11, 2016

Then drop pax :p


radare modified the milestones: 1.0.0, 0.10.0 Jan 15, 2016

cyrozap commented Apr 9, 2016

I get this same issue when trying to analyze an 8051 firmware. OS is Arch Linux, kernel 4.4.5-1-ARCH x86_64.

Here's the version of radare I'm using (from the Arch Community repo):

radare2 0.10.1 9999999 @ linux-little-x86-64 git.0.10.1
commit: HEAD build: 2016-03-02

And the command I'm running:

$ r2 -a 8051 flash.bin
 -- The '?' command can be used to evaluate math expressions. Like this: '? (0x34+22)*4'
[0x00000000]> aaa
*** invalid %N$ use detected ***

And finally the backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff47402a8 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff47402a8 in raise () from /usr/lib/libc.so.6
#1  0x00007ffff474172a in abort () from /usr/lib/libc.so.6
#2  0x00007ffff477c369 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007ffff477c38e in __libc_fatal () from /usr/lib/libc.so.6
#4  0x00007ffff4751ddc in printf_positional () from /usr/lib/libc.so.6
#5  0x00007ffff4753c76 in vfprintf () from /usr/lib/libc.so.6
#6  0x00007ffff4802906 in __vsnprintf_chk () from /usr/lib/libc.so.6
#7  0x00007ffff4ef50ed in r_strbuf_appendf () from /usr/lib/libr_util.so
#8  0x00007ffff6a20fde in ?? () from /usr/lib/libr_anal.so
#9  0x00007ffff6a5df8a in r_anal_op () from /usr/lib/libr_anal.so
#10 0x00007ffff6a605c7 in ?? () from /usr/lib/libr_anal.so
#11 0x00007ffff6a61186 in ?? () from /usr/lib/libr_anal.so
#12 0x00007ffff6a615d7 in r_anal_fcn () from /usr/lib/libr_anal.so
#13 0x00007ffff7b76338 in r_core_anal_fcn () from /usr/lib/libr_core.so
#14 0x00007ffff7b2435b in ?? () from /usr/lib/libr_core.so
#15 0x00007ffff7b4c73b in ?? () from /usr/lib/libr_core.so
#16 0x00007ffff7b72c3c in r_cmd_call () from /usr/lib/libr_core.so
#17 0x00007ffff7b4f95a in ?? () from /usr/lib/libr_core.so
#18 0x00007ffff7b2ad5c in ?? () from /usr/lib/libr_core.so
#19 0x00007ffff7b2b0a7 in r_core_cmd () from /usr/lib/libr_core.so
#20 0x00007ffff7b792bf in r_core_anal_all () from /usr/lib/libr_core.so
#21 0x00007ffff7b4ce12 in ?? () from /usr/lib/libr_core.so
#22 0x00007ffff7b72c3c in r_cmd_call () from /usr/lib/libr_core.so
#23 0x00007ffff7b4f95a in ?? () from /usr/lib/libr_core.so
#24 0x00007ffff7b2ad5c in ?? () from /usr/lib/libr_core.so
#25 0x00007ffff7b2b0a7 in r_core_cmd () from /usr/lib/libr_core.so
#26 0x00007ffff7b17daa in r_core_prompt_exec () from /usr/lib/libr_core.so
#27 0x000055555555830d in main ()

radare (Collaborator) commented Apr 9, 2016

Please update to git and try again


cyrozap commented Apr 9, 2016

The issue still exists on master. Non-stripped backtrace:

[0x00000000]> aaa
[*** invalid %N$ use detected ***th sym. and entry0 (aa)

Program received signal SIGABRT, Aborted.
0x00007ffff47002a8 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff47002a8 in raise () from /usr/lib/libc.so.6
#1  0x00007ffff470172a in abort () from /usr/lib/libc.so.6
#2  0x00007ffff473c369 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007ffff473c38e in __libc_fatal () from /usr/lib/libc.so.6
#4  0x00007ffff4711ddc in printf_positional () from /usr/lib/libc.so.6
#5  0x00007ffff4713c76 in vfprintf () from /usr/lib/libc.so.6
#6  0x00007ffff47c2906 in __vsnprintf_chk () from /usr/lib/libc.so.6
#7  0x00007ffff4ec140d in vsnprintf (__ap=0x7fffffffaa48, __fmt=0x7ffff6a7b992 "%3$d,0x10000,%2$d,+,=[1],", __n=4096, __s=0x7fffffffaa60 "") at /usr/include/bits/stdio2.h:77
#8  r_strbuf_appendf (sb=sb@entry=0x7fffffffbdd0, fmt=fmt@entry=0x7ffff6a7b992 "%3$d,0x10000,%2$d,+,=[1],") at strbuf.c:105
#9  0x00007ffff6a0d46e in analop_esil (a=0x5555557de600, buf_asm=0x7fffffffbbb0 "mov 0x8e, #RAM_D0 ", buf=0x7fffffffbba0 "u\216\071", addr=4300, op=0x7fffffffbd10)
    at /tmp/pacaurtmp-cyrozap/radare2-git/src/radare2-git/libr/..//libr/anal/p/anal_8051.c:180
#10 i8051_op (anal=0x5555557de600, op=0x7fffffffbd10, addr=4300, 
    buf=0x5555558857d0 "u\216\071x\177\344\366\330\375u\201\275µ\002\021\030\002\f|䓣\370䓣@\003\366\200\001\362\b\337\364\200)䓣\370T\a$\f\310\303\063\304T\017D ȃ@\004\364V\200\001F\366\337\344\200\v\001\002\004\b\020 @\200\220\f\202\344~\001\223`\274\243\377T?0\345\tT\037\376䓣`\001\016\317T\300%\340`\250@\270䓣\372䓣\370䓣\310ł\310\312Ń\312\360\243\310ł\310\312Ń\312\337\351\336瀾\344\220\373\066\360\022\026\200@\b\220\373\066\340\004\360\200\363\220\373\066\340\376p\003\257\b\"\356$\376`\025\024`\036\024`'$\003pN\022\026\200P\003\257\t\"\257\n\"\022"..., len=<optimized out>)
    at /tmp/pacaurtmp-cyrozap/radare2-git/src/radare2-git/libr/..//libr/anal/p/anal_8051.c:538
#11 0x00007ffff6a4a6fa in r_anal_op (anal=anal@entry=0x5555557de600, op=op@entry=0x7fffffffbd10, addr=addr@entry=4300, data=<optimized out>, len=len@entry=16384) at op.c:96
#12 0x00007ffff6a4cd33 in fcn_recurse (anal=anal@entry=0x5555557de600, fcn=fcn@entry=0x55555584db10, addr=4300, 
    buf=0x5555558857d0 "u\216\071x\177\344\366\330\375u\201\275µ\002\021\030\002\f|䓣\370䓣@\003\366\200\001\362\b\337\364\200)䓣\370T\a$\f\310\303\063\304T\017D ȃ@\004\364V\200\001F\366\337\344\200\v\001\002\004\b\020 @\200\220\f\202\344~\001\223`\274\243\377T?0\345\tT\037\376䓣`\001\016\317T\300%\340`\250@\270䓣\372䓣\370䓣\310ł\310\312Ń\312\360\243\310ł\310\312Ń\312\337\351\336瀾\344\220\373\066\360\022\026\200@\b\220\373\066\340\004\360\200\363\220\373\066\340\376p\003\257\b\"\356$\376`\025\024`\036\024`'$\003pN\022\026\200P\003\257\t\"\257\n\"\022"..., len=16384, depth=511) at fcn.c:335
#13 0x00007ffff6a4d4ea in fcn_recurse (anal=anal@entry=0x5555557de600, fcn=fcn@entry=0x55555584db10, addr=addr@entry=0, 
    buf=buf@entry=0x555555840c40 "\002\020\314\t\n\v\f\r\020\004\004\002\021\354\377\377\377\377\377\002\022x\354M`\021\350Ip\027\355\063\354\063\004`\r\344\374\377\376\375\"\351\063\350\063\004p\370\002\001\306\022\001\221X\004`\t\344\314$\201P\006(P\t\002\001\320(@\003\002\001\315\300\340\353JpD\271\200\006\320\340\373\002\001\274\357Np\034\275\200\b\353\377\352\376\351\375\200\353\351\215\360\244\376\345\360\002", len=len@entry=1024, 
    depth=depth@entry=512) at fcn.c:587
#14 0x00007ffff6a4dd77 in r_anal_fcn (anal=0x5555557de600, fcn=fcn@entry=0x55555584db10, addr=addr@entry=0, 
    buf=buf@entry=0x555555840c40 "\002\020\314\t\n\v\f\r\020\004\004\002\021\354\377\377\377\377\377\002\022x\354M`\021\350Ip\027\355\063\354\063\004`\r\344\374\377\376\375\"\351\063\350\063\004p\370\002\001\306\022\001\221X\004`\t\344\314$\201P\006(P\t\002\001\320(@\003\002\001\315\300\340\353JpD\271\200\006\320\340\373\002\001\274\357Np\034\275\200\b\353\377\352\376\351\375\200\353\351\215\360\244\376\345\360\002", len=len@entry=1024, 
    reftype=reftype@entry=0) at fcn.c:809
#15 0x00007ffff7b72e98 in core_anal_fcn (depth=16, reftype=0, from=18446744073709551615, at=0, core=0x55555575b500 <r>) at anal.c:426
#16 r_core_anal_fcn (core=core@entry=0x55555575b500 <r>, at=at@entry=0, from=from@entry=18446744073709551615, reftype=reftype@entry=0, depth=depth@entry=16) at anal.c:1159
#17 0x00007ffff7b1dabe in cmd_anal_fcn (core=core@entry=0x55555575b500 <r>, input=input@entry=0x55555581c491 "f") at cmd_anal.c:1114
#18 0x00007ffff7b4765b in cmd_anal (data=0x55555575b500 <r>, input=0x55555581c491 "f") at cmd_anal.c:3980
#19 0x00007ffff7b6f3bc in r_cmd_call (cmd=0x555555813070, input=<optimized out>) at cmd_api.c:210
#20 0x00007ffff7b4ac5a in r_core_cmd_subst_i (core=core@entry=0x55555575b500 <r>, cmd=cmd@entry=0x55555581c490 "af", colon=colon@entry=0x0) at cmd.c:1779
#21 0x00007ffff7b2482c in r_core_cmd_subst (core=core@entry=0x55555575b500 <r>, cmd=<optimized out>, cmd@entry=0x555555830af0 "af") at cmd.c:1240
#22 0x00007ffff7b24b87 in r_core_cmd (core=0x55555575b500 <r>, cstr=<optimized out>, log=<optimized out>) at cmd.c:2185
#23 0x00007ffff7b761bf in r_core_anal_all (core=core@entry=0x55555575b500 <r>) at anal.c:2018
#24 0x00007ffff7b47ec1 in cmd_anal_all (input=<optimized out>, core=0x55555575b500 <r>) at cmd_anal.c:3749
#25 cmd_anal (data=0x55555575b500 <r>, input=0x555555849cc1 "aa") at cmd_anal.c:4001
#26 0x00007ffff7b6f3bc in r_cmd_call (cmd=0x555555813070, input=<optimized out>) at cmd_api.c:210
#27 0x00007ffff7b4ac5a in r_core_cmd_subst_i (core=core@entry=0x55555575b500 <r>, cmd=cmd@entry=0x555555849cc0 "aaa", colon=colon@entry=0x0) at cmd.c:1779
#28 0x00007ffff7b2482c in r_core_cmd_subst (core=core@entry=0x55555575b500 <r>, cmd=<optimized out>, cmd@entry=0x55555582fae0 "aaa") at cmd.c:1240
#29 0x00007ffff7b24b87 in r_core_cmd (core=core@entry=0x55555575b500 <r>, cstr=<optimized out>, log=log@entry=1) at cmd.c:2185
#30 0x00007ffff7b1114a in r_core_prompt_exec (r=0x55555575b500 <r>) at core.c:1522
#31 0x00005555555585fe in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at radare2.c:878
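The template in frame #7 above, `%3$d,0x10000,%2$d,+,=[1],`, references arguments 2 and 3 but never argument 1, and a skipped index is exactly what glibc's fortified vsnprintf (`__vsnprintf_chk`, active under `_FORTIFY_SOURCE`, as in hardened/PaX builds) rejects with this message. The linter below, added here as an example and not code from radare2, applies that rule to format strings so such templates can be caught before they reach a fortified libc; the sample strings it checks are constructed.

```c
/*
 * Lint printf-style format strings for the positional-argument rule that
 * glibc enforces when the call is fortified (_FORTIFY_SOURCE, as used by
 * hardened/PaX toolchains): once any "%N$" conversion appears, every index
 * from 1 up to the largest N must be referenced, otherwise the fortified
 * vsnprintf aborts with "*** invalid %N$ use detected ***".
 * Mixing "%N$" with plain "%d" is undefined per POSIX; this linter rejects
 * it as well, which is stricter than glibc's runtime check.
 * '*' widths/precisions are stepped over but not counted as arguments.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_POS_ARGS 64

enum fmt_verdict {
    FMT_OK = 0,
    FMT_GAP,        /* an index in 1..max is never referenced: glibc aborts */
    FMT_MIXED,      /* positional and sequential conversions are mixed     */
    FMT_BAD_INDEX   /* index is 0 or above MAX_POS_ARGS                     */
};

/* Returns the verdict for fmt; if first_gap is non-NULL it receives the
 * lowest unreferenced index (0 when there is none). */
enum fmt_verdict check_positional_format(const char *fmt, int *first_gap)
{
    unsigned char used[MAX_POS_ARGS + 1] = {0};
    int max_index = 0, saw_positional = 0, saw_sequential = 0;
    const char *p = fmt;

    if (first_gap) *first_gap = 0;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }           /* literal "%%" */

        if (isdigit((unsigned char)*p)) {           /* digits: "N$" or a width */
            const char *q = p;
            int n = 0;
            while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
            if (*q == '$') {
                if (n < 1 || n > MAX_POS_ARGS) return FMT_BAD_INDEX;
                used[n] = 1;
                if (n > max_index) max_index = n;
                saw_positional = 1;
                p = q + 1;
            } else {
                saw_sequential = 1;                 /* "%5d": a field width */
                p = q;
            }
        } else {
            saw_sequential = 1;
        }
        /* step over flags, width, precision and length to the conversion char */
        while (*p && !isalpha((unsigned char)*p)) p++;
        if (*p) p++;
    }

    if (saw_positional && saw_sequential) return FMT_MIXED;
    for (int i = 1; i <= max_index; i++) {
        if (!used[i]) {
            if (first_gap) *first_gap = i;
            return FMT_GAP;
        }
    }
    return FMT_OK;
}

/* Convenience wrapper: lowest unreferenced index, 0 if the format is sound. */
int first_unused_index(const char *fmt)
{
    int gap = 0;
    check_positional_format(fmt, &gap);
    return gap;
}

int main(void)
{
    /* The template from frame #7 of the backtrace above, plus two constructed
     * variants: one that references argument 1 as well, one that mixes styles. */
    const char *samples[] = {
        "%3$d,0x10000,%2$d,+,=[1],",
        "%1$d,0x10000,%2$d,+,%3$d,=[1],",
        "%1$d %d",
    };
    static const char *names[] = { "ok", "gap", "mixed", "bad-index" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int gap;
        enum fmt_verdict v = check_positional_format(samples[i], &gap);
        printf("%-36s -> %s", samples[i], names[v]);
        if (v == FMT_GAP) printf(" (argument %d never used)", gap);
        putchar('\n');
    }
    return 0;
}
```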

cyrozap commented Apr 9, 2016

And here's the backtrace with local variables:

(gdb) bt full
#0  0x00007ffff47002a8 in raise () from /usr/lib/libc.so.6
No symbol table info available.
#1  0x00007ffff470172a in abort () from /usr/lib/libc.so.6
No symbol table info available.
#2  0x00007ffff473c369 in __libc_message () from /usr/lib/libc.so.6
No symbol table info available.
#3  0x00007ffff473c38e in __libc_fatal () from /usr/lib/libc.so.6
No symbol table info available.
#4  0x00007ffff4711ddc in printf_positional () from /usr/lib/libc.so.6
No symbol table info available.
#5  0x00007ffff4713c76 in vfprintf () from /usr/lib/libc.so.6
No symbol table info available.
#6  0x00007ffff47c2906 in __vsnprintf_chk () from /usr/lib/libc.so.6
No symbol table info available.
#7  0x00007ffff4ec140d in vsnprintf (__ap=0x7fffffffaa48, __fmt=0x7ffff6a7b992 "%3$d,0x10000,%2$d,+,=[1],", __n=4096, __s=0x7fffffffaa60 "") at /usr/include/bits/stdio2.h:77
No locals.
#8  r_strbuf_appendf (sb=sb@entry=0x7fffffffbdd0, fmt=fmt@entry=0x7ffff6a7b992 "%3$d,0x10000,%2$d,+,=[1],") at strbuf.c:105
        ret = <optimized out>
        string = "\000\000\000\000\000\000\000\000\000 \367\367\377\177\000\000[ ] \033[33mAnalyze all fla\000\000\000\000\000\000\000\000X#\367\367\377\177\000\000Ъ\377\377\377\177\000\000d en\001\000\000\000\300\252\377\377\377\177\000\000c\226z\353\000\000\000\000\177\211\351\364\377\177\000\000\377\377\377\377", '\000' <repeats 12 times>, "\250_\351\364\377\177\000\000\000 \367\367\377\177", '\000' <repeats 90 times>...
        ap = <error reading variable ap (Attempt to dereference a generic pointer.)>
#9  0x00007ffff6a0d46e in analop_esil (a=0x5555557de600, buf_asm=0x7fffffffbbb0 "mov 0x8e, #RAM_D0 ", buf=0x7fffffffbba0 "u\216\071", addr=4300, op=0x7fffffffbd10)
    at /tmp/pacaurtmp-cyrozap/radare2-git/src/radare2-git/libr/..//libr/anal/p/anal_8051.c:180
No locals.
#10 i8051_op (anal=0x5555557de600, op=0x7fffffffbd10, addr=4300, 
    buf=0x5555558857d0 "u\216\071x\177\344\366\330\375u\201\275µ\002\021\030\002\f|䓣\370䓣@\003\366\200\001\362\b\337\364\200)䓣\370T\a$\f\310\303\063\304T\017D ȃ@\004\364V\200\001F\366\337\344\200\v\001\002\004\b\020 @\200\220\f\202\344~\001\223`\274\243\377T?0\345\tT\037\376䓣`\001\016\317T\300%\340`\250@\270䓣\372䓣\370䓣\310ł\310\312Ń\312\360\243\310ł\310\312Ń\312\337\351\336瀾\344\220\373\066\360\022\026\200@\b\220\373\066\340\004\360\200\363\220\373\066\340\376p\003\257\b\"\356$\376`\025\024`\036\024`'$\003pN\022\026\200P\003\257\t\"\257\n\"\022"..., len=<optimized out>)
    at /tmp/pacaurtmp-cyrozap/radare2-git/src/radare2-git/libr/..//libr/anal/p/anal_8051.c:538
        copy = "u\216\071"
        tmp = 0x55555584d680 ""
        buf_asm = "mov 0x8e, #RAM_D0 ", '\000' <repeats 45 times>
        o = {name = <optimized out>, length = 3, operand = <optimized out>, addr = 0, arg = <optimized out>, buf = <optimized out>}
#11 0x00007ffff6a4a6fa in r_anal_op (anal=anal@entry=0x5555557de600, op=op@entry=0x7fffffffbd10, addr=addr@entry=4300, data=<optimized out>, len=len@entry=16384) at op.c:96
        ret = 0
#12 0x00007ffff6a4cd33 in fcn_recurse (anal=anal@entry=0x5555557de600, fcn=fcn@entry=0x55555583fa70, addr=4300, 
    buf=0x5555558857d0 "u\216\071x\177\344\366\330\375u\201\275µ\002\021\030\002\f|䓣\370䓣@\003\366\200\001\362\b\337\364\200)䓣\370T\a$\f\310\303\063\304T\017D ȃ@\004\364V\200\001F\366\337\344\200\v\001\002\004\b\020 @\200\220\f\202\344~\001\223`\274\243\377T?0\345\tT\037\376䓣`\001\016\317T\300%\340`\250@\270䓣\372䓣\370䓣\310ł\310\312Ń\312\360\243\310ł\310\312Ń\312\337\351\336瀾\344\220\373\066\360\022\026\200@\b\220\373\066\340\004\360\200\363\220\373\066\340\376p\003\257\b\"\356$\376`\025\024`\036\024`'$\003pN\022\026\200P\003\257\t\"\257\n\"\022"..., len=16384, depth=511) at fcn.c:335
        continue_after_jump = 1
        bb = 0x55555584d530
        bbg = <optimized out>
        ret = -4
        overlapped = 0
        varname = <optimized out>
        op = {mnemonic = 0x0, addr = 0, type = 9, prefix = 0, type2 = 0, group = 0, stackop = 0, cond = 0, size = 0, nopcode = 0, cycles = 0, failcycles = 0, family = 0, eob = 0, delay = 0, jump = 0, fail = 0, 
          selector = 0, ptr = 0, val = 0, ptrsize = 0, stackptr = 0, refptr = 0, var = 0x0, src = {0x0, 0x0, 0x0}, dst = 0x0, next = 0x0, esil = {len = 0, ptr = 0x0, ptrlen = 0, buf = '\000' <repeats 63 times>}, 
          switch_op = 0x0}
        oplen = <optimized out>
        idx = 0
        delay = {cnt = 0, idx = 0, after = 0, pending = 0, adjust = 0, un_idx = <optimized out>}
#13 0x00007ffff6a4d4ea in fcn_recurse (anal=anal@entry=0x5555557de600, fcn=fcn@entry=0x55555583fa70, addr=addr@entry=0, 
    buf=buf@entry=0x55555584d700 "\002\020\314\t\n\v\f\r\020\004\004\002\021\354\377\377\377\377\377\002\022x\354M`\021\350Ip\027\355\063\354\063\004`\r\344\374\377\376\375\"\351\063\350\063\004p\370\002\001\306\022\001\221X\004`\t\344\314$\201P\006(P\t\002\001\320(@\003\002\001\315\300\340\353JpD\271\200\006\320\340\373\002\001\274\357Np\034\275\200\b\353\377\352\376\351\375\200\353\351\215\360\244\376\345\360\002", len=len@entry=1024, 
    depth=depth@entry=512) at fcn.c:587
        bbuf = <optimized out>
        continue_after_jump = 1
        bb = 0x55555584db10
        bbg = <optimized out>
        ret = <optimized out>
        overlapped = <optimized out>
        varname = <optimized out>
        op = {mnemonic = 0x0, addr = 0, type = 1, prefix = 0, type2 = 0, group = 0, stackop = 0, cond = 0, size = 3, nopcode = 0, cycles = 0, failcycles = 0, family = 0, eob = 0, delay = 0, jump = 4300, fail = 3, 
          selector = 0, ptr = 0, val = 0, ptrsize = 0, stackptr = 0, refptr = 0, var = 0x0, src = {0x0, 0x0, 0x0}, dst = 0x0, next = 0x0, esil = {len = 9, ptr = 0x0, ptrlen = 0, 
            buf = "4300,pc,=", '\000' <repeats 54 times>}, switch_op = 0x0}
        oplen = <optimized out>
        idx = <optimized out>
        delay = {cnt = 0, idx = 0, after = 0, pending = 0, adjust = 0, un_idx = <optimized out>}
#14 0x00007ffff6a4dd77 in r_anal_fcn (anal=0x5555557de600, fcn=fcn@entry=0x55555583fa70, addr=addr@entry=0, 
    buf=buf@entry=0x55555584d700 "\002\020\314\t\n\v\f\r\020\004\004\002\021\354\377\377\377\377\377\002\022x\354M`\021\350Ip\027\355\063\354\063\004`\r\344\374\377\376\375\"\351\063\350\063\004p\370\002\001\306\022\001\221X\004`\t\344\314$\201P\006(P\t\002\001\320(@\003\002\001\315\300\340\353JpD\271\200\006\320\340\373\002\001\274\357Np\034\275\200\b\353\377\352\376\351\375\200\353\351\215\360\244\376\345\360\002", len=len@entry=1024, 
    reftype=reftype@entry=0) at fcn.c:809
        ret = <optimized out>
#15 0x00007ffff7b72e98 in core_anal_fcn (depth=16, reftype=0, from=18446744073709551615, at=0, core=0x55555575b500 <r>) at anal.c:426
        f = <optimized out>
        ref = <optimized out>
        delta = <optimized out>
        buf = 0x55555584d700 "\002\020\314\t\n\v\f\r\020\004\004\002\021\354\377\377\377\377\377\002\022x\354M`\021\350Ip\027\355\063\354\063\004`\r\344\374\377\376\375\"\351\063\350\063\004p\370\002\001\306\022\001\221X\004`\t\344\314$\201P\006(P\t\002\001\320(@\003\002\001\315\300\340\353JpD\271\200\006\320\340\373\002\001\274\357Np\034\275\200\b\353\377\352\376\351\375\200\353\351\215\360\244\376\345\360\002"
        nexti = 0
        fcn = 0x55555583fa70
        has_next = 0
        fcnlen = <optimized out>
        hint = <optimized out>
        i = <optimized out>
        next = 0x0
        buflen = 1024
#16 r_core_anal_fcn (core=core@entry=0x55555575b500 <r>, at=at@entry=0, from=from@entry=18446744073709551615, reftype=reftype@entry=0, depth=depth@entry=16) at anal.c:1159
        fcn = <optimized out>
        iter = <optimized out>
        use_esil = <optimized out>
#17 0x00007ffff7b1dabe in cmd_anal_fcn (core=core@entry=0x55555575b500 <r>, input=input@entry=0x55555581c4f1 "f") at cmd_anal.c:1114
        depth = 16
        fcn = <optimized out>
        uaddr = 0x0
        name = 0x0
        analyze_recursively = false
        addr = 0
#18 0x00007ffff7b4765b in cmd_anal (data=0x55555575b500 <r>, input=0x55555581c4f1 "f") at cmd_anal.c:3980
        r = <optimized out>
        core = 0x55555575b500 <r>
        tbs = 256
#19 0x00007ffff7b6f3bc in r_cmd_call (cmd=0x555555813070, input=<optimized out>) at cmd_api.c:210
        inp = <optimized out>
        nstr = 0x0
        ji = <optimized out>
        c = <optimized out>
        ret = <optimized out>
        iter = <optimized out>
        cp = <optimized out>
        input = 0x55555581c4f0 "af"
        cmd = 0x555555813070
#20 0x00007ffff7b4ac5a in r_core_cmd_subst_i (core=core@entry=0x55555575b500 <r>, cmd=cmd@entry=0x55555581c4f0 "af", colon=colon@entry=0x0) at cmd.c:1779
        quotestr = 0x7ffff7b9959a "`"
        ptr = <optimized out>
        ptr2 = <optimized out>
        str = <optimized out>
        arroba = 0x0
        i = <optimized out>
        ret = <optimized out>
        pipefd = <optimized out>
        usemyblock = 0
        rc = <optimized out>
#21 0x00007ffff7b2482c in r_core_cmd_subst (core=core@entry=0x55555575b500 <r>, cmd=<optimized out>, cmd@entry=0x555555830af0 "af") at cmd.c:1240
        cr = 0x55555584ea50 ""
        ret = 0
        rep = 0
        orep = 1
        cmt = <optimized out>
        colon = <optimized out>
        icmd = 0x55555581c4f0 "af"
        cmdrep = 0x555555841740 ""
        ocur_enabled = 0
#22 0x00007ffff7b24b87 in r_core_cmd (core=0x55555575b500 <r>, cstr=<optimized out>, log=<optimized out>) at cmd.c:2185
        rcmd = 0x555555830af0 "af"
        ret = <optimized out>
        cmd = 0x555555830af0 "af"
        ocmd = 0x555555830af0 "af"
        ptr = 0x0
        log = <optimized out>
        cstr = <optimized out>
        core = 0x55555575b500 <r>
#23 0x00007ffff7b761bf in r_core_anal_all (core=core@entry=0x55555575b500 <r>) at anal.c:2018
        list = <optimized out>
        iter = <optimized out>
        item = 0x100
        fcni = <optimized out>
        binmain = <optimized out>
        entry = <optimized out>
        symbol = <optimized out>
        depth = 16
#24 0x00007ffff7b47ec1 in cmd_anal_all (input=<optimized out>, core=0x55555575b500 <r>) at cmd_anal.c:3749
        curseek = 0
#25 cmd_anal (data=0x55555575b500 <r>, input=0x55555581c5b1 "aa") at cmd_anal.c:4001
        r = <optimized out>
        core = 0x55555575b500 <r>
        tbs = 256
#26 0x00007ffff7b6f3bc in r_cmd_call (cmd=0x555555813070, input=<optimized out>) at cmd_api.c:210
        inp = <optimized out>
        nstr = 0x0
        ji = <optimized out>
        c = <optimized out>
        ret = <optimized out>
        iter = <optimized out>
        cp = <optimized out>
        input = 0x55555581c5b0 "aaa"
        cmd = 0x555555813070
#27 0x00007ffff7b4ac5a in r_core_cmd_subst_i (core=core@entry=0x55555575b500 <r>, cmd=cmd@entry=0x55555581c5b0 "aaa", colon=colon@entry=0x0) at cmd.c:1779
        quotestr = 0x7ffff7b9959a "`"
        ptr = <optimized out>
        ptr2 = <optimized out>
        str = <optimized out>
        arroba = 0x0
        i = <optimized out>
        ret = <optimized out>
        pipefd = <optimized out>
        usemyblock = 0
        rc = <optimized out>
#28 0x00007ffff7b2482c in r_core_cmd_subst (core=core@entry=0x55555575b500 <r>, cmd=<optimized out>, cmd@entry=0x55555582fae0 "aaa") at cmd.c:1240
        cr = 0x55555581c610 ""
        ret = 0
        rep = 0
        orep = 1
        cmt = <optimized out>
        colon = <optimized out>
        icmd = 0x55555581c5b0 "aaa"
        cmdrep = 0x555555841740 ""
        ocur_enabled = 0
#29 0x00007ffff7b24b87 in r_core_cmd (core=0x55555575b500 <r>, cstr=<optimized out>, log=<optimized out>) at cmd.c:2185
        rcmd = 0x55555582fae0 "aaa"
        ret = <optimized out>
        cmd = 0x55555582fae0 "aaa"
        ocmd = 0x55555582fae0 "aaa"
        ptr = 0x0
        log = <optimized out>
        cstr = <optimized out>
        core = 0x55555575b500 <r>
#30 0x0000555555558031 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at radare2.c:811
        lock = 0x0
        rabin_th = 0x0
        iter = <optimized out>
        cmdn = <optimized out>
        tmp = <optimized out>
        fh = <optimized out>
        patchfile = 0x0
        prj = 0x0
        debug = <optimized out>
        zflag = 0
        do_analysis = 2
        do_connect = <optimized out>
        fullfile = 0
        has_project = <optimized out>
        prefile = <optimized out>
        zerosep = false
        help = <optimized out>
        run_anal = 1
        run_rc = 1
        ret = <optimized out>
        i = <optimized out>
        c = <optimized out>
        perms = <optimized out>
        sandbox = 0
        baddr = 18446744073709551615
        seek = <optimized out>
        pfile = <optimized out>
        file = 0x0
        cmdfile = {0x7fffffffdc80 "\001", 0xffffefbd04a20000 <error: Cannot access memory at address 0xffffefbd04a20000>, 0x55555575ad80 "\001", 0x7ffff7de5f23 <_dl_map_object_deps+611> "H\213M\220H\205\311\017\205\267\b", 
          0x555500000001 <error: Cannot access memory at address 0x555500000001>, 0x7ffff7f749b0 "", 0x7fffffffdcb0 "\001", 0x7ffff7de20c4 <check_match+324> "\205\300\017\205m\377\377\377\351z\377\377\377\017\037\200", 
          0x55555575ad70 "\001", 0x3 <error: Cannot access memory at address 0x3>, 0x7ffff7ffe6a8 "", 0x7ffff7ffa1a8 "", 0x7ffff7ffa2b0 "", 0x7ffff7de28fa <do_lookup_x+2010> "H\203\304\060H\205\300\017\205\351\002", 
          0x3 <error: Cannot access memory at address 0x3>, 0x7ffff7ffa2b0 "", 0x7ffff7ffe6a8 "", 0x7ffff7de20c4 <check_match+324> "\205\300\017\205m\377\377\377\351z\377\377\377\017\037\200", 0x7fffffffdde4 "\377\177", 
          0xa6 <error: Cannot access memory at address 0xa6>, 0x7ffff7f71000 "", 0x7ffff46d0d80 "", 0x7ffff46ddff8 "", 0x7ffff7de28fa <do_lookup_x+2010> "H\203\304\060H\205\300\017\205\351\002", 
          0xa6 <error: Cannot access memory at address 0xa6>, 0x7ffff46ddff8 "", 0x7ffff7f71000 "", 0x7fffffffde38 "\330\336\377\377\377\177", 0x7fffffffde34 "\377\177", 
          0x7ffff7de2291 <do_lookup_x+369> "\205\300\017\205\025\b", 0x7ffff7f71000 "", 0x7ffff38f1fc5 "__libc_pthread_init"}
        debugbackend = 0x5555555592ce "native"
        asmarch = 0x7fffffffe68d "8051"
        asmos = 0x0
        forcebin = <optimized out>
        asmbits = 0x0
        mapaddr = <optimized out>
        quiet = 0
        is_gdb = <optimized out>
        cmds = 0x5555557bd010
        evals = 0x5555557bd030
        cmdfilei = 0
        va = <optimized out>

@cyrozap

cyrozap commented Apr 9, 2016

Apparently, Arch Linux's gcc adds -D_FORTIFY_SOURCE=2 to CFLAGS by default, which alters the code to defend against some buffer overflow attacks. Unfortunately, this also breaks vsnprintf() when there's something like "%3$d,0x10000,%2$d,+,=[1]," in the format string, with "%3$d" and "%2$d" being the "%N$" mentioned earlier.

The proper fix is to make libr/anal/p/anal_8051.c not use "%N$"-style code in its printf args, but since I'm not entirely sure how to do it, I've written a hacky temporary fix that just undefines _FORTIFY_SOURCE. The patch can be seen below:

diff --git a/global.mk b/global.mk
index 364a61a..a7c48ff 100644
--- a/global.mk
+++ b/global.mk
@@ -34,13 +34,13 @@ WWWROOT=${DATADIR}/radare2/${VERSION}/www
 ifneq ($(SILENT),)
    @echo LD $<
 endif
-   $(CC) $(LDFLAGS) -c $(CFLAGS) -o $@ $<
+   $(CC) $(LDFLAGS) -c $(CFLAGS) -U_FORTIFY_SOURCE -o $@ $<

 .c.o:
 ifneq ($(SILENT),)
    @echo "CC $(shell basename $<)"
 endif
-   $(CC) -c $(CFLAGS) -o $@ $<
+   $(CC) -c $(CFLAGS) -U_FORTIFY_SOURCE -o $@ $<

 -include $(TOP)/config-user.mk
 -include $(TOP)/mk/platform.mk
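Review bot: `-U_FORTIFY_SOURCE` is added to both generic rules here (the `$(CC) $(LDFLAGS) -c $(CFLAGS)` rule and the `.c.o` rule), so the buffer-overflow checks that fortify adds are dropped for every object in the tree to work around one plugin, `libr/anal/p/anal_8051.c`. Scope the undefine to that plugin's own compile flags instead, and record in the commit message that it is a stopgap until the `%N$` formats are rewritten. The placement is right as far as it goes: `-U_FORTIFY_SOURCE` after `$(CFLAGS)` is what actually overrides the distribution's `-D_FORTIFY_SOURCE=2`.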

@radare radare modified the milestones: 0.10.2, 1.0.0, 0.10.3 Apr 9, 2016
@radare
Collaborator

radare commented Apr 10, 2016

I don't like the idea of having to disable fortify, but I understand that changing that code is not easy and it will result in a big refactoring because the %$ syntax is hard to replace. I don't know which standard it conforms to and I wonder if that works on Bionic or Windows too.

@cyrozap

cyrozap commented Apr 10, 2016

Wikipedia says that %$ is a POSIX thing and not in any version of the C standard. It seems to work fine with fortify disabled so it should work on other operating systems, but of course that increases the risk of input causing buffer overflows.

@radare radare modified the milestones: 0.10.4, 0.10.3 May 16, 2016
@radare
Collaborator

radare commented May 18, 2016

Can you confirm this is still happening in master?

@XVilka
Contributor Author

XVilka commented May 18, 2016

@radare well, I have an idea - you won't believe this, but what about using radare2's own *printf implementations - for the standard formats it will fall back to the in-system printf, but it will add support for some very useful extensions.

@radare
Collaborator

radare commented May 18, 2016

The thing is that I can't find any %N$ in the 8051 code. There's a %N in the ARM disassembler, but it can be fixed. Not sure when this was having %N or %$.


@XVilka
Contributor Author

XVilka commented May 18, 2016

@radare still reproducible on the PaX-enabled Hardened Gentoo.

@radare
Collaborator

radare commented May 18, 2016

Can you point to the file:line?


@XVilka
Contributor Author

XVilka commented May 18, 2016

Not on this computer; maybe I will be lucky with the home one. This one has PTRACE disabled.

@cyrozap

cyrozap commented May 19, 2016

@radare The issue is still happening for me, which isn't surprising since the file the problem statements are in (libr/anal/p/anal_8051.c) hasn't been changed since this issue was first reported.

You can find the problem lines with this command:

grep -rn '%[0-9]\$'

Which produces this output:

libr/anal/p/anal_8051.c:38:#define BIT_R "%2$d,%1$d,[1],>>,1,&,"
libr/anal/p/anal_8051.c:43:#define ES_IB1 IRAM_BASE ",%2$d,+,"
libr/anal/p/anal_8051.c:44:#define ES_IB2 IRAM_BASE ",%3$d,+,"
libr/anal/p/anal_8051.c:45:#define ES_R0I "r%1$d,"
libr/anal/p/anal_8051.c:47:#define ES_R0  "r%1$d,"
libr/anal/p/anal_8051.c:48:#define ES_R1 "r%2$d,"
libr/anal/p/anal_8051.c:50:#define ES_L1 "%2$d,"
libr/anal/p/anal_8051.c:51:#define ES_L2 "%3$d,"
libr/anal/p/anal_8051.c:55:#define ESX_L1 "%2$hhd,"
libr/anal/p/anal_8051.c:56:#define ESX_L2 "%2$hhd,"
libr/anal/p/anal_8051.c:107:        k(BIT_R "&,?{,%2$d,1,<<,255,^,%1$d,&=[1],%3$hhd,3,+,pc,+=,}"); break;
libr/anal/p/anal_8051.c:109:        k(BIT_R "&,?{,%3$hhd,3,+,pc,+=,}"); break;
libr/anal/p/anal_8051.c:111:        k(BIT_R "&,!,?{,%3$hhd,3,+,pc,+=,}"); break;
libr/anal/p/anal_8051.c:140:    case 0xB2: /* cpl   */ k("%2$d,1,<<,%1$d,^=[1]"); break;
libr/anal/p/anal_8051.c:194:        /* mov */ h(IRAM_BASE ",%2$d,+,[1]," IRAM_BASE ",%2$d,+,=[1]"); break;
libr/anal/p/anal_8051.c:220:        h (XR(L1)  XR(A)   "!=,?{,%3$hhd,2,+pc,+=,}") break;
libr/anal/p/anal_8051.c:222:        h (XR(IB1) XR(A)   "!=,?{,%3$hhd,2,+pc,+=,}") break;
libr/anal/p/anal_8051.c:225:        j (XR(L1)  XR(R0I) "!=,?{,%3$hhd,2,+pc,+=,}") break;
libr/anal/p/anal_8051.c:231:        h (XR(L1)  XR(R0)  "!=,?{,%3$hhd,2,+pc,+=,}") break;
libr/anal/p/anal_8051.c:267:        /* movx */ j(XRAM_BASE "r%0$d,+,[1]," XW(A)); break;
libr/anal/p/anal_8051.c:284:        /* movx */ j(XR(A) XRAM_BASE "r%0$d,+,=[1]");
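The rule behind the abort, applied to the templates in the grep output above and to the `"%3$d,0x10000,%2$d,..."` string quoted earlier in this thread, as an added example that is neither radare2 nor glibc code: a fortified vsnprintf refuses a positional format that skips an argument number. The checker also flags mixing `%N$` with plain `%d`, which POSIX leaves undefined, and assumes at most 32 positional arguments.

```c
#include <ctype.h>
#include <stdio.h>

/* Added example, not radare2 or glibc code. It applies the rule that a
 * fortified glibc vsnprintf checks before aborting with
 * "*** invalid %N$ use detected ***": once a format uses positional
 * conversions (%N$), every argument number from 1 up to the highest N
 * must be referenced somewhere, so "%3$d ... %2$d" with no %1$ is fatal.
 * Mixing %N$ with plain %d is undefined under POSIX, so it is reported
 * as not OK here as well. Returns 1 if accepted, 0 if it would abort.
 * Assumption for brevity: at most 32 positional arguments. */
int positional_format_ok(const char *fmt) {
    unsigned used = 0;               /* bit N-1 set once %N$ was seen */
    int maxpos = 0, sequential = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;     /* "%%" is a literal percent sign */
        const char *q = p;
        int n = 0;
        while (isdigit((unsigned char)*q)) n = n * 10 + (*q++ - '0');
        if (n > 0 && *q == '$') {    /* "%N$": positional conversion */
            if (n > 32) return 0;
            used |= 1u << (n - 1);
            if (n > maxpos) maxpos = n;
            p = q;
        } else {
            sequential = 1;          /* plain "%d", "%08x", "%s", ... */
        }
        /* skip flags, width, precision and length modifiers */
        while (*p && !isalpha((unsigned char)*p)) p++;
        if (!*p) break;
    }
    if (sequential && maxpos) return 0;   /* mixed styles: undefined */
    if (!maxpos) return 1;                /* no positional arguments */
    unsigned need = (maxpos == 32) ? 0xffffffffu : (1u << maxpos) - 1;
    return used == need;                  /* every 1..maxpos referenced */
}

int main(void) {
    /* BIT_R from the grep output references %1$ and %2$; the second
     * template, quoted earlier in this issue, references %3$ and %2$ only. */
    const char *bit_r = "%2$d,%1$d,[1],>>,1,&,";
    const char *gap = "%3$d,0x10000,%2$d,+,=[1],";
    printf("%-28s %s\n", bit_r, positional_format_ok(bit_r) ? "ok" : "would abort");
    printf("%-28s %s\n", gap, positional_format_ok(gap) ? "ok" : "would abort");
    return 0;
}
```

Run against the listed macros, a template such as ESX_L1 (`"%2$hhd,"`) is only safe when it is concatenated with something that also references `%1$`.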

@radare
Collaborator

radare commented May 19, 2016

Does it build if you disable that plugin? Can we check if fortify is set from cpp? Maybe we can just avoid building this code in this case.


@Maijin
Contributor

Maijin commented Jun 29, 2016

ping

@radare
Collaborator

radare commented Jun 29, 2016

Well, the issue is there, but the code is not easily refactorable to get rid of that %N$ thing :(


@XVilka XVilka modified the milestones: 0.10.5, 0.10.4 Jun 29, 2016
@XVilka
Contributor Author

XVilka commented Jun 29, 2016

Not a priority, moving to the next milestone.

@radare radare modified the milestones: 1.x, 0.10.5 Aug 14, 2016
@radare radare modified the milestones: 1.1.0, 1.0.0 Nov 6, 2016
@radare radare modified the milestones: 9999, 1.1.0 Dec 18, 2016
@astuder
Contributor

astuder commented Jan 31, 2018

I recently removed all uses of %N$ from the 8051 analyzer. The grep suggested by @cyrozap comes up empty.

Can someone verify that this issue is resolved?

@Maijin
Contributor

Maijin commented Feb 2, 2018

Let's close this for now.

@Maijin Maijin closed this as completed Feb 2, 2018
@cyrozap

cyrozap commented Feb 3, 2018

Running on git master:

radare2 2.3.0 17180 @ linux-x86-64 git.2.2.0-372-g207e8596c
commit: 207e8596cdfcd4a4c6d64571060e9d01e1cc1b34 build: 2018-02-03__16:58:34

It doesn't crash now, but I do get the following errors:

$ r2 -a 8051 flash.bin
Cannot set bits 64 to '8051'
Cannot set bits 64 to '8051'

The 8051 is an 8-bit CPU, not a 64-bit one, so I'm not sure where that "bits 64" is coming from or if that's now interfering with anything. Regardless, it seems to work now, so I think we can keep this issue closed.

@cyrozap

cyrozap commented Feb 3, 2018

Thanks for fixing this, @astuder!

@astuder
Contributor

astuder commented Feb 4, 2018

@cyrozap The 64-bit error is because r2 tries to initialize to its defaults (asm.cpu=x86 asm.bits=64) a few times during startup. Not sure how to fix that, but I didn't see any negative impact in practice so far either.
