New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x32dbg: analysis triggers breakpoint in Zydis::operator[] #1750

Closed
Mattiwatti opened this Issue Oct 9, 2017 · 3 comments

Comments

Projects
None yet
3 participants
@Mattiwatti
Contributor

Mattiwatti commented Oct 9, 2017

Debugger version: current git (Oct 9 2017)
OS version: Windows 7 through 10 (XP not tested)
Bitness:: x86 only (meaning x32dbg - the OS can be either)

Description
A DebugBreak() is issued in Zydis::operator[]

Reproduction steps

  • Open any executable, e.g. x32dbg.exe itself, and wait for the initial (system or entry) breakpoint.
  • Enter the "anal" command.
  • An int 3 breakpoint will trigger.

Example stacktrace (sorry for the WinDbg-ness, I just happened to have a kernel debugger attached and didn't want to detach it for other reasons):
Stack

Note: xAnalyzer is in the above stacktrace, but it is only executing DbgCmdExecDirect("anal"). I later removed the plugin and reproduced the crash again by entering the same command manually.

As you can see the break conditions are

if(!Success() || index < 0 || index >= OpCount())
  DebugBreak();

The first two evaluate to false, but index and OpCount() are both 0 meaning the latter triggers the breakpoint. Since OpCount() returns mVisibleOpCount, there is a condition where mSuccess = true but mVisibleOpCount = 0 (presumably they are mutually exclusive?).

Zydis::Disassemble(size_t addr, const unsigned char* data, int size) can produce the above scenario if the operand visibility is ZYDIS_OPERAND_VISIBILITY_HIDDEN for all operand(s), since this will set mSuccess to true and make the function return true, but leave mVisibleOpCount set to 0. My stab in the dark (since I don't even know the exact instruction) is that Disassemble() should simply set mSuccess to false and return false if there are no visible operands. Doing this fixed the crash for me at least. But maybe there's an additional underlying issue meaning the instruction is disassembled incorrectly. Is ZYDIS_OPERAND_VISIBILITY_HIDDEN supposed to be true for instructions with no operands (nop, hlt, ...), or is it something else entirely?

@mrexodia

This comment has been minimized.

Show comment
Hide comment
@mrexodia
Member

mrexodia commented Oct 9, 2017

ping @athre0z

@athre0z

This comment has been minimized.

Show comment
Hide comment
@athre0z

athre0z Oct 9, 2017

Contributor

Thanks for the extensive report! The issue is unrelated to visibility of operands, it was something I messed up in the progress of porting from Capstone to Zydis. #1751 fixes the issue.

Contributor

athre0z commented Oct 9, 2017

Thanks for the extensive report! The issue is unrelated to visibility of operands, it was something I messed up in the progress of porting from Capstone to Zydis. #1751 fixes the issue.

@Mattiwatti

This comment has been minimized.

Show comment
Hide comment
@Mattiwatti

Mattiwatti Oct 10, 2017

Contributor

Thanks! I'll verify the fix and close the issue as soon as the PR gets merged. (Not doubting the fix works - it's just that any git command involving more than fetch or pull, especially with more than one remote, tends to somehow destroy my hard drive. I swear it's not me that's incompentent, it's git.)

Contributor

Mattiwatti commented Oct 10, 2017

Thanks! I'll verify the fix and close the issue as soon as the PR gets merged. (Not doubting the fix works - it's just that any git command involving more than fetch or pull, especially with more than one remote, tends to somehow destroy my hard drive. I swear it's not me that's incompentent, it's git.)

@mrexodia mrexodia added the bug label Oct 10, 2017

@mrexodia mrexodia closed this in c5c3358 Oct 10, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment