
Segfault when decoding .text directive

Open thomasfinch opened this issue 8 years ago • 2 comments

~> ./kstool x32 ".text"
fish: './kstool x32 ".text"' terminated by signal SIGSEGV (Address boundary error)

I've replicated this crash using both kstool and a Python script. In Python I used the current version from pip, and I built kstool from a fresh clone of this repo. The crash happens regardless of the chosen architecture or where the .text directive is in the instruction list (e.g. ./kstool x32 "nop; ret; .text" also segfaults). All other directives seem to work fine.

thomasfinch, Mar 14 '17 18:03

Same for me:

(lldb) bt

* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x0000000105cd7660 libkeystone.0.dylib`llvm::MCAssembler::registerSymbol(llvm::MCSymbol const&, bool*)
    frame #1: 0x0000000105ce142e libkeystone.0.dylib`llvm::MCELFStreamer::ChangeSection(llvm::MCSection*, llvm::MCExpr const*) + 126
    frame #2: 0x0000000105d17c77 libkeystone.0.dylib`llvm::MCStreamer::SwitchSection(llvm::MCSection*, llvm::MCExpr const*) + 71
    frame #3: 0x0000000105d0b898 libkeystone.0.dylib`(anonymous namespace)::DarwinAsmParser::parseSectionSwitch(char const*, char const*, unsigned int, unsigned int, unsigned int) + 264
    frame #4: 0x0000000105cf9d63 libkeystone.0.dylib`(anonymous namespace)::AsmParser::parseStatement((anonymous namespace)::ParseStatementInfo&, llvm::MCAsmParserSemaCallback*, unsigned long long&) + 3267
    frame #5: 0x0000000105cefc2b libkeystone.0.dylib`(anonymous namespace)::AsmParser::Run(bool, unsigned long long, bool) + 715
    frame #6: 0x0000000105e8ceaa libkeystone.0.dylib`ks_asm + 1098
    frame #7: 0x0000000105cc8283 kstool`main + 2099
    frame #8: 0x00007fffae912235 libdyld.dylib`start + 1
    frame #9: 0x00007fffae912235 libdyld.dylib`start + 1

widgetii, Oct 05 '17 18:10

Looks like this happens because kstool somehow mixes MCELFStreamer and MCSectionMachO. MCELFStreamer::ChangeSection accepts a generic MCSection and casts it to MCSectionELF; but somehow it is given MCSectionMachO which should not normally be cast to MCSectionELF. I didn't understand the code enough to find the root cause. I hope someone more familiar with the codebase will help and track this issue down.

Here is my traceback (using the current repo version):

$ gdb --args ./kstool/kstool x32 .text
...
(gdb) run
...
Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  llvm_ks::MCAssembler::registerSymbol (this=this@entry=0xa082b0, Symbol=..., Created=Created@entry=0x0) at /tmp/keystone/llvm/lib/MC/MCAssembler.cpp:431
#1  0x0000000000430eb4 in llvm_ks::MCELFStreamer::ChangeSection (this=0xa08110, Section=0xa0d290, Subsection=0x0) at /tmp/keystone/llvm/lib/MC/MCELFStreamer.cpp:152
#2  0x000000000045d1db in llvm_ks::MCStreamer::SwitchSection (this=0xa08110, Section=0xa0d290, Subsection=0x0) at /tmp/keystone/llvm/lib/MC/MCStreamer.cpp:744
#3  0x00000000004546f4 in (anonymous namespace)::DarwinAsmParser::parseSectionSwitch (this=0xa09360, Segment=0x61961c "__TEXT", Section=0x61962e "__text", TAA=2147483648, Align=0, StubSize=0)
    at /tmp/keystone/llvm/lib/MC/MCParser/DarwinAsmParser.cpp:393
#4  0x000000000044e4ab in (anonymous namespace)::AsmParser::parseStatement (this=this@entry=0xa08ec0, Info=..., SI=SI@entry=0x0, Address=@0x7fffffff9ba8: 0)
    at /tmp/keystone/llvm/lib/MC/MCParser/AsmParser.cpp:1712
#5  0x00000000004521d2 in (anonymous namespace)::AsmParser::Run (this=0xa08ec0, NoInitialTextSection=<optimized out>, Address=<optimized out>, NoFinalize=false)
    at /tmp/keystone/llvm/lib/MC/MCParser/AsmParser.cpp:712
#6  0x0000000000425e1b in ks_asm (ks=0xa00c70, assembly=<optimized out>, address=0, insn=0x7fffffffa810, insn_size=0x7fffffffa818, stat_count=0x7fffffffa808) at /tmp/keystone/llvm/keystone/ks.cpp:691
#7  0x000000000040dcb5 in main (argc=<optimized out>, argv=0x7fffffffad78) at /tmp/keystone/kstool/kstool.cpp:329

MarSoft, Dec 19 '24 01:12
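The failure mode MarSoft describes (an ELF streamer downcasting a generic section that is actually a Mach-O section) is a type-confusion pattern worth seeing in isolation. The following is an added example, not keystone or LLVM code and not posted by anyone in this thread. It models the two section kinds with a small LLVM-style kind tag and a minimal dyn_cast, shows the unchecked downcast as the bug pattern, and shows the checked form that turns the mismatch into a diagnostic instead of a crash. All class and function names (Section, ELFSection, MachOSection, changeSectionUnchecked, changeSectionChecked, darwinParseSectionSwitch, elfParseSectionSwitch) are hypothetical stand-ins for MCSection, MCSectionELF, MCSectionMachO, MCELFStreamer::ChangeSection and the two directive parsers; the segment, section name and TAA value for the Mach-O section are taken from the gdb frame #3 above, and the ELF flags value 0x6 (SHF_ALLOC | SHF_EXECINSTR) is assumed.

```cpp
// Added illustration of the section-kind mismatch, not keystone/LLVM code.
// Class and function names are hypothetical stand-ins for the LLVM types
// named in the backtraces above.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

struct Section {
    enum Kind { SK_ELF, SK_MachO };
    Section(Kind k, std::string n) : kind(k), name(std::move(n)) {}
    virtual ~Section() = default;
    Kind getKind() const { return kind; }
    const std::string &getName() const { return name; }
private:
    Kind kind;
    std::string name;
};

// Stand-in for MCSectionELF: carries ELF section flags.
struct ELFSection : Section {
    ELFSection(std::string n, uint32_t flags)
        : Section(SK_ELF, std::move(n)), flags(flags) {}
    uint32_t flags;
    static bool classof(const Section *s) { return s->getKind() == SK_ELF; }
};

// Stand-in for MCSectionMachO: different layout, carries segment and TAA.
struct MachOSection : Section {
    MachOSection(std::string segment, std::string n, uint32_t taa)
        : Section(SK_MachO, std::move(n)), segment(std::move(segment)), taa(taa) {}
    std::string segment;  // "__TEXT" in gdb frame #3 above
    uint32_t taa;         // section type and attributes (2147483648 above)
    static bool classof(const Section *s) { return s->getKind() == SK_MachO; }
};

// Minimal LLVM-style dyn_cast: null when the runtime kind does not match.
template <typename To>
To *dyn_cast(Section *s) {
    return (s && To::classof(s)) ? static_cast<To *>(s) : nullptr;
}

// Bug pattern: the ELF streamer downcasts whatever section it is handed.
// Calling this with a MachOSection is undefined behaviour (the field read
// lands inside an unrelated object); in keystone the analogous path ends
// in the registerSymbol crash shown in the backtraces.
uint32_t changeSectionUnchecked(Section *s) {
    ELFSection *elf = static_cast<ELFSection *>(s);  // no kind check
    return elf->flags;
}

// Hardened form: verify the kind first; on mismatch return false with a
// diagnostic instead of touching memory through the wrong type.
bool changeSectionChecked(Section *s, uint32_t &flagsOut, std::string &err) {
    ELFSection *elf = dyn_cast<ELFSection>(s);
    if (!elf) {
        err = "section '" + s->getName() +
              "' is not an ELF section (streamer/section kind mismatch)";
        return false;
    }
    flagsOut = elf->flags;
    return true;
}

// Models what `.text` does under a Darwin-style directive parser: it builds
// a Mach-O __TEXT,__text section regardless of which streamer is active.
std::unique_ptr<Section> darwinParseSectionSwitch() {
    return std::make_unique<MachOSection>("__TEXT", "__text", 0x80000000u);
}

// Models `.text` under an ELF directive parser (flags value assumed).
std::unique_ptr<Section> elfParseSectionSwitch() {
    return std::make_unique<ELFSection>(".text", 0x6u /* SHF_ALLOC|SHF_EXECINSTR */);
}
```

The checked variant is what a reviewer would want at the boundary where a parser hands a section to a streamer: the object-file format chosen for the streamer and the one assumed by the directive parser must agree, and when they do not, the cheapest safe outcome is an assembler error rather than a read through a mis-typed pointer.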