Use of uninitialized memory in sparc disassembler #877

Closed
radare opened this issue Mar 22, 2017 · 8 comments

Comments

@radare
Contributor

radare commented Mar 22, 2017

Reproducer:

valgrind rasm2 -a sparc -d bb400000
...

also it can be reproduced with cstool:

$ ./cstool sparc bb400000
Segmentation fault: 11

This issue was initially reported in radareorg/radare2#7068 by @mtowalski

$ valgrind ./cstool sparc bb400000
==13568== Memcheck, a memory error detector
==13568== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13568== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==13568== Command: ./cstool sparc bb400000
==13568==
--13568-- run: /usr/bin/dsymutil "./cstool"
==13568== Conditional jump or move depends on uninitialised value(s)
==13568==    at 0x100104CFE: printOperand (SparcInstPrinter.c:171)
==13568==    by 0x1001044BF: printInstruction (SparcGenAsmWriter.inc:851)
==13568==    by 0x1000E8F9B: Sparc_printInst (SparcInstPrinter.c:445)
==13568==    by 0x100006075: cs_disasm (cs.c:664)
==13568==    by 0x100001426: main (in ./cstool)
==13568==
==13568== Use of uninitialised value of size 8
==13568==    at 0x10010534F: getRegisterName (SparcGenAsmWriter.inc:1205)
==13568==    by 0x1001052E3: printRegName (SparcInstPrinter.c:96)
==13568==    by 0x100104D20: printOperand (SparcInstPrinter.c:173)
==13568==    by 0x1001044BF: printInstruction (SparcGenAsmWriter.inc:851)
==13568==    by 0x1000E8F9B: Sparc_printInst (SparcInstPrinter.c:445)
==13568==    by 0x100006075: cs_disasm (cs.c:664)
==13568==    by 0x100001426: main (in ./cstool)
==13568==
==13568== Conditional jump or move depends on uninitialised value(s)
==13568==    at 0x100105F30: Sparc_map_register (SparcMapping.c:565)
==13568==    by 0x100104D28: printOperand (SparcInstPrinter.c:174)
==13568==    by 0x1001044BF: printInstruction (SparcGenAsmWriter.inc:851)
==13568==    by 0x1000E8F9B: Sparc_printInst (SparcInstPrinter.c:445)
==13568==    by 0x100006075: cs_disasm (cs.c:664)
==13568==    by 0x100001426: main (in ./cstool)
==13568==
0  bb400000  rd	%y, %f10
==13568==
==13568== HEAP SUMMARY:
==13568==     in use at exit: 26,370 bytes in 185 blocks
==13568==   total heap usage: 277 allocs, 92 frees, 42,006 bytes allocated
==13568==
@aquynh
Collaborator

aquynh commented Mar 22, 2017

any expected output for this input?

@alvarofe
Contributor

More hints

=================================================================
==59101==ERROR: AddressSanitizer: SEGV on unknown address 0x0001f61fc5ee (pc 0x00010b4bf8b9 bp 0x7fff557933e0 sp 0x7fff557933c0 T0)
    #0 0x10b4bf8b8 in getRegisterName SparcGenAsmWriter.inc:1205
    #1 0x10b4bf7f7 in printRegName SparcInstPrinter.c:97
    #2 0x10b4bdef3 in printOperand SparcInstPrinter.c:174
    #3 0x10b4bd202 in printInstruction SparcGenAsmWriter.inc:851
    #4 0x10b4a1732 in Sparc_printInst SparcInstPrinter.c:446

Here we have this

  return AsmStrs+RegAsmOffset[RegNo-1];

Being RegNo == 1968727736

@aquynh
Collaborator

aquynh commented Mar 22, 2017 via email

@alvarofe
Contributor

The important thing is to fix the crash, since capstone might be fed wrong data and should be resilient against that. Regarding whether it is valid code or not, I am not familiar with sparc but with bb400000 you should figure it out. This is what sparc.gnu throws

air:r2 alvaro$ r2 -
 -- How about Global Thermonuclear War?
[0x00000000]> e asm.arch=sparc.gnu
[0x00000000]> wx bb400000
[0x00000000]> pd 1
            0x00000000      bb400000       rd  %y, %i5
[0x00000000]> e asm.arch=sparc
[0x00000000]> pd 1
ASAN:DEADLYSIGNAL
=================================================================
==86313==ERROR: AddressSanitizer: SEGV on unknown address 0x0001f6c555ee (pc 0x00010bf188f9 bp 0x7fff54d3a1e0 sp 0x7fff54d3a1c0 T0)
    #0 0x10bf188f8 in getRegisterName SparcGenAsmWriter.inc:1205
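An added example, not Capstone's own code, contrasting the quoted `AsmStrs+RegAsmOffset[RegNo-1]` lookup with a range-checked one, and decoding the format-3 fields of bb400000 into the `rd %y, %i5` that sparc.gnu prints above. The register table and its id layout are constructed stand-ins, not the generated Capstone tables.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the generated AsmStrs/RegAsmOffset tables in
 * SparcGenAsmWriter.inc. Ids are 1-based, 0 means "no register"; the id
 * layout (1..32 = %g0..%i7, 33 = %y, 34 = %f10) is hypothetical. */
static const char *const kRegNames[] = {
    "g0","g1","g2","g3","g4","g5","g6","g7",
    "o0","o1","o2","o3","o4","o5","o6","o7",
    "l0","l1","l2","l3","l4","l5","l6","l7",
    "i0","i1","i2","i3","i4","i5","i6","i7",
    "y","f10",
};
#define NUM_REGS (sizeof kRegNames / sizeof kRegNames[0])
/* Hardened form of `AsmStrs+RegAsmOffset[RegNo-1]`: id 0 would wrap to
 * index UINT_MAX and a garbage id (1968727736 in the ASan report) would read
 * far past the table, so both are rejected before any memory is touched. */
static const char *reg_name_checked(unsigned reg_no)
{
    if (reg_no == 0 || reg_no > NUM_REGS) return NULL;
    return kRegNames[reg_no - 1];
}

typedef struct { unsigned op, rd, op3, rs1; } SparcFmt3; /* format-3 fields */
static SparcFmt3 decode_fmt3(uint32_t insn)
{
    SparcFmt3 f;
    f.op  = (insn >> 30) & 0x3;   /* 2 = arithmetic/logical/special group */
    f.rd  = (insn >> 25) & 0x1f;  /* destination register, 0..31 */
    f.op3 = (insn >> 19) & 0x3f;  /* 0x28 = RDY/RDASR */
    f.rs1 = (insn >> 14) & 0x1f;  /* 0 selects %y for RDY */
    return f;
}

/* Prints "rd %y, %<rd>" for the RDY %y encoding; returns -1 if the word is
 * not that encoding or the destination id fails the range check (no OOB read). */
static int render_rdy(uint32_t insn, char *out, size_t out_len)
{
    SparcFmt3 f = decode_fmt3(insn);
    if (f.op != 2 || f.op3 != 0x28 || f.rs1 != 0)
        return -1;
    const char *dst = reg_name_checked(f.rd + 1);  /* 5-bit field -> 1-based id */
    if (dst == NULL)
        return -1;
    snprintf(out, out_len, "rd %%y, %%%s", dst);
    return 0;
}
```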

@aquynh
Collaborator

aquynh commented Mar 22, 2017 via email

@dequis

dequis commented Apr 16, 2017

That is why expected output is important

As per radareorg/radare2#7068 this is the result of fuzzing so I don't think any output was expected other than not crashing.

@aquynh
Collaborator

aquynh commented May 6, 2017

so the right result is to say this is invalid code?

@kabeor
Member

kabeor commented Dec 30, 2021

Closing this issue for now because it is legacy; we are preparing to release Capstone 5.0, plz feel free to open a new issue if it still has this issue.
thx :)

@kabeor kabeor closed this as completed Dec 30, 2021