DynamoRIO / dynamorio / Issues / #3978 (Closed)
Issue created Dec 10, 2019 by Administrator@root (Contributor)

CRASH (7.91.18219) pc is null in decode_sizeof

Created by: TomSie

Describe the bug
I am trying to run a Linux x64 application, which I unfortunately cannot publish, in DynamoRIO. When I run "drrun -t drcov -- application", DynamoRIO crashes in "decode_sizeof" because "pc" is "null" (core/arch/x86/decode_fast.c:469).

Callstack:
    decode_sizeof   in decode_fast.c:465
    decode_cti      in decode_fast.c:1314
    decode_fragment in interp.c:7267

The error output is:

Application application (14798).  DrCov internal crash at PC 0x00000000712564f0.  Please report this at http://dynamorio.org/issues.  Program aborted.
Received SIGSEGV at pc 0x00000000712564f0 in thread 15154
Base: 0x0000000071000000
Registers:eax=0x0000000000000000 ebx=0x0000000000000200 ecx=0x00007fff34045a54 edx=0x00007fff34045a58
        esi=0x0000000000000000 edi=0x00007fff33b45b40 esp=0x00007fff340459d0 ebp=0x00007fff34045a20
        r8 =0x00007fff34045a5e r9 =0x00007fff34045ca4 r10=0x0000000000000000 r11=0x0000000000000246
        r12=0x524409d81dfa1097 r13=0xfdb854c350745776 r14=0x23f6b0b430d5da0f r15=0x4bf3295900c90260
        eflags=0x0000000000010202
version 7.91.18219, custom build
-no_dynamic_options -client_lib '/home/csafuzz/fluffi/persistent/x64/dynamorio/bin64/../clients/lib64/debug/libdrcov.so;0;' -code_api -stack_size 56K -signal_stack_size 32K -nop_initial_bblock -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native
0x00007fff34045a20 0x00000000712571d4
0x00007fff34045ae0 0x0000000071273127
0x00007fff34045c60 0x0000000071270999
0x00007fff34045cf0 0x0000000071186677
0x00007fff34045d40 0x000000007118a0aa
0x00007fff34045f10 0x00000000710c3e83
0x00007fff34045ff0 0x00007fffb3c52f0d
0x00007fff2c025140 0x90789812acf12b15

When I run "drrun -- application", I get signal 4 (SIGILL?) in libcrypto.

Application application (48921).  Application exception at PC 0x00007ffff68dae60.  
Signal 4 delivered to application as default action.
Callstack:
	0x00007ffff68dae60   libcrypto.so.1.1+0xdce60
	0xcbf6244203b11a7f  

The crash seems to be inside the "__bn_postx4x_internal" function. The disassembly there is:

   0x00007ffff68dae50:	mov    0x0(%rbp),%r12
   0x00007ffff68dae54:	mov    0x8(%rbp),%r13
   0x00007ffff68dae58:	mov    0x10(%rbp),%r14
   0x00007ffff68dae5c:	mov    0x18(%rbp),%r15
   0x00007ffff68dae60:	andn   %rax,%r12,%r12
   0x00007ffff68dae65:	lea    0x20(%rbp),%rbp
   0x00007ffff68dae69:	andn   %rax,%r13,%r13
   0x00007ffff68dae6e:	andn   %rax,%r14,%r14

Versions
I am using DynamoRIO commit dadb8ff2, with "-DDEBUG=ON".

Reproducing
I am aware that most likely you cannot reproduce the issue on your side without my giving you the binary. However, maybe you could tell me how I could extract the info you need to understand the issue.
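The instruction at the faulting address in the report, `andn`, is a VEX-encoded BMI1 instruction; a binary that cannot be shared can still be reduced to a stand-alone reproducer that executes the same instruction form. The following is an added example, not the reporter's code and not part of DynamoRIO: it checks CPUID for BMI1 so that it does not raise SIGILL on hardware that lacks the extension, executes `andn` in the same AT&T operand order as the listing above (`andn src2, src1, dest` computing `dest = ~src1 & src2`), and compares the result with the portable definition. The function names (`cpu_has_bmi1`, `andn_hw`, `andn_portable`, `andn_selftest`) are this example's own. Build with `gcc -O2 -o andn_repro andn_repro.c`, run it natively first, then under `drrun -- ./andn_repro` and `drrun -t drcov -- ./andn_repro`.

```c
/* Added example: minimal BMI1 ANDN reproducer (not from the issue or DynamoRIO). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reference semantics of ANDN: dest = ~src1 & src2. */
static uint64_t andn_portable(uint64_t src1, uint64_t src2)
{
    return ~src1 & src2;
}

/* 1 if CPUID reports BMI1 (leaf 7, sub-leaf 0, EBX bit 3), else 0.
 * Leaf 0 is queried first so leaf 7 is only read when the CPU supports it. */
static int cpu_has_bmi1(void)
{
#if defined(__x86_64__)
    uint32_t eax = 0, ebx, ecx = 0, edx;
    __asm__ volatile("cpuid" : "+a"(eax), "=b"(ebx), "+c"(ecx), "=d"(edx));
    if (eax < 7)
        return 0;
    eax = 7;
    ecx = 0;
    __asm__ volatile("cpuid" : "+a"(eax), "=b"(ebx), "+c"(ecx), "=d"(edx));
    return (int)((ebx >> 3) & 1u);
#else
    return 0;
#endif
}

/* Executes the VEX-encoded BMI1 ANDN, the same form as "andn %rax,%r12,%r12"
 * in the report. Callers must check cpu_has_bmi1() first; non-x86-64 builds
 * fall back to the portable definition so the file still compiles. */
static uint64_t andn_hw(uint64_t src1, uint64_t src2)
{
#if defined(__x86_64__)
    uint64_t dest;
    __asm__ volatile("andn %2, %1, %0" : "=r"(dest) : "r"(src1), "r"(src2));
    return dest;
#else
    return andn_portable(src1, src2);
#endif
}

/* Runs the hardware instruction over constructed inputs (not taken from the
 * report) and compares against the portable definition.
 * Returns 1 if BMI1 ran and every result matched, 0 if BMI1 is not advertised
 * (nothing was executed), -1 on a mismatch. */
static int andn_selftest(void)
{
    static const uint64_t vec[][2] = {
        { 0x0000000000000000ull, 0x123456789abcdef0ull }, /* all-zero mask keeps src2 */
        { 0xffffffffffffffffull, 0x123456789abcdef0ull }, /* all-ones mask clears it  */
        { 0x00000000000000ffull, 0x123456789abcdef0ull },
        { 0x8000000000000001ull, 0xffffffffffffffffull },
    };
    if (!cpu_has_bmi1())
        return 0;
    for (size_t i = 0; i < sizeof vec / sizeof vec[0]; i++)
        if (andn_hw(vec[i][0], vec[i][1]) != andn_portable(vec[i][0], vec[i][1]))
            return -1;
    return 1;
}

int main(void)
{
    int r = andn_selftest();
    if (r == 0)
        puts("BMI1 not advertised by CPUID: ANDN would SIGILL natively too");
    else if (r == 1)
        puts("ANDN executed and matched the portable definition");
    else
        puts("ANDN result mismatch");
    return r < 0;
}
```

If the native run reports BMI1 as absent, a SIGILL in `__bn_postx4x_internal` is a hardware or CPU-feature-masking problem rather than a DynamoRIO one. If the native run passes but the same binary faults or crashes in `decode_sizeof` under `drrun`, this file is a small reproducer that can be attached to the issue in place of the private application.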
