Skip to content

crash when parsing ELF #2569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Kyle-Kyle opened this issue Mar 30, 2025 · 6 comments
Open

crash when parsing ELF #2569

Kyle-Kyle opened this issue Mar 30, 2025 · 6 comments
Labels
backport-required bug

Comments

@Kyle-Kyle
Copy link
Contributor

Reproduce:

[ins] In [1]: from pwn import *
[ins] In [2]: ELF('ALLSTAR_aplus-fsf-el_libMSTypes.so.0.0.0')
Aborted (core dumped)

where the binary is from https://allstar.jhuapl.edu/repo/p1/amd64/aplus-fsf/libMSTypes.so.0.0.0

The coredump suggests this is a libunicorn bug
@Kyle-Kyle
Copy link
Contributor Author 

gef➤  bt
#0  __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=0x6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
#3  0x000073349fe4527e in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
#4  0x000073349fe288ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000733494dba299 in temp_load[cold] () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#6  0x0000733494df95b9 in tcg_gen_code_x86_64 () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#7  0x0000733494e210b7 in tb_gen_code_x86_64 () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#8  0x0000733494e054af in cpu_exec_x86_64 () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#9  0x0000733494dcb034 in resume_all_vcpus_x86_64 () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#10 0x0000733494dbe906 in uc_emu_start () from /home/kylebot/.virtualenvs/angr/lib/python3.12/site-packages/unicorn/lib/libunicorn.so.2
#11 0x000073349f0bfb16 in ?? () from /lib/x86_64-linux-gnu/libffi.so.8
#12 0x000073349f0bc3ef in ?? () from /lib/x86_64-linux-gnu/libffi.so.8
#13 0x000073349f0bf0be in ffi_call () from /lib/x86_64-linux-gnu/libffi.so.8
#14 0x000073349f0eb11c in ?? () from /usr/lib/python3.12/lib-dynload/_ctypes.cpython-312-x86_64-linux-gnu.so
#15 0x000073349f0e62af in ?? () from /usr/lib/python3.12/lib-dynload/_ctypes.cpython-312-x86_64-linux-gnu.so
#16 0x0000000000549185 in _PyObject_MakeTpCall ()
#17 0x00000000005d73c9 in _PyEval_EvalFrameDefault ()
#18 0x000000000054a9d2 in _PyObject_Call_Prepend ()
#19 0x000000000059e09f in ?? ()
#20 0x0000000000599b63 in ?? ()
#21 0x0000000000549185 in _PyObject_MakeTpCall ()
#22 0x00000000005d73c9 in _PyEval_EvalFrameDefault ()
#23 0x00000000005d58eb in PyEval_EvalCode ()
#24 0x00000000005d347c in ?? ()
#25 0x00000000005da8aa in _PyEval_EvalFrameDefault ()
#26 0x0000000000555b8f in ?? ()
#27 0x00000000005d9c5f in _PyEval_EvalFrameDefault ()
#28 0x000000000054cd94 in ?? ()
#29 0x000000000054b3b5 in PyObject_Call ()
#30 0x00000000005db55b in _PyEval_EvalFrameDefault ()
#31 0x00000000005d58eb in PyEval_EvalCode ()
#32 0x0000000000608b42 in ?? ()
#33 0x00000000006b4e93 in ?? ()
#34 0x00000000006b4bfa in _PyRun_SimpleFileObject ()
#35 0x00000000006b4a2f in _PyRun_AnyFileObject ()
#36 0x00000000006bca95 in Py_RunMain ()
#37 0x00000000006bc57d in Py_BytesMain ()
#38 0x000073349fe2a1ca in __libc_start_call_main (main=main@entry=0x5189b0, argc=argc@entry=0x2, argv=argv@entry=0x7ffe5160dcb8) at ../sysdeps/nptl/libc_start_call_main.h:58
#39 0x000073349fe2a28b in __libc_start_main_impl (main=0x5189b0, argc=0x2, argv=0x7ffe5160dcb8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe5160dca8)
    at ../csu/libc-start.c:360
#40 0x0000000000657ce5 in _start ()

@Kyle-Kyle
Copy link
Contributor Author

I'm using the latest pwntools stable branch, commit 9e0ca3a

@Kyle-Kyle
Copy link
Contributor Author

seems to only happen when installed alongside angr

@Arusekk
Copy link
Member

Arusekk commented Mar 31, 2025

What Unicorn version do you have? Looks a bit like #2560 and other Unicorn issues.

e.g. pip freeze |grep unicorn

@Kyle-Kyle
Copy link
Contributor Author

the result shows unicorn==2.0.1.post1, which is likely the version pinned by angr

@intrigus-lgtm
Copy link

intrigus-lgtm commented Apr 3, 2025
edited
Loading

This very much looks like a duplicate of what I just wanted to report 😆

import unicorn as U

print("Unicorn version:", U.__version__)
uc = U.Uc(U.UC_ARCH_X86, U.UC_MODE_64)
uc.mem_map(0, 0x1000)
uc.mem_write(0, b"\xff\xef")
uc.emu_start(0, until=-1, count=1)

This fails with unicorn 2.0.1, but works with 2.1.x.
I'm getting a similar backtrace in gdb.

(This was reduced from parsing an ELF and the plt emulation)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backport-required bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Kyle-Kyle @Arusekk @intrigus-lgtm