
Address Overflow in subtract: 00000000 - 0x10000

Open Mask6asok opened this issue 3 years ago • 5 comments

I use Ghidra to analyze a u-boot.bin. At the beginning, I just set the base address to 0. When I found that the true base address is 0x21000000 and used Set Image Base to modify it, this appeared:

Address Overflow in subtract: 00000000 - 0x10000
ghidra.program.model.address.AddressOutOfBoundsException: Address Overflow in subtract: 00000000 - 0x10000
	at ghidra.program.model.address.AbstractAddressSpace.add(AbstractAddressSpace.java:437)
	at ghidra.program.model.address.GenericAddressSpace.add(GenericAddressSpace.java:21)
	at ghidra.program.model.address.GenericAddress.add(GenericAddress.java:237)
	at ghidra.program.database.symbol.SymbolManager.fixupPinnedSymbolsAfterRebase(SymbolManager.java:2369)
	at ghidra.program.database.symbol.SymbolManager.imageBaseChanged(SymbolManager.java:2357)
	at ghidra.program.database.ProgramDB.setImageBase(ProgramDB.java:1362)
	at ghidra.app.plugin.core.memory.SetBaseCommand.applyTo(ImageBaseDialog.java:143)
	at ghidra.framework.plugintool.mgr.ToolTaskManager.applyCommand(ToolTaskManager.java:143)
	at ghidra.framework.plugintool.mgr.ToolTaskManager.execute(ToolTaskManager.java:113)
	at ghidra.framework.plugintool.PluginTool.execute(PluginTool.java:639)
	at ghidra.app.plugin.core.memory.ImageBaseDialog.okCallback(ImageBaseDialog.java:120)
	at docking.DialogComponentProvider.lambda$addOKButton$0(DialogComponentProvider.java:453)
	at java.desktop/javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1967)
	at java.desktop/javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2308)
	at java.desktop/javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:405)
	at java.desktop/javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:262)
	at java.desktop/javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:279)
	at java.desktop/java.awt.Component.processMouseEvent(Component.java:6635)
	at java.desktop/javax.swing.JComponent.processMouseEvent(JComponent.java:3342)
	at java.desktop/java.awt.Component.processEvent(Component.java:6400)
	at java.desktop/java.awt.Container.processEvent(Container.java:2263)
	at java.desktop/java.awt.Component.dispatchEventImpl(Component.java:5011)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2321)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4843)
	at java.desktop/java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4918)
	at java.desktop/java.awt.LightweightDispatcher.processMouseEvent(Container.java:4547)
	at java.desktop/java.awt.LightweightDispatcher.dispatchEvent(Container.java:4488)
	at java.desktop/java.awt.Container.dispatchEventImpl(Container.java:2307)
	at java.desktop/java.awt.Window.dispatchEventImpl(Window.java:2772)
	at java.desktop/java.awt.Component.dispatchEvent(Component.java:4843)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:772)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:95)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:745)
	at java.desktop/java.awt.EventQueue$5.run(EventQueue.java:743)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:742)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:117)
	at java.desktop/java.awt.WaitDispatchSupport$2.run(WaitDispatchSupport.java:190)
	at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:235)
	at java.desktop/java.awt.WaitDispatchSupport$4.run(WaitDispatchSupport.java:233)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.desktop/java.awt.WaitDispatchSupport.enter(WaitDispatchSupport.java:233)
	at java.desktop/java.awt.Dialog.show(Dialog.java:1070)
	at java.desktop/java.awt.Component.show(Component.java:1716)
	at java.desktop/java.awt.Component.setVisible(Component.java:1663)
	at java.desktop/java.awt.Window.setVisible(Window.java:1031)
	at java.desktop/java.awt.Dialog.setVisible(Dialog.java:1005)
	at docking.DockingDialog.setVisible(DockingDialog.java:353)
	at docking.DockingWindowManager.lambda$doShowDialog$6(DockingWindowManager.java:1751)
	at ghidra.util.Swing.doRun(Swing.java:292)
	at ghidra.util.Swing.runNow(Swing.java:208)
	at ghidra.util.Swing.runNow(Swing.java:163)
	at docking.DockingWindowManager.doShowDialog(DockingWindowManager.java:1755)
	at docking.DockingWindowManager.showDialog(DockingWindowManager.java:1687)
	at ghidra.framework.plugintool.PluginTool.showDialog(PluginTool.java:1384)
	at ghidra.app.plugin.core.memory.MemoryMapProvider.setBase(MemoryMapProvider.java:302)
	at ghidra.app.plugin.core.memory.MemoryMapProvider$8.actionPerformed(MemoryMapProvider.java:290)
	at docking.menu.ToolBarItemManager.lambda$actionPerformed$0(ToolBarItemManager.java:128)
	at java.desktop/java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:313)
	at java.desktop/java.awt.EventQueue.dispatchEventImpl(EventQueue.java:770)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:721)
	at java.desktop/java.awt.EventQueue$4.run(EventQueue.java:715)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:85)
	at java.desktop/java.awt.EventQueue.dispatchEvent(EventQueue.java:740)
	at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124)
	at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109)
	at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
	at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)

And when I start a new instance and set the address to 21000000 at import time instead, it cannot decompile the code.

Mask6asok avatar May 27 '22 09:05 Mask6asok

Which processor are you using?

Have you tried doing an initial import of the binary with the correct image base instead of re-basing the image after import? Not suggesting that this isn't an issue, but would like to know if this works.

Setting the image base after the fact, especially once information has already been laid down, can be problematic. In this case the pinned labels for interrupts.

emteere avatar May 31 '22 15:05 emteere

I use ARM v7 little-endian. And if I set the right address at first, it cannot decompile the code smartly.

Mask6asok avatar Jun 11 '22 08:06 Mask6asok

Just want to make sure that you are importing the binary and putting in the base address in the Options dialog for the import dialog at import time.

If you are, then could you describe what you mean by it cannot decompile the code. Do you mean it doesn't disassemble the code automatically?

Have the normal interrupt vectors on your variant been set to 0x21000000?

emteere avatar Jul 06 '22 15:07 emteere

Just to chime in, I had the same exception when analyzing a device firmware image and trying to move the base after the fact. Changing the base address in the import options worked.

ge0rg avatar Jul 19 '22 09:07 ge0rg

Yes it appears there may be a bug moving the pinned interrupt vectors (Reset, IRQ, etc..) with image base. We can take a look at the exception so it doesn't occur, just trying to get your issue diagnosed and give you an alternative that works.

emteere avatar Jul 19 '22 13:07 emteere

Same happened for me, analyzing an arm32 lib, Thumb mode.

pinwhell avatar Nov 21 '22 23:11 pinwhell

image

pinwhell avatar Nov 21 '22 23:11 pinwhell

This wasn't happening in old versions.

pinwhell avatar Nov 21 '22 23:11 pinwhell

same error

Address Overflow in add: .debug_frame.13::0000006b 0x1
ghidra.program.model.address.AddressOutOfBoundsException: Address Overflow in add: .debug_frame.13::0000006b 0x1
	at ghidra.program.model.address.AbstractAddressSpace.add(AbstractAddressSpace.java:431)
	at ghidra.program.model.address.OverlayAddressSpace.add(OverlayAddressSpace.java:18)
	at ghidra.program.model.address.GenericAddress.add(GenericAddress.java:237)
	at ghidra.app.plugin.exceptionhandlers.gcc.structures.ehFrame.Cie.processDataAlign(Cie.java:323)
	at ghidra.app.plugin.exceptionhandlers.gcc.structures.ehFrame.Cie.create(Cie.java:510)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.AbstractFrameSection.createCie(AbstractFrameSection.java:109)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.AbstractFrameSection.getCieOrCreateIfMissing(AbstractFrameSection.java:131)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.getCie(DebugFrameSection.java:53)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.analyzeSection(DebugFrameSection.java:108)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.analyze(DebugFrameSection.java:77)
	at ghidra.app.plugin.exceptionhandlers.gcc.GccExceptionAnalyzer.handleDebugFrameSection(GccExceptionAnalyzer.java:399)
	at ghidra.app.plugin.exceptionhandlers.gcc.GccExceptionAnalyzer.added(GccExceptionAnalyzer.java:145)
	at ghidra.app.plugin.core.analysis.AnalysisScheduler.runAnalyzer(AnalysisScheduler.java:186)
	at ghidra.app.plugin.core.analysis.AnalysisTask.applyTo(AnalysisTask.java:39)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager$AnalysisTaskWrapper.run(AutoAnalysisManager.java:688)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:788)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:667)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:632)
	at ghidra.app.plugin.core.analysis.AnalysisBackgroundCommand.applyTo(AnalysisBackgroundCommand.java:58)
	at ghidra.framework.plugintool.mgr.BackgroundCommandTask.run(BackgroundCommandTask.java:102)
	at ghidra.framework.plugintool.mgr.ToolTaskManager.run(ToolTaskManager.java:336)
	at java.base/java.lang.Thread.run(Thread.java:833)

firmianay avatar Jan 31 '23 03:01 firmianay

image The bug disappears when this code is commented out, and the address space base does change without leaving any side effects (at least visually). Also notice that, for some reason, the commented code is not called in my other local projects, which are PEs and still successfully re-base; the bug happens to me on an ELF in Thumb mode. Not sure whether it also happens in other scenarios with other executable formats.

pinwhell avatar Feb 11 '23 14:02 pinwhell

same error

Address Overflow in add: .debug_frame.13::0000006b 0x1
ghidra.program.model.address.AddressOutOfBoundsException: Address Overflow in add: .debug_frame.13::0000006b 0x1
	at ghidra.program.model.address.AbstractAddressSpace.add(AbstractAddressSpace.java:431)
	at ghidra.program.model.address.OverlayAddressSpace.add(OverlayAddressSpace.java:18)
	at ghidra.program.model.address.GenericAddress.add(GenericAddress.java:237)
	at ghidra.app.plugin.exceptionhandlers.gcc.structures.ehFrame.Cie.processDataAlign(Cie.java:323)
	at ghidra.app.plugin.exceptionhandlers.gcc.structures.ehFrame.Cie.create(Cie.java:510)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.AbstractFrameSection.createCie(AbstractFrameSection.java:109)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.AbstractFrameSection.getCieOrCreateIfMissing(AbstractFrameSection.java:131)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.getCie(DebugFrameSection.java:53)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.analyzeSection(DebugFrameSection.java:108)
	at ghidra.app.plugin.exceptionhandlers.gcc.sections.DebugFrameSection.analyze(DebugFrameSection.java:77)
	at ghidra.app.plugin.exceptionhandlers.gcc.GccExceptionAnalyzer.handleDebugFrameSection(GccExceptionAnalyzer.java:399)
	at ghidra.app.plugin.exceptionhandlers.gcc.GccExceptionAnalyzer.added(GccExceptionAnalyzer.java:145)
	at ghidra.app.plugin.core.analysis.AnalysisScheduler.runAnalyzer(AnalysisScheduler.java:186)
	at ghidra.app.plugin.core.analysis.AnalysisTask.applyTo(AnalysisTask.java:39)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager$AnalysisTaskWrapper.run(AutoAnalysisManager.java:688)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:788)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:667)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:632)
	at ghidra.app.plugin.core.analysis.AnalysisBackgroundCommand.applyTo(AnalysisBackgroundCommand.java:58)
	at ghidra.framework.plugintool.mgr.BackgroundCommandTask.run(BackgroundCommandTask.java:102)
	at ghidra.framework.plugintool.mgr.ToolTaskManager.run(ToolTaskManager.java:336)
	at java.base/java.lang.Thread.run(Thread.java:833)

An AddressOutOfBoundsException can occur for many reasons. The original issue is related to SymbolManager.fixupPinnedSymbolsAfterRebase when the image base is modified. It is best that this ticket remains focused on this specific situation. New tickets should be created for other situations based upon the specific stack trace, where the specific binary details and scenario can be documented.

ghidra1 avatar Mar 10 '23 13:03 ghidra1