
More graceful handling of corrupted RTTI information

Open dawn-breaking opened this issue 6 months ago • 4 comments

Issue Summary

Binary Ninja crashes during advanced analysis with an error indicating an attempt to free an unallocated pointer.

Environment Information

  • Binary Ninja Version: 5.0.7486_commercial
  • Operating System: macOS 15.5 (24F74)
  • Hardware Architecture: Apple M3 Ultra (ARM-64)
  • System Memory: 512 GB

Crash Details

  • Crashed Thread: Worker T module:core.module.update core.function.advancedAna...
  • Exception Type: EXC_CRASH (SIGABRT)
  • Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
  • Specific Error: ___BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED

Crash Stack Trace (Key Portion)

Thread 43 Crashed:: Worker T module:core.module.update core.function.advancedAna...
0   libsystem_kernel.dylib          0x18ab59388 __pthread_kill + 8
1   libsystem_pthread.dylib         0x18ab9288c pthread_kill + 296
2   libsystem_c.dylib               0x18aa9bc60 abort + 124
3   libsystem_malloc.dylib          0x18a9a0174 malloc_vreport + 892
4   libsystem_malloc.dylib          0x18a9a3c90 malloc_report + 64
5   libsystem_malloc.dylib          0x18a9a821c ___BUG_IN_CLIENT_OF_LIBMALLOC_POINTER_BEING_FREED_WAS_NOT_ALLOCATED + 32
6-21 libbinaryninjacore.1.dylib     [Multiple internal function calls]

Steps to Reproduce

Since the crash occurred in a background worker thread, specific reproduction steps are unclear. The crash appears to happen during advanced analysis of a binary file.

Expected Behavior

The program should complete the analysis normally without crashing due to memory management errors.

Actual Behavior

The program crashes during advanced analysis due to attempting to free an unallocated pointer.

Additional Information

  • System Integrity Protection (SIP) is disabled
  • Binary file link: https://shareimtodoit.oss-cn-shanghai.aliyuncs.com/test.zip

dawn-breaking avatar May 30 '25 06:05 dawn-breaking

Binary: gentle ocean jumps carefully

xusheng6 avatar Jun 03 '25 06:06 xusheng6

Hi @dawn-breaking, thx for the bug report! Did the crash happen right after you loaded the file in binja, or did it happen when you later interacted with binja? I have 128GB RAM on my machine, and I got a crash during opening, though I am not exactly sure whether that is an OOM or we are getting the same issue.

xusheng6 avatar Jun 03 '25 06:06 xusheng6

Looks like the Itanium RTTI info is corrupted in some way:

Image

Maybe some relocation type is handled incorrectly? Maybe the compiler did something weird?

emesare avatar Jun 05 '25 15:06 emesare

Reopening to track what we want to do to identify these invalid type info names.

As mentioned in the commit, the most straightforward way would be to not allow non-mangled strings; however, that also means if a type info name fails to demangle or isn't mangled, we will not attempt to parse it.

For now at least the binary can be analyzed, albeit with some useless type info names:

Image

IMO you should disable the RTTI analysis for this binary by turning off analysis.rtti.rttiAnalysis.

emesare avatar Jun 05 '25 16:06 emesare
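A defensive version of the check emesare describes, added here as an example and not Binary Ninja's own code: it resolves an Itanium `type_info` name with bounds checks, and only accepts names that parse as a mangled `<source-name>` or nested name, so a name that is out of bounds, unterminated or unmangled comes back as `None` and is skipped rather than crashing analysis. The section layout, addresses and names are constructed for the example; the one thing taken from the ABI is that `std::type_info` is a vtable pointer followed by `const char *__name`, holding the mangled type without the `_Z` prefix.

```python
"""Defensive parser for Itanium C++ ABI type_info name pointers (added example)."""
import struct
from typing import Optional

# Itanium ABI: std::type_info is { const void *vtable; const char *__name; } and
# __name is the mangled <type> without the _Z prefix, e.g. "N3foo3BarE".
PTR = struct.Struct("<Q")  # little-endian 64-bit, matching the reporter's arm64 host


class Section:
    """A loaded section: base address plus its bytes (constructed for the example)."""

    def __init__(self, base: int, data: bytes):
        self.base = base
        self.data = data

    def contains(self, addr: int, size: int = 1) -> bool:
        return self.base <= addr and addr + size <= self.base + len(self.data)

    def read_ptr(self, addr: int) -> Optional[int]:
        if not self.contains(addr, PTR.size):
            return None
        return PTR.unpack_from(self.data, addr - self.base)[0]

    def read_cstr(self, addr: int, limit: int = 256) -> Optional[bytes]:
        """NUL-terminated string at addr, or None if it is unmapped or unterminated."""
        if not self.contains(addr):
            return None
        off = addr - self.base
        end = self.data.find(b"\0", off, off + limit)
        return None if end < 0 else self.data[off:end]


def parse_source_name(s: str, i: int) -> Optional[tuple]:
    """<source-name> ::= <positive length number> <identifier>; returns (identifier, next)."""
    j = i
    while j < len(s) and s[j].isdigit():
        j += 1
    if j == i:
        return None
    length = int(s[i:j])
    if length == 0 or j + length > len(s):
        return None
    ident = s[j:j + length]
    if not (ident[0].isalpha() or ident[0] == "_") or not all(c.isalnum() or c == "_" for c in ident):
        return None
    return ident, j + length


def demangle_type_info_name(name: str) -> Optional[str]:
    """Accepts <source-name>, St<source-name> and N [St] <source-name>+ E; else None.

    Rejecting everything else is the trade-off the thread mentions: plain text
    such as "Foo" is treated as invalid even when it is a legitimate unmangled name.
    """
    if not name.isascii():
        return None
    if name.startswith("N"):
        parts, i = [], 1
        if name.startswith("St", 1):
            parts.append("std")
            i = 3
        while i < len(name) and name[i] != "E":
            r = parse_source_name(name, i)
            if r is None:
                return None
            parts.append(r[0])
            i = r[1]
        if not parts or i != len(name) - 1:  # must end exactly on the closing E
            return None
        return "::".join(parts)
    prefix, start = ([], 0) if not name.startswith("St") else (["std"], 2)
    r = parse_source_name(name, start)
    if r is None or r[1] != len(name):
        return None
    return "::".join(prefix + [r[0]])


def type_info_name(section: Section, ti_addr: int) -> Optional[str]:
    """Resolve a type_info's name; None means 'corrupt, skip it', never a crash."""
    name_ptr = section.read_ptr(ti_addr + PTR.size)  # __name follows the vtable pointer
    if name_ptr is None:
        return None
    raw = section.read_cstr(name_ptr)
    if raw is None:
        return None
    try:
        return demangle_type_info_name(raw.decode("ascii"))
    except UnicodeDecodeError:
        return None


def scan_type_infos(section: Section, first: int, count: int) -> list:
    """Names for `count` consecutive type_info records starting at `first`."""
    return [type_info_name(section, first + i * 2 * PTR.size) for i in range(count)]


def build_example_section(base: int = 0x100000) -> Section:
    """Constructed section: five type_info records followed by their string table."""
    entries = [b"N3foo3BarE\0", b"3Baz\0", b"Foo\0", None, b"7Garbage"]  # last lacks a NUL
    strtab = base + len(entries) * 2 * PTR.size
    records, blob = bytearray(), bytearray()
    for e in entries:
        if e is None:
            ptr = base + 0x10000  # dangling __name pointer outside the section
        else:
            ptr = strtab + len(blob)
            blob += e
        records += PTR.pack(0) + PTR.pack(ptr)
    return Section(base, bytes(records + blob))


if __name__ == "__main__":
    sec = build_example_section()
    print(scan_type_infos(sec, sec.base, 5))  # ['foo::Bar', 'Baz', None, None, None]
```

The two valid records demangle, the unmangled `Foo`, the dangling pointer and the unterminated string all yield `None`, which is the behaviour the thread settles on: skip the record and keep analysing, at the cost of also skipping names that were never mangled.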

Forgot to include the dev build the crash was fixed in: 7571.

emesare avatar Jun 23 '25 13:06 emesare