[Bug] Assertion failed Value >= 0 && Value <= 31 in printShimm0_31_AsmOperand
Description
We encountered a SIGABRT (Assertion Failure) in capstone (Xtensa architecture). The crash occurs within printShimm0_31_AsmOperand when attempting to print the assembly string for a decoded instruction.
The assertion (Value >= 0 && Value <= 31) fails, indicating that the instruction printer received an immediate operand value that is out of the expected range [0, 31], despite the decoder having accepted the instruction.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: capstone (Xtensa Architecture)
- Crash Type: Assertion Failure (SIGABRT)
- Location: arch/Xtensa/XtensaInstPrinter.c:267
- Function: void printShimm0_31_AsmOperand(MCInst *, int, SStream *)
- Assertion: Assertion (Value >= 0 && Value <= 31) && "Invalid argument..." failed
- Root Cause Analysis: The stack trace shows cs_disasm -> printShimm0_31_AsmOperand, so the crash happens after decoding, during the printing phase. printShimm0_31_AsmOperand expects a shift immediate in the range [0, 31]. The assertion failure implies that the decoder (XtensaDisassembler) populated the MCInst with an operand value outside this range but did not mark the instruction as invalid, so the printer aborts when it processes the malformed operand. Because the check is an assert rather than an error return, a 4-byte input is enough to terminate (SIGABRT) any process that disassembles untrusted Xtensa code with an assertion-enabled build of the library.
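To make the decode/print layering in the analysis above concrete, here is an added toy model in C; it is not capstone's code, and the instruction type, field layout, function names and the two constructed instruction words are assumptions. It contrasts a decoder that copies a field into the operand list without validation (the pattern the report describes) with one that rejects the instruction at decode time, and a printer that returns an error instead of asserting, so a bad operand yields "invalid instruction" rather than a process abort.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a decode -> print pipeline. Nothing here is capstone's own
 * code: the ToyInst type, the 32-bit "encoding" and the function names are
 * constructed to illustrate the failure mode described in the report. */

typedef enum { DECODE_FAIL = 0, DECODE_SUCCESS = 1 } DecodeStatus;

typedef struct {
    int64_t ops[4];
    int num_ops;
} ToyInst;

/* Constructed encoding: bits [7:0] carry the immediate. The printer expects a
 * shift amount in [0,31] (5 bits), so an unchecked 8-bit field lets the
 * decoder hand over values the printer cannot represent. */
#define IMM_FIELD(word) ((int64_t)((word) & 0xFF))

/* Variant 1: mirrors the report. The field is stored and the instruction is
 * reported valid no matter what the value is. */
static DecodeStatus decode_shimm_unchecked(ToyInst *mi, uint32_t word) {
    mi->ops[mi->num_ops++] = IMM_FIELD(word);
    return DECODE_SUCCESS;
}

/* Variant 2: range-check at decode time and reject the instruction, so the
 * printer never sees an out-of-range operand. */
static DecodeStatus decode_shimm_checked(ToyInst *mi, uint32_t word) {
    int64_t v = IMM_FIELD(word);
    if (v < 0 || v > 31)
        return DECODE_FAIL;
    mi->ops[mi->num_ops++] = v;
    return DECODE_SUCCESS;
}

/* Printer that validates instead of asserting: on bad input it returns an
 * error the caller can report, rather than calling abort(). */
static int print_shimm0_31(const ToyInst *mi, int opnum, char *out, size_t outlen) {
    if (opnum < 0 || opnum >= mi->num_ops)
        return -1;
    int64_t v = mi->ops[opnum];
    if (v < 0 || v > 31)
        return -1;
    snprintf(out, outlen, "%" PRId64, v);
    return 0;
}

/* Drive one instruction word through the pipeline.
 *  0 : decoded and printed
 * -1 : rejected by the decoder
 * -2 : decoder accepted it, printer refused (the path that aborts today) */
static int disasm_word(uint32_t word, bool checked_decoder, char *out, size_t outlen) {
    ToyInst mi;
    memset(&mi, 0, sizeof mi);
    DecodeStatus st = checked_decoder ? decode_shimm_checked(&mi, word)
                                      : decode_shimm_unchecked(&mi, word);
    if (st != DECODE_SUCCESS)
        return -1;
    if (print_shimm0_31(&mi, 0, out, outlen) != 0)
        return -2;
    return 0;
}

/* Convenience wrappers returning just the status, or whether the printed
 * text matches an expected string. */
static int disasm_status(uint32_t word, bool checked_decoder) {
    char buf[32];
    return disasm_word(word, checked_decoder, buf, sizeof buf);
}

static bool disasm_prints(uint32_t word, bool checked_decoder, const char *expect) {
    char buf[32];
    if (disasm_word(word, checked_decoder, buf, sizeof buf) != 0)
        return false;
    return strcmp(buf, expect) == 0;
}

int main(void) {
    /* Constructed inputs: immediate 7 (in range) and 40 (out of range). */
    const uint32_t good = 0x00000007u, bad = 0x00000028u;
    printf("good, unchecked decoder: %d\n", disasm_status(good, false));
    printf("bad,  unchecked decoder: %d\n", disasm_status(bad, false));
    printf("bad,  checked decoder:   %d\n", disasm_status(bad, true));
    return 0;
}
```

With the unchecked decoder the out-of-range word reaches the printer, which is exactly where the real library asserts; with the checked decoder it never gets that far. Either fix removes the abort, but validating at decode time is the one that keeps the disassembler's "invalid instruction" contract intact for callers.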
Reproduce
gdb --args ./fuzz_disasm ./repro
r
bt
Download Link: repro
Stack Trace (GDB)
fuzz_disasm: /src/capstone/arch/Xtensa/XtensaInstPrinter.c:267: void printShimm0_31_AsmOperand(MCInst *, int, SStream *): Assertion `(Value >= 0 && Value <= 31) && "Invalid argument, value must be in range [0,31]"' failed.
Program received signal SIGABRT, Aborted.
0x00007f61fbe23b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f61fbe23b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f61fbdca27e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f61fbdad8ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f61fbdad81b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f61fbdc0517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x0000557adfa0714b in printShimm0_31_AsmOperand (MI=0x7f61fa200020, OpNum=2, O=0x7f61fa2004b0)
at /src/capstone/arch/Xtensa/XtensaInstPrinter.c:266
#6 0x0000557adf64d619 in cs_disasm (ud=89129161326656, buffer=0x502000000019 "", size=4, offset=4104,
count=<optimized out>, insn=<optimized out>) at /src/capstone/cs.c:1287
#7 0x0000557adf649eb2 in LLVMFuzzerTestOneInput (Data=<optimized out>, Size=<optimized out>)
at /src/capstone/suite/fuzz/fuzz_disasm.c:57
#8 0x0000557adf649a48 in main (argc=<optimized out>, argv=<optimized out>)
at /src/capstone/suite/fuzz/onefile.c:46