
Undefined behavior

Open umanwizard opened this issue 7 months ago • 2 comments

This test segfaults reliably on v0.13.0:

#[cfg(test)]
mod tests {
    use capstone::Capstone;
    use capstone::arch::{BuildsCapstone, DetailsArchInsn};

    #[test]
    fn capstone_segfaults() {
        // Build an AArch64 disassembler with detail mode on, so that
        // operand information is populated by the C library.
        let cs = Capstone::new()
            .arm64()
            .detail(true)
            .mode(capstone::arch::arm64::ArchMode::Arm)
            .build()
            .unwrap();

        // Disassemble a single 4-byte instruction at address 0.
        let insns = cs.disasm_all(&[0x0c, 0x44, 0x3b, 0xd5], 0).unwrap();
        for i in insns.as_ref() {
            let id = cs.insn_detail(&i).unwrap();
            let ad = id.arch_detail();
            let aarch = ad.arm64().unwrap();

            // Formatting the operands is what triggers the crash.
            println!("{i} (dt: {:?})", aarch.operands().collect::<Vec<_>>());
        }
    }
}

umanwizard avatar May 19 '25 20:05 umanwizard

This seems to be caused by https://github.com/capstone-engine/capstone/issues/1881

The second operand of this instruction is coming through as type Sys but its value is not one of the variants of Arm64SysOp. And unsafely creating a value whose discriminant is not one of the valid discriminants of the enum type is UB (which manifests here by crashing when we try to print it out).

umanwizard avatar May 19 '25 21:05 umanwizard
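The failure mode described in the comment above, shown as an added, stand-alone example that is not code from capstone-rs or from the issue author. The enum `SysOp`, the error type `UnknownDiscriminant` and the helper `decode_operands` are hypothetical stand-ins for the real binding types; the point is the contrast between transmuting a raw C integer into a Rust enum (undefined behavior whenever the value is not a declared variant) and a checked `TryFrom` conversion that turns the same out-of-range value into an error.

```rust
use std::convert::TryFrom;

/// Hypothetical operand kind mirroring the shape of a C enum that crosses
/// the FFI boundary. A real binding would have many more variants.
#[repr(u32)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SysOp {
    Invalid = 0,
    At = 1,
    Dc = 2,
    Ic = 3,
    Tlbi = 4,
}

/// Returned when the C side hands us a discriminant this binding does
/// not declare (for example because the C library is newer than the
/// Rust definition, or because the C library itself misreports it).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct UnknownDiscriminant(pub u32);

/// Checked conversion: every value outside the declared variants is an
/// error, never a Rust value with an invalid bit pattern.
impl TryFrom<u32> for SysOp {
    type Error = UnknownDiscriminant;

    fn try_from(raw: u32) -> Result<Self, Self::Error> {
        match raw {
            0 => Ok(SysOp::Invalid),
            1 => Ok(SysOp::At),
            2 => Ok(SysOp::Dc),
            3 => Ok(SysOp::Ic),
            4 => Ok(SysOp::Tlbi),
            other => Err(UnknownDiscriminant(other)),
        }
    }
}

/// The unsound pattern: trusting the raw integer. Calling this with any
/// value that is not 0..=4 is undefined behavior (the compiler may assume
/// the result is a valid variant, and a later `match` or `Debug` impl can
/// crash or misbehave). It is defined here only to contrast with
/// `try_from`; nothing below calls it with an unchecked value.
pub unsafe fn sys_op_unchecked(raw: u32) -> SysOp {
    std::mem::transmute::<u32, SysOp>(raw)
}

/// Decode a list of raw operand kinds as they might arrive from C,
/// refusing the whole list if any entry is unknown.
pub fn decode_operands(raw: &[u32]) -> Result<Vec<SysOp>, UnknownDiscriminant> {
    raw.iter().map(|&r| SysOp::try_from(r)).collect()
}

fn main() {
    // Constructed sample input: the last entry stands in for the bogus
    // value the C library reported in the issue.
    let from_c: [u32; 3] = [1, 4, 0xdead];

    match decode_operands(&from_c) {
        Ok(ops) => println!("operands: {:?}", ops),
        Err(UnknownDiscriminant(v)) => {
            println!("refusing operand list: unknown Sys operand {:#x}", v)
        }
    }
}
```

A binding that converts every FFI-provided discriminant through a conversion like `try_from` pays one comparison per operand and surfaces the upstream bug as an `Err` value instead of as memory-unsafe behavior in the caller's `println!`.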

Upstream fixes it in the next branch, but we will need to wait for capstone v6 then. You can try the WIP branch at https://github.com/capstone-rust/capstone-rs/tree/capstone-v6.

jiegec avatar May 23 '25 17:05 jiegec