Closed
Labels: Xtensa, Arch, blocker (Must be finished with the assigned milestone), bug (Something is not working as it should)
Description
We encountered a SIGABRT (Assertion Failure) in capstone (Xtensa architecture). The crash occurs within printOffset_64_16_AsmOperand when printing a disassembled instruction.
The assertion fails because the immediate operand value does not satisfy the required constraints: (Value >= -512 && Value <= 496 && (Value & 0xf) == 0). This implies that the decoder successfully decoded an instruction with an invalid offset operand, which was subsequently caught by the printer's sanity check.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: capstone (Xtensa Disassembler)
- Crash Type: Assertion Failure (SIGABRT)
- Location: arch/Xtensa/XtensaInstPrinter.c:632
- Function: void printOffset_64_16_AsmOperand(MCInst*, int, SStream*)
- Assertion: Assertion (Value >= -512 && Value <= 496 && (Value & 0xf) == 0) ... failed
- Root Cause Analysis: The stack trace shows cs_disasm -> Xtensa_LLVM_printInstruction -> printInstruction -> printOffset_64_16_AsmOperand. The printer expects the operand Value to be 16-byte aligned and within a specific range. The input binary triggered a decoding path where these constraints were violated, but the decoder did not reject the instruction, leading to a crash in the printer.
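The constraint quoted above is enforced only by an assert in the printer, so any program that feeds untrusted bytes through the disassembler can be aborted by a single malformed instruction. The following added example (not capstone's code) shows the defensive alternative: validate the operand at the decoder/printer boundary and return an error so the caller can emit an invalid-instruction result instead of dying. The range and alignment rule comes from the assertion on the page; the raw-field encoding assumed in decode_offset_64_16 (a signed 6-bit field scaled by 16, which is what 64 values in steps of 16 over [-512, 496] implies) is an assumption, as are all function names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constraint quoted from the printer's assertion: value in [-512, 496],
 * low four bits clear (16-byte aligned). */
#define OFF_64_16_MIN (-512)
#define OFF_64_16_MAX (496)

/* Returns true iff v is a representable offset_64_16 operand.
 * Works for negative values because two's-complement low nibble of -512 is 0. */
bool offset_64_16_valid(int64_t v)
{
	return v >= OFF_64_16_MIN && v <= OFF_64_16_MAX && (v & 0xf) == 0;
}

/* Hypothetical decoder step (assumed encoding: signed 6-bit field * 16).
 * Returns 0 and stores the operand on success, -1 if the field cannot be a
 * valid operand. A decoder that rejects here never hands the printer a value
 * it cannot print. */
int decode_offset_64_16(uint32_t field, int64_t *out)
{
	if (field > 0x3f)
		return -1; /* wider than 6 bits: not this operand encoding */
	/* Portable sign extension of a 6-bit field, then scale by 16. */
	int64_t signed_field = (field & 0x20) ? (int64_t)field - 64 : (int64_t)field;
	int64_t v = signed_field * 16;
	if (!offset_64_16_valid(v))
		return -1; /* cannot happen for this encoding, kept as a guard */
	*out = v;
	return 0;
}

/* Printer that reports an invalid operand instead of asserting.
 * Returns 0 and writes the decimal text on success, -1 otherwise. */
int print_offset_64_16(int64_t v, char *buf, size_t n)
{
	if (!offset_64_16_valid(v))
		return -1; /* caller marks the instruction invalid; process keeps running */
	snprintf(buf, n, "%lld", (long long)v);
	return 0;
}

int main(void)
{
	/* Constructed sample operand values, including the edges and a misaligned one. */
	const int64_t samples[] = { -528, -512, -8, 0, 16, 496, 512 };
	char buf[32];
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		if (print_offset_64_16(samples[i], buf, sizeof buf) == 0)
			printf("%6lld -> %s\n", (long long)samples[i], buf);
		else
			printf("%6lld -> invalid operand\n", (long long)samples[i]);
	}
	return 0;
}
```

Running the block prints the verdict for each sample; only -512, 0, 16 and 496 are accepted, and the rejections are reported to the caller rather than through SIGABRT.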
Reproduce
gdb --args ./fuzz_disasm ./repro
r
bt
Download Link: repro
Stack Trace (GDB)
fuzz_disasm: /src/capstone/arch/Xtensa/XtensaInstPrinter.c:632: void printOffset_64_16_AsmOperand(MCInst *, int, SStream *): Assertion `(Value >= -512 && Value <= 496 && (Value & 0xf) == 0) && "Invalid argument, value must be in range [-512,496], first 4 bits " "should be zero"' failed.
Program received signal SIGABRT, Aborted.
0x00007f0a855bbb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f0a855bbb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f0a8556227e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f0a855458ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f0a8554581b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f0a85558517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x000055d0a31ef6d3 in printOffset_64_16_AsmOperand (MI=MI@entry=0x7f0a83a00020, OpNum=OpNum@entry=4,
O=O@entry=0x7f0a83a004b0) at /src/capstone/arch/Xtensa/XtensaInstPrinter.c:629
#6 0x000055d0a31eb8be in printInstruction (MI=0x7f0a83a00020, O=0x7f0a83a004b0, Address=<optimized out>)
at /src/capstone/arch/Xtensa/XtensaGenAsmWriter.inc:8033
#7 printInst (MI=0x7f0a83a00020, Annot=0x0, O=0x7f0a83a004b0, Address=<optimized out>)
at /src/capstone/arch/Xtensa/XtensaInstPrinter.c:689
#8 Xtensa_LLVM_printInstruction (MI=0x7f0a83a00020, Address=<optimized out>, O=0x7f0a83a004b0)
at /src/capstone/arch/Xtensa/XtensaInstPrinter.c:694
#9 0x000055d0a2e37619 in cs_disasm (ud=89129161326656, buffer=0x503000000055 "\256\256\360\037 ", size=7,
offset=4116, count=<optimized out>, insn=<optimized out>) at /src/capstone/cs.c:1287
#10 0x000055d0a2e33eb2 in LLVMFuzzerTestOneInput (Data=<optimized out>, Size=<optimized out>)
at /src/capstone/suite/fuzz/fuzz_disasm.c:57
#11 0x000055d0a2e33a48 in main (argc=<optimized out>, argv=<optimized out>)
at /src/capstone/suite/fuzz/onefile.c:46