decompileFunction method null pointer dereference #7306

Closed
Nicholas-wei opened this issue Dec 20, 2024 · 1 comment

Comments

@Nicholas-wei

Describe the bug
When invoking decompileFunction (from class DecompInterface) many times with a fixed timeout, there is a chance that decompileFunction will encounter a null pointer dereference.

To Reproduce
Steps to reproduce the behavior:
Given a binary, write the following code to decompile each function in the binary with a fixed timeout (60 seconds). In order to reproduce this vulnerability, a timeout is required when decompiling some functions.

import java.util.HashMap;
import java.util.Map;

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.program.model.listing.Function;
import ghidra.program.model.pcode.HighFunction;

// Fields of the GhidraScript subclass (currentProgram and monitor are inherited from GhidraScript)
private DecompInterface ifc = null;
private Map<Function, HighFunction> hfuncHashMap = new HashMap<>();

public HighFunction getHighFunc(Function func) {
    if (ifc == null) {
        ifc = new DecompInterface();
        ifc.toggleCCode(false);          // only the HighFunction is needed, skip C output
        ifc.openProgram(currentProgram);
    }
    if (hfuncHashMap.get(func) == null) {
        // 60-second timeout per function; the crash appears when some decompiles time out
        DecompileResults decompileResults = ifc.decompileFunction(func, 60, monitor);
        HighFunction hfunc = decompileResults.getHighFunction();
        hfuncHashMap.put(func, hfunc);
        return hfunc;
    }
    return hfuncHashMap.get(func);
}

This may trigger an unexpected crash; see the following error text and screenshot.

ERROR REPORT SCRIPT ERROR:  (HeadlessAnalyzer) java.lang.NullPointerException: Cannot invoke "ghidra.program.model.pcode.Decoder.clear()" because "decoder" is null
    at ghidra.app.decompiler.DecompInterface.decompileFunction(DecompInterface.java:811)
    at xxx.xxx.getHighFunc

The following code shows the crash context (see the source code).
I think the decoder variable could remain uninitialized if an exception happens before decoder is set to activeSet.mainResponse.

Decoder decoder = null;
try {
    Address funcEntry = func.getEntryPoint();
    if (debug != null) {
        debug.setFunction(func);
    }
    decompCallback.setFunction(func, funcEntry, debug);
    EncodeDecodeSet activeSet = setupEncodeDecode(funcEntry);
    decoder = activeSet.mainResponse;
    verifyProcess();
    activeSet.mainQuery.clear();
    AddressXML.encode(activeSet.mainQuery, funcEntry);
    decompProcess.sendCommandTimeout("decompileAt", timeoutSecs, activeSet);
    decompileMessage = decompCallback.getNativeMessage();
}
catch (Exception ex) {
    decoder.clear();     // <------ The variable `decoder` may be null here.
    decompileMessage = "Exception while decompiling " + func.getEntryPoint() + ": " +
        ex.getMessage() + '\n';
}

Expected behavior
There should not be a potential null pointer dereference.


Environment (please complete the following information):

  • OS: Windows 11
  • Java Version: 20.0.1
  • Ghidra Version: 11.0
  • Ghidra Origin: official GitHub distro
@Nicholas-wei
Author

The reason was that sometimes Ghidra headless doesn't recognize some functions automatically as Ghidra originally did. So you have to create the corresponding function first, and the problem will be solved.
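An added example (written for this page; it is neither the reporter's script nor Ghidra's own code) of how a caller can guard against both points raised in this thread: the catch block in DecompInterface.decompileFunction that can throw a NullPointerException when something fails before the decoder is set, and the author's root cause of asking the decompiler about code that is not yet a defined function. The class name, the 60-second timeout and the address-keyed cache are assumptions; currentProgram, monitor, getFunctionAt and createFunction are the standard GhidraScript/FlatProgramAPI members.

```java
// Added example, not code from the issue or from the Ghidra project.
// Assumed: the script class name, TIMEOUT_SECS, and the address-keyed cache.
import java.util.HashMap;
import java.util.Map;

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.pcode.HighFunction;

public class SafeDecompileAll extends GhidraScript {

    private static final int TIMEOUT_SECS = 60;   // assumed; same value as the report

    private DecompInterface ifc;
    // Keyed by entry address so a re-created Function object still hits the cache.
    private final Map<Address, HighFunction> hfuncCache = new HashMap<>();

    @Override
    protected void run() throws Exception {
        ifc = new DecompInterface();
        ifc.toggleCCode(false);               // only the HighFunction is needed
        if (!ifc.openProgram(currentProgram)) {
            printerr("Could not open program in decompiler: " + ifc.getLastMessage());
            return;
        }
        try {
            FunctionIterator it = currentProgram.getFunctionManager().getFunctions(true);
            int ok = 0, failed = 0;
            while (it.hasNext() && !monitor.isCancelled()) {
                if (getHighFunc(it.next()) == null) {
                    failed++;
                } else {
                    ok++;
                }
            }
            println("decompiled " + ok + " function(s), failed " + failed);
        } finally {
            ifc.dispose();                    // always release the native decompiler process
        }
    }

    /**
     * Decompiles one function. Returns null on any failure and never caches
     * null, so a timed-out function can be retried on a later call.
     */
    private HighFunction getHighFunc(Function func) {
        Address entry = func.getEntryPoint();
        HighFunction cached = hfuncCache.get(entry);
        if (cached != null) {
            return cached;
        }
        // Root cause reported by the author: the listing had no function at
        // this address. Re-resolve by address and create one if it is missing.
        Function defined = getFunctionAt(entry);
        if (defined == null) {
            defined = createFunction(entry, null);   // null = default name
            if (defined == null) {
                printerr("no function could be created at " + entry);
                return null;
            }
        }
        DecompileResults res;
        try {
            res = ifc.decompileFunction(defined, TIMEOUT_SECS, monitor);
        } catch (RuntimeException e) {
            // Covers the NullPointerException escaping from the catch block
            // of DecompInterface.decompileFunction shown in the report.
            printerr("decompiler threw at " + entry + ": " + e);
            return null;
        }
        if (res == null || !res.decompileCompleted()) {
            // Timeouts and ordinary decompiler errors arrive as a message, not an exception.
            printerr("decompile failed at " + entry + ": " +
                (res == null ? "no result" : res.getErrorMessage()));
            return null;
        }
        HighFunction hf = res.getHighFunction();
        if (hf != null) {
            hfuncCache.put(entry, hf);
        }
        return hf;
    }
}
```

Run it headlessly with analyzeHeadless ... -postScript SafeDecompileAll.java. The try/catch around decompileFunction is a workaround for the library-side null dereference, not a fix for it; the decompileCompleted() check is what distinguishes a timeout from a successful decompile in the normal case.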
