Closed
Description
Environment
$ date
Fri Oct 24 02:40:51 UTC 2025
$ binr/radare2/radare2 -v
radare2 6.0.5 34409 @ linux-x86-64
birth: git.6.0.4-114-ga179d54fa3 2025-10-23__13:05:46
commit: a179d54fa30841cbfa55e8d3d58147aa45da9abf
options: gpl asan -O1 cs:5 cl:2 make
$ uname -ms
Linux x86_64
Ubuntu 24.04
Description
When running rasign2 on the provided input, the crash occurs inside r_anal_extract_rarg: f->callconv is NULL and is passed to strcmp(fcn->callconv, f->callconv), which dereferences a null pointer during variable recovery. A PoC file is provided for reproduction under Test.
ASAN-report:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==73027==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a35d701e35 bp 0x7fffa0f58da0 sp 0x7fffa0f58550 T0)
==73027==The signal is caused by a READ memory access.
==73027==Hint: address points to the zero page.
#0 0x55a35d701e35 in strcmp (/radare2/binr/rasign2/rasign2+0x34e35) (BuildId: e4ade1f89e3127a332ffb26336926b73c3baee4c)
#1 0x7f026d377c65 in r_anal_extract_rarg /radare2/libr/anal/var.c:1256:34
#2 0x7f0270a35dad in anal_block_cb /radare2/libr/core/canal.c:4015:3
#3 0x7f026d382606 in r_anal_block_recurse_depth_first /radare2/libr/anal/block.c:602:21
#4 0x7f0270a354ae in r_core_recover_vars /radare2/libr/core/canal.c:4063:2
#5 0x7f02707d7d0b in r_core_af /radare2/libr/core/./cmd_anal.inc.c:4831:4
#6 0x7f02708d9c59 in cmd_aa /radare2/libr/core/./cmd_anal.inc.c:14200:4
#7 0x7f02708d9c59 in cmd_aaa /radare2/libr/core/./cmd_anal.inc.c:14292:2
#8 0x7f02708d9c59 in cmd_anal_all /radare2/libr/core/./cmd_anal.inc.c:14700:3
#9 0x7f0270816ad2 in cmd_anal /radare2/libr/core/./cmd_anal.inc.c:16177:8
#10 0x7f0270a1d65a in r_cmd_call /radare2/libr/core/cmd_api.c:414:11
#11 0x7f027089fe68 in r_core_cmd_subst_i /radare2/libr/core/cmd.c:5387:8
#12 0x7f027089a4be in r_core_cmd_subst /radare2/libr/core/cmd.c:4074:10
#13 0x7f02707fd72f in run_cmd_depth /radare2/libr/core/cmd.c:6368:9
#14 0x7f02707f31a5 in r_core_cmd /radare2/libr/core/cmd.c:6471:8
#15 0x7f02707d704a in r_core_cmd0 /radare2/libr/core/cmd.c:6650:9
#16 0x7f026cfacead in find_functions /radare2/libr/main/rasign2.c:74:2
#17 0x7f026cfacead in signs_from_file /radare2/libr/main/rasign2.c:145:2
#18 0x7f026cfac130 in r_main_rasign2 /radare2/libr/main/rasign2.c:359:10
#19 0x55a35d7a8eb8 in main /radare2/binr/rasign2/rasign2.c:6:9
#20 0x7f026cc4ed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)
#21 0x7f026cc4ee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)
#22 0x55a35d6eb314 in _start (/radare2/binr/rasign2/rasign2+0x1e314) (BuildId: e4ade1f89e3127a332ffb26336926b73c3baee4c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/radare2/binr/rasign2/rasign2+0x34e35) (BuildId: e4ade1f89e3127a332ffb26336926b73c3baee4c) in strcmp
==73027==ABORTING
gdb debugging information:
Starting program: /radare2/binr/rasign2/rasign2 -o /radare2_fuzz/tmp/test.sdb id:000000,sig:11,src:000022,time:22895137,execs:86733,op:havoc,rep:10
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
WARN: Skipping signature with corrupted serialization (zign|*|sym._4:R:)
ERROR: cannot deserialize zign
WARN: Skipping signature with corrupted serialization (zign|*|sym.:R:)
ERROR: cannot deserialize zign
WARN: Skipping signature with corrupted serialization (zign|*|sym._1:R:)
ERROR: cannot deserialize zign
WARN: Skipping signature with multiple x signatures (zign|*|fcn.00401ee8)
ERROR: cannot deserialize zign
ERROR: cannot deserialize zign
WARN: Skipping signature with corrupted serialization (zign|*|sym._208:R:)
ERROR: cannot deserialize zign
WARN: Skipping signature with corrupted serialization (zign|*|sym._2:R:)
ERROR: cannot deserialize zign
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze imports (af@@@i)
WARN: select the calling convention with `e anal.cc=?`
INFO: Analyze entrypoint (af@ entry0)
INFO: Analyze symbols (af@@@s)
Program received signal SIGSEGV, Segmentation fault.
0x0000555db8f2be35 in strcmp ()
(gdb) bt
#0 0x0000555db8f2be35 in strcmp ()
#1 0x00007f7143317c66 in r_anal_extract_rarg (anal=0x61d000000080, op=op@entry=0x7ffd5c977ac0, fcn=fcn@entry=0x6110001b2c80, reg_set=reg_set@entry=0x6070000a3a20, count=count@entry=0x7ffd5c9781a0) at var.c:1256
#2 0x00007f71469d5dae in anal_block_cb (bb=<optimized out>, ctx=0x0) at canal.c:4015
#3 0x00007f7143322607 in r_anal_block_recurse_depth_first (block=0x6110001b2dc0, cb=<optimized out>, on_exit=<optimized out>, user=<optimized out>) at block.c:602
#4 0x00007f71469d54af in r_core_recover_vars (core=0x7f714159c800, fcn=<optimized out>, argonly=true) at canal.c:4063
#5 0x00007f7146777d0c in r_core_af (core=core@entry=0x7f714159c800, addr=4196512, name=0x7f7146b450c0 <str> "main", anal_calls=false) at ./cmd_anal.inc.c:4831
#6 0x00007f7146879c5a in cmd_aa (core=0x7f714159c800, aaa=<optimized out>) at ./cmd_anal.inc.c:14200
#7 cmd_aaa (core=0x7f714159c800, input=0x6020000a11f2 "") at ./cmd_anal.inc.c:14292
#8 cmd_anal_all (core=<optimized out>, input=0x6020000a11f2 "") at ./cmd_anal.inc.c:14700
#9 0x00007f71467b6ad3 in cmd_anal (data=0x6020000a1cb0, input=<optimized out>) at ./cmd_anal.inc.c:16177
#10 0x00007f71469bd65b in r_cmd_call (cmd=0x620000000080, input=input@entry=0x6020000a11f0 "aa") at cmd_api.c:414
#11 0x00007f714683fe69 in r_core_cmd_subst_i (core=<optimized out>, cmd=0x6020000a11f0 "aa", colon=<optimized out>, tmpseek=<optimized out>) at cmd.c:5387
#12 0x00007f714683a4bf in r_core_cmd_subst (core=0x6020000a1cb0, cmd=0x6020000a11f0 "aa") at cmd.c:4074
#13 0x00007f714679d730 in run_cmd_depth (core=core@entry=0x7f714159c800, cmd=cmd@entry=0x6210000f0100 "aa") at cmd.c:6368
#14 0x00007f71467931a6 in r_core_cmd (core=core@entry=0x7f714159c800, cstr=0x7f7142f7efc0 <str> "aa", log=false) at cmd.c:6471
#15 0x00007f714677704b in r_core_cmd0 (core=0x6020000a1cb0, core@entry=0x7f714159c800, cmd=0x0) at cmd.c:6650
#16 0x00007f7142f4ceae in find_functions (core=0x7f714159c800, count=<optimized out>) at rasign2.c:74
#17 signs_from_file (fname=fname@entry=0x7ffd5c97b572 "id:000000,sig:11,src:000022,time:22895137,execs:86733,op:havoc,rep:10", conf=0x7ffd5c97aef0) at rasign2.c:145
#18 0x00007f7142f4c131 in r_main_rasign2 (argc=4196912, argv=0x0) at rasign2.c:359
#19 0x0000555db8fd2eb9 in main (argc=662704, argv=0x0) at rasign2.c:6
(gdb) frame 1
#1 0x00007f7143317c66 in r_anal_extract_rarg (anal=0x61d000000080, op=op@entry=0x7ffd5c977ac0, fcn=fcn@entry=0x6110001b2c80, reg_set=reg_set@entry=0x6070000a3a20, count=count@entry=0x7ffd5c9781a0) at var.c:1256
1256 } else if (!f->is_variadic && !strcmp (fcn->callconv, f->callconv)) {
(gdb) list
1251 if (cc && !strcmp (fcn->callconv, cc)) {
1252 callee_rargs = R_MIN (max_count, r_type_func_args_count (TDB, callee));
1253 }
1254 }
1255 }
1256 } else if (!f->is_variadic && !strcmp (fcn->callconv, f->callconv)) {
1257 callee = r_type_func_guess (TDB, f->name);
1258 if (callee) {
1259 callee_rargs = R_MIN (max_count, r_type_func_args_count (TDB, callee));
1260 }
(gdb) print f
$1 = (RAnalFunction *) 0x6110001c1500
(gdb) print fcn
$2 = (RAnalFunction *) 0x6110001b2c80
(gdb) print f ? f->callconv : (char*)0
$3 = 0x0
(gdb) print fcn ? fcn->callconv : (char*)0
$4 = 0x6020000a1cb0 "reg"
(gdb)
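The condition at var.c:1256 reduced to a stand-alone C example (added here; not radare2's code). The Fn struct only mirrors the two fields the gdb session shows, the "checked" predicate is one possible hardening and is an assumption, not the project's fix:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the RAnalFunction fields the crash involves.
 * Field names mirror the gdb session above; the struct is not radare2's. */
typedef struct {
    const char *name;
    const char *callconv;   /* NULL when no calling convention was assigned */
    bool is_variadic;
} Fn;

/* Faithful to the original condition: strcmp() on a NULL callconv reads
 * address 0, which is the SEGV in the ASAN report. Kept for comparison
 * only; never called here with a NULL callconv. */
static bool same_cc_unchecked(const Fn *fcn, const Fn *f) {
    return !f->is_variadic && !strcmp(fcn->callconv, f->callconv);
}

/* Hardened form (assumed fix): a missing calling convention on either side
 * cannot be known to match, so the branch is simply not taken. */
static bool same_cc_checked(const Fn *fcn, const Fn *f) {
    if (!fcn || !f || !fcn->callconv || !f->callconv) {
        return false;
    }
    return !f->is_variadic && strcmp(fcn->callconv, f->callconv) == 0;
}

/* Counts how many constructed callees the checked predicate accepts.
 * The NULL-callconv callee is exactly the state gdb showed ($3 = 0x0),
 * while the caller carries "reg" like fcn->callconv did ($4). */
static int demo_matches(void) {
    const Fn caller = { "main", "reg", false };
    const Fn callees[] = {
        { "sym.a", "reg",   false },  /* same cc, not variadic: match   */
        { "sym.b", NULL,    false },  /* no cc: would crash unchecked   */
        { "sym.c", "reg",   true  },  /* variadic: excluded by design   */
        { "sym.d", "cdecl", false },  /* different cc: no match         */
    };
    int matches = 0;
    for (size_t i = 0; i < sizeof callees / sizeof callees[0]; i++) {
        if (same_cc_checked(&caller, &callees[i])) {
            matches++;
        }
    }
    return matches;  /* 1: only sym.a */
}
```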
Test
./binr/rasign2/rasign2 -o ./tmp/test.sdb poc