This repo demonstrates a way to crash IDA Pro's Hex-Rays decompiler. The macro IDA_BRICK is designed specifically to abuse a bug in the decompiler, leading it to crash when trying to analyze the function in which the macro is used. The crash is triggered primarily by the _bextr_u64 intrinsic.
```cpp
#include <cstdint>
#include <immintrin.h>  /* _bextr_u64: GCC and Clang need -mbmi, MSVC provides it unconditionally */

/* The macro reads default_val without defining it. Any 64-bit seed will do;
   a volatile global (added here as a stand-in) is reachable from the
   capture-less lambda below and stops the compiler from constant-folding the
   intrinsic away, which would remove the BEXTR instruction entirely. */
static volatile uint64_t default_val = 0x1122334455667788ULL;

#define IDA_BRICK() \
    (void)( \
        ([] { \
            uint64_t _bextr_val = default_val; \
            /* start 0, length = (...) * 93: start + length runs past 64 bits */ \
            _bextr_val = _bextr_u64(_bextr_val, 0x00, (__COUNTER__ ^ __LINE__ % (__COUNTER__ - __LINE__)) * 93U); \
            /* filler arithmetic, dead after optimisation */ \
            uint32_t var2 = (0x80 ^ 0x10) ^ ((__COUNTER__ + __LINE__) & 0xFF); \
            uint64_t var3 = var2 - 2; \
            uint64_t* var4 = &var3; \
            uint64_t var5 = *var4 >> 1; \
            /* volatile store keeps the BEXTR result (and the instruction) live */ \
            static volatile uint64_t _bextr_sink; \
            _bextr_sink = _bextr_val; \
            var5 = 0; \
            return 0; \
        })() \
    )
```

The macro computes an out-of-range length for `_bextr_u64(_bextr_val, 0x00, len)`: with a start of 0, `start + len` exceeds the 64-bit operand. Intel's SDM defines what BEXTR does in that case (the source is zero-extended and only bit positions up to OperandSize-1 are extracted, so the extra positions read as zero), which is why the compiled program keeps running and produces a well-defined result. The decompiler, however, does not handle an out-of-range length when it lifts the instruction to microcode.
IDA's decompiler lifts the assembly to microcode and runs consistency checks during optimization. It assumes well-formed, compiler-generated code and does not anticipate this edge case: when it meets a BEXTR whose start + length exceeds the operand width, an internal check on the bit-field operand bounds fails and Hex-Rays aborts with the "INTERR 51666" error.
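To make the bound concrete, here is an added model of the instruction (example code written for this note, not part of the repo): it packs the 16-bit control operand the way the GCC/Clang wrapper for `_bextr_u64` does (START in bits 7:0, LENGTH in bits 15:8), flags the out-of-range case the macro provokes, and reproduces the architectural result from the SDM pseudocode, so you can see what a correct lifter would have to produce for `start + len > 64`. The function names and the sample value are this example's own.

```cpp
#include <cstdint>
#include <cstdio>

// BEXTR control operand (second source): bits 7:0 = START, bits 15:8 = LENGTH.
// This is how GCC/Clang pack the (start, len) arguments of _bextr_u64.
constexpr uint32_t bextr_control(uint32_t start, uint32_t len) {
    return (start & 0xFFu) | ((len & 0xFFu) << 8);
}

constexpr uint32_t bextr_start(uint32_t ctrl) { return ctrl & 0xFFu; }
constexpr uint32_t bextr_len(uint32_t ctrl)   { return (ctrl >> 8) & 0xFFu; }

// The condition the macro provokes: START + LENGTH runs past the operand.
// Hardware still defines the result; a lifter must handle it, not assume it away.
constexpr bool bextr_exceeds_operand(uint32_t ctrl, uint32_t opsize = 64) {
    return bextr_start(ctrl) + bextr_len(ctrl) > opsize;
}

// Software model of BEXTR r64, r/m64, r64 following the SDM pseudocode:
//   TEMP <- ZERO_EXTEND_TO_512(SRC1); DEST <- ZERO_EXTEND(TEMP[START+LEN-1:START])
// Bit positions >= 64 therefore contribute zeros; LENGTH 0 yields 0.
uint64_t bextr64_model(uint64_t src, uint32_t ctrl) {
    const uint32_t start = bextr_start(ctrl);
    const uint32_t len   = bextr_len(ctrl);
    if (len == 0 || start >= 64) return 0;               // nothing of SRC1 is selected
    const uint64_t shifted = src >> start;               // start < 64, so the shift is valid
    const uint32_t avail   = 64 - start;                 // real bits at or above START
    const uint32_t take    = len < avail ? len : avail;  // beyond that: zero extension
    const uint64_t mask    = (take == 64) ? ~0ULL : ((1ULL << take) - 1);
    return shifted & mask;
}

int main() {
    const uint64_t src = 0x123456789ABCDEF0ULL;   // constructed sample value
    struct { uint32_t start, len; } cases[] = {
        {4, 8},     // ordinary in-range extract
        {60, 8},    // straddles bit 63: only 4 real bits, the rest are zero
        {0, 93},    // the macro's case: start 0, length 93
        {64, 8},    // start beyond the operand: result is 0
    };
    for (auto c : cases) {
        const uint32_t ctrl = bextr_control(c.start, c.len);
        printf("start=%2u len=%3u ctrl=0x%04X out_of_range=%d -> 0x%016llX\n",
               c.start, c.len, ctrl, (int)bextr_exceeds_operand(ctrl),
               (unsigned long long)bextr64_model(src, ctrl));
    }
    return 0;
}
```

The control-word packing and the zero-extension rule come from the SDM; the clamp in `bextr64_model` is just this example's way of expressing the zero-extension without a 512-bit temporary. With start 0 and length 93 the model returns the whole source unchanged, which is what the built program does at run time while the decompiler gives up on the same instruction.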
- Include the macro in any function of a C++ source file (the macro body is a lambda, so it does not compile as C).
- Build with a compiler that emits the `bextr` instruction for `_bextr_u64` when targeting x86-64: MSVC, or GCC/Clang with `-mbmi` (without that flag GCC and Clang refuse to compile the intrinsic). Check the disassembly for a `bextr` before going further; if the compiler folded the intrinsic away, there is nothing for the decompiler to trip on.
- Open the binary in IDA Pro.
- Navigate to the function containing `IDA_BRICK` and run the Hex-Rays decompiler (F5). You should see this error:

```
140001520: INTERR 51666
```
I am not the first person to find this, never claimed to be, but I did my research and found it on my own. As of posting this, I was informed that adynplt found this before me; you can find his repo here.
Disclaimer: This code is for security research purposes only.