SimMemoryLimitError in puts
puts will look as far ahead as it can for the null byte. I'm concerned that the default settings cause it to error like that; I'd consider that a bug.
- @rhelmot
nitro:catalyst dave$ ipython
Python 2.7.13 (default, Dec 18 2016, 07:03:39)
Type "copyright", "credits" or "license" for more information.
IPython 5.1.0 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
In [1]: import angr
In [2]: proj = angr.Project('catalyst', load_options={"auto_load_libs": False})
In [3]: path_group = proj.factory.path_group()
In [4]: path_group.explore()
Out[4]: <PathGroup with 1 errored>
In [5]: list(path_group.errored[0].trace)
Out[5]:
['<IRSB from 0x400780: 1 sat>',
'<SimProcedure __libc_start_main from 0x1000040: 1 sat>',
'<IRSB from 0x400fc0: 1 sat>',
'<IRSB from 0x400690: 1 sat 1 unsat>',
'<IRSB from 0x4006a2: 1 sat>',
'<IRSB from 0x400ff1: 1 sat 1 unsat>',
'<IRSB from 0x400ff6: 1 sat>',
'<IRSB from 0x400850: 1 sat 1 unsat>',
'<IRSB from 0x40085b: 1 sat>',
'<IRSB from 0x4007f0: 1 sat 1 unsat>',
'<IRSB from 0x400828: 1 sat>',
'<IRSB from 0x40100d: 1 sat 1 unsat>',
'<IRSB from 0x401016: 1 sat>',
'<SimProcedure __libc_start_main from 0x1000050: 1 sat>',
'<IRSB from 0x400d93: 1 sat>',
'<IRSB from 0x400720: 1 sat>',
'<SimProcedure malloc from 0x1000000: 1 sat>',
'<IRSB from 0x400da5: 1 sat>',
'<IRSB from 0x400720: 1 sat>',
'<SimProcedure malloc from 0x1000000: 1 sat>',
'<IRSB from 0x400db3: 1 sat>',
'<IRSB from 0x400710: 1 sat>',
'<SimProcedure ReturnUnconstrained from 0x10000d0: 1 sat>',
'<IRSB from 0x400dc1: 1 sat>',
'<IRSB from 0x400700: 1 sat>',
'<SimProcedure ReturnUnconstrained from 0x10000c0: 1 sat>',
'<IRSB from 0x400dc8: 1 sat>',
'<IRSB from 0x4006d0: 1 sat>']
In [6]: path_group.errored[0]
Out[6]: <Errored Path with 28 runs (at 0x1000010, SimMemoryLimitError)>
In [7]: proj._sim_procedures
Out[7]:
{16777216: <Hook for malloc>,
16777232: <Hook for puts>,
16777248: <Hook for __isoc99_scanf>,
16777264: <Hook for exit>,
16777280: <Hook for __libc_start_main>,
16777296: <Hook for __libc_start_main (continuation)>,
16777312: <Hook for printf>,
16777328: <Hook for putchar>,
16777344: <Hook for fflush>,
16777360: <Hook for strlen>,
16777376: <Hook for sleep>,
16777392: <Hook for ReturnUnconstrained (resolves rand) (1 arg)>,
16777408: <Hook for ReturnUnconstrained (resolves srand) (1 arg)>,
16777424: <Hook for ReturnUnconstrained (resolves time) (1 arg)>,
16777440: <Hook for CallReturn>,
16777456: <Hook for LinuxLoader (1 arg)>,
16777472: <Hook for _dl_rtld_lock_recursive>,
16777488: <Hook for _dl_rtld_unlock_recursive>,
16777504: <Hook for _vsyscall>,
16777520: <Hook for LinuxLoader (1 arg) (continuation)>}
int sub_400d93() {
var_10 = malloc(0x3e8);
var_18 = malloc(0x3e8);
rax = time(0x0);
rax = srand(LODWORD(rax));
rax = puts(0x401088);
rax = puts(0x401160);
rax = puts(0x401258);
rax = puts(0x401348);
rax = puts(0x4013e0);
rax = puts(0x4014a8);
rax = puts(0x401570);
rax = puts(0x401348);
rax = puts(0x401638);
rax = puts(0x401708);
rax = puts(0x4017e0);
rax = puts(0x401890);
LODWORD(rax) = 0x0;
rax = printf("Loading");
rax = *stdout;
rax = fflush(rax);
var_4 = 0x0;
rax = putchar(0xa);
LODWORD(rax) = 0x0;
rax = printf("Username: ");
LODWORD(rax) = 0x0;
rax = __isoc99_scanf(0x4018c3, var_10);
LODWORD(rax) = 0x0;
rax = printf(0x4018c6);
LODWORD(rax) = 0x0;
rax = __isoc99_scanf(0x4018c3, var_18);
LODWORD(rax) = 0x0;
rax = printf("Logging in");
rax = *stdout;
rax = fflush(rax);
var_8 = 0x0;
rax = putchar(0xa);
rax = sub_400c9a(var_10);
rax = sub_400cdd(var_10);
rax = sub_4008f7(var_10);
rax = sub_400977(var_10, var_18);
rax = sub_400876(var_10, var_18);
LODWORD(rax) = 0x0;
return 0x0;
}
┌ (fcn) main 335
│ main ();
│ ; var int local_18h @ rbp-0x18
│ ; var int local_10h @ rbp-0x10
│ ; var int local_4h @ rbp-0x4
│ ; DATA XREF from 0x0040079d (entry0)
│ 0x00400d93 55 push rbp
│ 0x00400d94 4889e5 rbp = rsp
│ 0x00400d97 4883ec20 rsp -= 0x20
│ 0x00400d9b bfe8030000 edi = 0x3e8 ; size_t size
│ 0x00400da0 e87bf9ffff sym.imp.malloc () ; void *malloc(size_t size)
│ 0x00400da5 488945f0 qword [rbp - local_10h] = rax
│ 0x00400da9 bfe8030000 edi = 0x3e8 ; size_t size
│ 0x00400dae e86df9ffff sym.imp.malloc () ; void *malloc(size_t size)
│ 0x00400db3 488945e8 qword [rbp - local_18h] = rax
│ 0x00400db7 bf00000000 edi = 0 ; time_t *timer
│ 0x00400dbc e84ff9ffff sym.imp.time () ; time_t time(time_t *timer)
│ 0x00400dc1 89c7 edi = eax ; int seed
│ 0x00400dc3 e838f9ffff sym.imp.srand () ; void srand(int seed)
│ 0x00400dc8 bf88104000 edi = 0x401088 ; const char * s
│ 0x00400dcd e8fef8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400dd2 bf60114000 edi = str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400dd7 e8f4f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400ddc bf58124000 edi = str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400de1 e8eaf8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400de6 bf48134000 edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400deb e8e0f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400df0 bfe0134000 edi = 0x4013e0 ; const char * s
│ 0x00400df5 e8d6f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400dfa bfa8144000 edi = str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400dff e8ccf8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e04 bf70154000 edi = str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400e09 e8c2f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e0e bf48134000 edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400e13 e8b8f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e18 bf38164000 edi = str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400e1d e8aef8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e22 bf08174000 edi = str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400e27 e8a4f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e2c bfe0174000 edi = str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│ 0x00400e31 e89af8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e36 bf90184000 edi = str._e_0mWelcome_to_Catalyst_systems ; str._e_0mWelcome_to_Catalyst_systems ; const char * s
│ 0x00400e3b e890f8ffff sym.imp.puts () ; int puts(const char *s)
│ 0x00400e40 bfb0184000 edi = str.Loading ; "Loading" @ 0x4018b0 ; const char * format
│ 0x00400e45 b800000000 eax = 0
│ 0x00400e4a e8a1f8ffff sym.imp.printf () ; int printf(const char *format)
│ 0x00400e4f 488b05721220. rax = qword [obj.stdout] ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
│ 0x00400e56 4889c7 rdi = rax ; FILE *stream
│ 0x00400e59 e8d2f8ffff sym.imp.fflush () ; int fflush(FILE *stream)
│ 0x00400e5e c745fc000000. dword [rbp - local_4h] = 0
└ ┌─< 0x00400e65 eb44 goto loc.00400eab
├ loc.00400eab 123
│ loc.00400eab ();
│ ; var int local_18h @ rbp-0x18
│ ; var int local_10h @ rbp-0x10
│ ; var int local_8h @ rbp-0x8
│ ; JMP XREF from 0x00400e65 (main)
│ 0x00400eab bf0a000000 edi = 0xa ; size_t size
│ 0x00400eb0 e80bf8ffff sym.imp.putchar () ; sym.imp.malloc-0x60; void *malloc(size_t size)
│ 0x00400eb5 bfb8184000 edi = str.Username: ; "Username: " @ 0x4018b8 ; const char * format
│ 0x00400eba b800000000 eax = 0
│ 0x00400ebf e82cf8ffff sym.imp.printf () ; int printf(const char *format)
│ 0x00400ec4 488b45f0 rax = qword [rbp - local_10h]
│ 0x00400ec8 4889c6 rsi = rax
│ 0x00400ecb bfc3184000 edi = 0x4018c3 ; const char * format
│ 0x00400ed0 b800000000 eax = 0
│ 0x00400ed5 e866f8ffff sym.imp.__isoc99_scanf () ; int scanf(const char *format)
│ 0x00400eda bfc6184000 edi = str.Password: ; "Password: " @ 0x4018c6 ; const char * format
│ 0x00400edf b800000000 eax = 0
│ 0x00400ee4 e807f8ffff sym.imp.printf () ; int printf(const char *format)
│ 0x00400ee9 488b45e8 rax = qword [rbp - local_18h]
│ 0x00400eed 4889c6 rsi = rax
│ 0x00400ef0 bfc3184000 edi = 0x4018c3 ; const char * format
│ 0x00400ef5 b800000000 eax = 0
│ 0x00400efa e841f8ffff sym.imp.__isoc99_scanf () ; int scanf(const char *format)
│ 0x00400eff bfd1184000 edi = str.Logging_in ; "Logging in" @ 0x4018d1 ; const char * format
│ 0x00400f04 b800000000 eax = 0
│ 0x00400f09 e8e2f7ffff sym.imp.printf () ; int printf(const char *format)
│ 0x00400f0e 488b05b31120. rax = qword [obj.stdout] ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
│ 0x00400f15 4889c7 rdi = rax ; FILE *stream
│ 0x00400f18 e813f8ffff sym.imp.fflush () ; int fflush(FILE *stream)
│ 0x00400f1d c745f8000000. dword [rbp - local_8h] = 0
└ ┌─< 0x00400f24 eb3e goto loc.00400f64
Fish wasn't able to reproduce this issue.
Will reopen after I confirm that it's not just my system.
Reopening, reproducible on a different VM (new install with angr-dev's setup.sh).
(angr) dave@xen16:~/angr-doc/examples/catalyst# python solve.py
WARNING | 2017-02-03 20:13:52,705 | angr.project | Re-hooking symbol puts
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol putchar
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol printf
Python 2.7.13 (default, Dec 18 2016, 20:19:42)
Type "copyright", "credits" or "license" for more information.
IPython 5.2.2 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
In [1]: path_group
Out[1]: <PathGroup with 1 errored>
In [2]: path_group.errored
Out[2]: [<Errored Path with 16 runs (at 0x1000020, SimMemoryLimitError)>]
In [3]: e.debug() # e = path_group.errored[0]
You are currently into an embedded ipython shell,
the configuration will not be loaded.
> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(323)_resolve_size_range()
322 if i > self._maximum_concrete_size:
--> 323 raise SimMemoryLimitError("Concrete size %d outside of allowable limits" % i)
324 return i, i
ipdb> up
> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(488)_load()
487 # for now, we always load the maximum size
--> 488 _,max_size = self._resolve_size_range(size)
489 if options.ABSTRACT_MEMORY not in self.state.options and self.state.se.symbolic(size):
ipdb> up
> /root/angr-dev/simuvex/simuvex/storage/memory.py(715)load()
714
--> 715 a,r,c = self._load(addr_e, size_e, condition=condition_e, fallback=fallback_e)
716 add_constraints = self.state._inspect_getattr('address_concretization_add_constraints', add_constraints)
ipdb> up
> /root/angr-dev/simuvex/simuvex/s_format.py(429)_parse()
428
--> 429 fmt_xpr = self.state.memory.load(fmtstr_ptr, length)
430
ipdb> print fmtstr_ptr
<SAO <BV64 0x401088>>