
crash on memory-read in syscalls_logger pandalog_write_entry

Open whoismissing opened this issue 1 year ago • 1 comment

Tested on docker image 35705ace13f0 and commit 97c0ed956b999958a333f960d85fae7e65f81c04 in Ubuntu 22.

syscalls_logger crashes on memory-read during a protobuf serialization when attempting to write to pandalog.

The guest is an Ubuntu 18.04 running the linux-image-5.4.0-84-generic kernel from apt.

The crash can be reproduced using the following command:

panda-system-x86_64 \
    -m 4G \
    -replay poc \
    -panda osi:disable-autoload=true \
    -panda osi_linux:kconf_file=kernelinfo.txt,kconf_group=my_kernel_info,load_now=true \
    -os linux-64-ubuntu:5.4.0-84-generic \
    -panda syscalls2:load-info=true \
    -panda syscalls_logger:verbose=true,json=./output.json \
    -pandalog syscalls.plog

I attempted triaging in GDB and observed the following backtrace:

gdb -q panda-system-x86_64
(gdb) r -m 4G -replay poc -panda osi:disable-autoload=true -panda osi_linux:kconf_file=kernelinfo.txt,kconf_group=my_kernel_info,load_now=true -os linux-64-ubuntu:5.4.0-84-generic -panda syscalls2:load-info=true -panda syscalls_logger:verbose=true,json=./output.json -pandalog syscalls.plog

Thread 3 "panda-system-x8" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff843a4640 (LWP 6334)]
0x00007ffff5450b02 in protobuf_c_message_get_packed_size () from /lib/x86_64-linux-gnu/libprotobuf-c.so.1

(gdb) bt
#0  0x00007ffff5450b02 in protobuf_c_message_get_packed_size ()
    at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#1  0x00007ffff5450f97 in protobuf_c_message_get_packed_size ()
    at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#2  0x00007ffff5451466 in  () at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#3  0x00007ffff5450bee in protobuf_c_message_get_packed_size ()
    at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#4  0x00007ffff5450f97 in protobuf_c_message_get_packed_size ()
    at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#5  0x00007ffff5451466 in  () at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#6  0x00007ffff5450bee in protobuf_c_message_get_packed_size ()
    at /lib/x86_64-linux-gnu/libprotobuf-c.so.1
#7  0x00007ffff6dd6995 in panda__log_entry__get_packed_size (message=<optimized out>)
    at plog.pb-c.c:1325
#8  0x00007ffff6dd4001 in pandalog_write_entry (entry=0x7fff8439f320)
    at /home/vboxuser/panda/panda/src/plog.c:84
#9  0x00007fffeb78ca92 in handle_syscall(CPUState*, unsigned long, syscall_info_t const*, syscall_ctx const*, bool)
    (cpu=0x5555640d1230, pc=<optimized out>, call=0x7fffeb7bf780 <__syscall_info_a+256>, rp=<optimized out>, is_return=<optimized out>) at /home/vboxuser/panda/panda/plugins/syscalls_logger/syscalls_logger.cpp:1097

(gdb) x/i $pc
=> 0x7ffff5450b02 <protobuf_c_message_get_packed_size+18>:	mov    rbp,QWORD PTR [rdi]
(gdb) p/x $rdi
$2 = 0x64615f796669746f

Looks like some ASCII chars "otify_ad" are in the register $rdi and the entry->syscall is sys_newstat.

(gdb) up 8
#8  0x00007ffff6dd4001 in pandalog_write_entry (entry=0x7fff8439f320)
    at /home/vboxuser/panda/panda/src/plog.c:84
84		size_t packed_size = panda__log_entry__get_packed_size(entry);

(gdb) p * entry
$4 = {base = {descriptor = 0x7ffff75ca0c0 <panda.log_entry.descriptor>, 
    n_unknown_fields = 0, unknown_fields = 0x0}, pc = 0, instr = 0, asid_info = 0x0, 
  has_asid = 1, asid = 5222416384, call_stack = 0x0, basic_block = 0x0, edge_coverage = 0x0, 
  trace = 0x0, asid_libraries = 0x0, dwarf_call = 0x0, dwarf_ret = 0x0, proc_trace = 0x0, 
  signal_event = 0x0, syscall = 0x7fff8439f2d0, taint_query_pri = 0x0, 
  attack_point_pri = 0x0, pri_trace_src_info = 0x0, serial_tx = 0x0, 
  taint_query_hypercall = 0x0, attack_point = 0x0, has_taint_label_virtual_addr = 0, 
  taint_label_virtual_addr = 0, has_taint_label_physical_addr = 0, 
  taint_label_physical_addr = 0, has_taint_label_number = 0, taint_label_number = 0, 
  tainted_branch = 0x0, tainted_branch_summary = 0x0, label_liveness = 0x0, 
  tainted_instr = 0x0, tainted_instr_summary = 0x0, tainted_mmio_label = 0x0}

(gdb) p * entry->syscall
$5 = {base = {descriptor = 0x7ffff75cb920 <panda.syscall.descriptor>, n_unknown_fields = 0, 
    unknown_fields = 0x0}, pid = 759, ppid = 1, tid = 759, create_time = 339837380273, 
  retcode = 0, call_name = 0x7ffe7c0eb8d0 "sys_newstat", n_args = 2, args = 0x7ffe7c0fa7a0}

whoismissing avatar Mar 01 '23 17:03 whoismissing
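The triage step above (reading a faulting register as little-endian bytes and noticing it holds ASCII rather than a pointer) is easy to get wrong by hand, so here is a small helper, added here as an example and not part of the original issue or of PANDA's own code. It decodes a 64-bit register value as little-endian bytes, checks whether the value is even a canonical x86-64 address (bits 63..47 must all equal bit 47 on a 48-bit virtual address space; a non-canonical address faults on the first dereference, which the kernel reports as SIGSEGV), and returns a verdict. The sample values are the ones visible in the gdb output on this page ($rdi and the `entry` pointer); the kernel-space address is a constructed example.

```python
import struct
from typing import Optional

# x86-64 with 48-bit virtual addresses: a value is canonical only if
# bits 63..47 are all 0 (user space) or all 1 (kernel space). Anything
# else cannot be dereferenced, and "mov rbp, [rdi]" faults immediately.
def is_canonical(value: int) -> bool:
    top = value >> 47
    return top == 0 or top == (1 << 17) - 1


# Reinterpret the register as the bytes it would hold in memory
# (little-endian on x86-64) and return them if every byte is printable.
def register_as_ascii(value: int, width: int = 8) -> Optional[str]:
    raw = struct.pack("<Q" if width == 8 else "<I", value)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


# Combine both checks into a triage verdict for a register that was
# expected to hold a pointer (here: the ProtobufCMessage* in $rdi).
def classify_register(value: int) -> dict:
    text = register_as_ascii(value)
    canonical = is_canonical(value)
    if text is not None and not canonical:
        verdict = "string data overwrote the pointer slot"
    elif canonical:
        verdict = "plausible pointer; check it against 'info proc mappings'"
    else:
        verdict = "non-canonical value, not a valid pointer"
    return {
        "hex": f"0x{value:016x}",
        "canonical": canonical,
        "ascii": text,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # $rdi from the backtrace on this page.
    print(classify_register(0x64615F796669746F))
    # The 'entry' argument of pandalog_write_entry, a real heap pointer.
    print(classify_register(0x7FFF8439F320))
```

Run it on the faulting register and the verdict is that `$rdi` is eight bytes of text ("otify_ad"), not an address, which is consistent with the submessage pointer walked by `protobuf_c_message_get_packed_size` having been overwritten or never initialised.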

The artifact files are uploaded here since GitHub has size and file type limitations.

$ sha256sum artifacts.tgz 
ac120a79a83eae2dfc3f3cf9838d36e630e7db62224c18fd98d6b8031746e46e  artifacts.tgz
$ tar -xf artifacts.tgz
$ ls -hog
total 262M
-rwxrwx--- 1 113M Mar  1 12:20 artifacts.tgz
-rwxrwx--- 1 1.7K Mar  1 11:54 kernelinfo.txt
-rwxrwx--- 1  39M Mar  1 11:54 output.json
-rwxrwx--- 1 110M Mar  1 11:53 poc.rr

whoismissing avatar Mar 01 '23 17:03 whoismissing