PANDA[taint2]WARNING: Variable shift amount for opcode 25; control bits may be incorrect.
I fixed the taint.py in example/taint2, however I got the warning and I don't know how to fix it. I am running panda in a VirtualBox virtual machine, Ubuntu 22.04. Is there any way to fix this problem?
Here is my code:
```python
from pandare import Panda

panda = Panda(generic='x86_64')

@panda.queue_blocking
def driver():
    panda.revert_sync('root')
    print(panda.run_serial_cmd("grep root /etc/passwd"))
    panda.end_analysis()

@panda.cb_after_machine_init
def setup(cpu):
    print("===>taint enabled<===")
    # Enable tainting
    panda.taint_enable()
    # require was deprecated, so load the plugins explicitly
    panda.load_plugin("osi")
    panda.load_plugin("osi_linux")
    panda.load_plugin("taint2")

def fd_to_fname(cpu, fd):
    # Resolve a guest file descriptor to a path via OSI; "error" on failure
    proc = panda.plugins['osi'].get_current_process(cpu)
    if proc == panda.ffi.NULL:
        return "error"
    fname_ptr = panda.plugins['osi_linux'].osi_linux_fd_to_filename(cpu, proc, fd)
    if fname_ptr == panda.ffi.NULL:
        return "error"
    return panda.ffi.string(fname_ptr).decode('utf-8', 'ignore')

@panda.ppp("syscalls2", "on_sys_read_return")
def read(cpu, pc, fd, buf, cnt):
    fname = fd_to_fname(cpu, fd)
    print(f"read {fname}")
    if fname == "/etc/passwd":
        # Give every byte read from /etc/passwd its own taint label.
        # taint2 labels physical RAM, so translate the guest virtual
        # buffer address before labelling.
        label = 1
        for idx in range(cnt):
            panda.taint_label_ram(panda.virt_to_phys(cpu, buf + idx), label)
            label = label + 1

# A PPP callback takes the plugin's arguments; it must not also be
# registered with queue_blocking, which would call it with no arguments.
@panda.ppp("taint2", "on_branch2")
def something(addr, size, from_helper, tainted):
    print("Tainted branch")

panda.run()
```
That warning is due to a deficiency in the taint2 plugin, in the taint_mix function when an LLVM shift instruction is encountered where the amount to shift is a variable. There's a long comment there explaining what is going on. It would take code changes to taint2 to fix it, if it is fixable. Maybe in some of the simpler cases something sensible could be done to the controlled bits masks, but I doubt there is a logical thing to do to the controlled bits masks in all cases where the shift amount is a variable whose bits are only PARTIALLY controlled.
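The situation the answer describes, as an added illustrative model rather than taint2's own code or the poster's: controlled-bits masks under an 8-bit `shl`, comparing a constant shift amount with an amount whose bits are only partially controlled. The mask semantics, the "intersect over reachable amounts" rule and the 8-bit width are assumptions of the model.

```python
from itertools import product

WIDTH = 8                      # assumed operand width for the model
MASK = (1 << WIDTH) - 1

def shl_cb_const(cb_x, k):
    """Controlled-bits mask of x << k for a constant k: the mask just shifts."""
    if k >= WIDTH:             # out-of-range shift: no output bit is controlled
        return 0
    return (cb_x << k) & MASK

def possible_amounts(k_val, cb_k):
    """Every shift amount reachable by flipping only the controlled bits of k."""
    fixed = k_val & ~cb_k & MASK
    ctrl_positions = [i for i in range(WIDTH) if (cb_k >> i) & 1]
    amounts = set()
    for bits in product((0, 1), repeat=len(ctrl_positions)):
        v = fixed
        for pos, b in zip(ctrl_positions, bits):
            v |= b << pos
        amounts.add(v)
    return amounts

def shl_cb_var(cb_x, k_val, cb_k):
    """
    Variable shift amount. Under this model's rule a result bit counts as
    controlled only if it is controlled for every reachable amount, so
    the mask is the intersection over those amounts. Returns (mask, exact):
    exact is False whenever more than one amount was reachable, i.e. the
    case taint_mix warns about.
    """
    amounts = possible_amounts(k_val, cb_k)
    if len(amounts) == 1:      # amount is effectively constant
        return shl_cb_const(cb_x, next(iter(amounts))), True
    common = MASK
    for a in amounts:
        common &= shl_cb_const(cb_x, a)
    return common, False
```

With the low nibble of x controlled and bit 1 of a shift amount of 1 controlled, the reachable amounts are 1 and 3, and only bits 3 and 4 are controlled under both; neither per-amount mask alone is right.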