drakvuf
HIDSIM --hid-monitor-gui various issues
Using the HIDSIM plugin with --hid-monitor-gui alongside other plugins leads to frequent segfaults. This is most likely due to insufficient locking around the LibVMI instance in libdrakvuf. Plugins only ever obtain the LibVMI instance after taking a mutex, but libdrakvuf itself still uses LibVMI internally without checking that the lock is free, so when the GUI monitor thread and the main event loop run concurrently they race on the shared instance.
Another issue spotted: find_button_to_click dereferences a null wnd pointer at vmi_win_gui_parser.cpp:441 (reported by both UBSan and ASan):
[HIDSIM][MONITOR] Error reading tagWINDOW-struct member
hidsim/gui/vmi_win_gui_parser.cpp:441:18: runtime error: member access within null pointer of type 'struct wnd'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior hidsim/gui/vmi_win_gui_parser.cpp:441:18 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==20311==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x000000cb890b bp 0x7f7c173063f0 sp 0x7f7c17306060 T2)
==20311==The signal is caused by a READ memory access.
==20311==Hint: address points to the zero page.
#0 0xcb890b in find_button_to_click(vmi_instance*, desktop*, _GArray*, wnd*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui/vmi_win_gui_parser.cpp:441:20
#1 0xcc00c3 in scan_for_clickable_button(vmi_instance*, desktop*, wnd*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui/vmi_win_gui_parser.cpp:1040:11
#2 0xcaa8f9 in gui_monitor(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui_monitor.cpp:415:23
#3 0xc990e3 in int std::__invoke_impl<int, int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>(std::__invoke_other, int (*&&)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*&&, std::atomic<unsigned int>*&&, std::atomic<bool>*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:60:14
#4 0xc988bb in std::__invoke_result<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>::type std::__invoke<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>(int (*&&)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*&&, std::atomic<unsigned int>*&&, std::atomic<bool>*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
#5 0xc9862d in int std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> >::_M_invoke<0ul, 1ul, 2ul, 3ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
#6 0xc982b1 in std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
#7 0xc968e1 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
#8 0x7f7c1d317de3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
#9 0x7f7c1d0d8608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#10 0x7f7c1cfd7292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui/vmi_win_gui_parser.cpp:441:20 in find_button_to_click(vmi_instance*, desktop*, _GArray*, wnd*)
Thread T2 created by T0 here:
#0 0x4e04ba in pthread_create (/shared/jenkins/workspace/DRAKVUF-windows7-sp1-x64/src/drakvuf+0x4e04ba)
#1 0x7f7c1d3180a8 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd70a8)
#2 0xc8c235 in hidsim::hidsim(drakvuf*, hidsim_config const*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/hidsim.cpp:205:36
#3 0x629026 in std::_MakeUniq<hidsim>::__single_object std::make_unique<hidsim, drakvuf*&, hidsim_config*>(drakvuf*&, hidsim_config*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:857:34
#4 0x617f36 in drakvuf_plugins::start(drakvuf_plugin, plugins_options const*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/plugins.cpp:464:48
#5 0x548dba in drakvuf_c::start_plugins(bool const*, plugins_options const*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/drakvuf.cpp:140:31
#6 0x52eb79 in main /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/main.cpp:903:18
#7 0x7f7c1cedc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
==20311==ABORTING
Another issue: LeakSanitizer reports that the allocations made in retrieve_winstas_from_procs (vmi_win_gui_parser.cpp:934) are never freed:
==24283==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 168 byte(s) in 3 object(s) allocated from:
#0 0x4f571d in malloc (/shared/jenkins/workspace/DRAKVUF-windows7-sp1-x64/src/drakvuf+0x4f571d)
#1 0xcbe4ec in retrieve_winstas_from_procs(vmi_instance*, _GArray*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui/vmi_win_gui_parser.cpp:934:57
#2 0xcbe965 in find_first_active_desktop(vmi_instance*, desktop*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui/vmi_win_gui_parser.cpp:974:11
#3 0xca9bae in gui_monitor(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*) /shared/jenkins/workspace/DRAKVUF-build-sanitize/src/plugins/hidsim/gui_monitor.cpp:368:28
#4 0xc990f3 in int std::__invoke_impl<int, int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>(std::__invoke_other, int (*&&)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*&&, std::atomic<unsigned int>*&&, std::atomic<bool>*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:60:14
#5 0xc988cb in std::__invoke_result<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>::type std::__invoke<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*>(int (*&&)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*&&, std::atomic<unsigned int>*&&, std::atomic<bool>*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95:14
#6 0xc9863d in int std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> >::_M_invoke<0ul, 1ul, 2ul, 3ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul>) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:244:13
#7 0xc982c1 in std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:251:11
#8 0xc968f1 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*), drakvuf*, std::atomic<unsigned int>*, std::atomic<bool>*> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:195:13
#9 0x7fcd21894de3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xd6de3)
SUMMARY: AddressSanitizer: 168 byte(s) leaked in 3 allocation(s).