
Crash in `maat::ExprITE::hash()` due to recursive call stack exhaustion

Open novafacing opened this issue 3 years ago • 3 comments

Looks like maat::ExprITE::hash() can get into infinite recursion and crash here. Here is a backtrace:

(gdb) where
#0  0x00007f8f62c8d9cb in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#1  0x00007f8f62c8d9ed in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
<...snip...>
#7475 0x00007f8f62c8d9ed in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7476 0x00007f8f62c8d9ed in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7477 0x00007f8f62c8d9ed in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7478 0x00007f8f62c8d9ed in maat::ExprITE::hash() () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7479 0x00007f8f62c8c32b in maat::ExprObject::eq(std::shared_ptr<maat::ExprObject>) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7480 0x00007f8f62cd1ebf in maat::MemSegment::symbolic_ptr_read(maat::Value&, std::shared_ptr<maat::ExprObject> const&, maat::ValueSet&, unsigned int, std::shared_ptr<maat::ExprObject> const&) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7481 0x00007f8f62cd24c4 in maat::MemEngine::symbolic_ptr_read(maat::Value&, std::shared_ptr<maat::ExprObject>, maat::ValueSet const&, unsigned int, maat::Settings const&) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7482 0x00007f8f62c39927 in maat::MaatEngine::resolve_addr_param(maat::ir::Param const&, maat::ir::ProcessedInst::Param&) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7483 0x00007f8f62c39d3a in maat::MaatEngine::process_load(maat::ir::Inst const&, maat::ir::ProcessedInst&) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7484 0x00007f8f62c3c2ac in maat::MaatEngine::run(int) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7485 0x00007f8f62bf8468 in maat::py::MaatEngine_run(_object*, _object*) () from /root/.cache/pypoetry/virtualenvs/reface-mFqyHumy-py3.9/lib/python3.9/site-packages/maat.cpython-39-x86_64-linux-gnu.so
#7486 0x00000000005310fd in ?? ()
#7487 0x0000000000512192 in _PyEval_EvalFrameDefault ()
#7488 0x0000000000528b63 in _PyFunction_Vectorcall ()
#7489 0x0000000000512192 in _PyEval_EvalFrameDefault ()
#7490 0x00000000005106ed in ?? ()
#7491 0x0000000000510497 in _PyEval_EvalCodeWithName ()
#7492 0x00000000005f5be3 in PyEval_EvalCode ()
#7493 0x0000000000619de7 in ?? ()
#7494 0x0000000000615610 in ?? ()
#7495 0x0000000000619d79 in ?? ()
#7496 0x0000000000619816 in PyRun_SimpleFileExFlags ()
#7497 0x000000000060d4e3 in Py_RunMain ()
#7498 0x00000000005ea6e9 in Py_BytesMain ()
#7499 0x00007f8f63881d0a in __libc_start_main (main=0x5ea6b0, argc=6, argv=0x7fff4abfac48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fff4abfac38) at ../csu/libc-start.c:308
#7500 0x00000000005ea5ea in _start ()

I'm not sure what's causing the issue. I can email a test script and binaries if needed to reproduce, but I would prefer not to post them publicly.

novafacing avatar May 06 '22 17:05 novafacing

Hmmm, I suspect it might not be infinite recursion but simply stack exhaustion due to very big symbolic expressions when reading from a symbolic pointer.

Does the crash still occur if you constrain symbolic pointer ranges in the settings? Something like:

m = MaatEngine(...)
m.settings.symptr_limit_range = True

If tweaking that setting doesn't work you can send me the test script and binaries at [email protected]. If you'd like to send them encrypted I can provide you with a public PGP key.

Boyan-MILANOV avatar May 06 '22 19:05 Boyan-MILANOV
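The stack-exhaustion hypothesis above (one hash() frame per nesting level of a very large ITE expression) is easy to reproduce and to avoid. The following is an added example, not maat's code: the `Node`/`Arena`/`mix` types are a hypothetical stand-in for an expression DAG, and the iterative hasher replaces recursion with an explicit work stack plus a memo table, so call-stack use no longer depends on expression depth.

```cpp
#include <cstdint>
#include <unordered_map>
#include <vector>
// Hypothetical expression DAG stand-in (not maat's types): nodes live in a flat arena and
// refer to children by index, so building and destroying a deep tree never recurses either.
struct Node { bool is_ite; uint64_t value; int cond, then_e, else_e; };
struct Arena {
    std::vector<Node> nodes;
    int cst(uint64_t v) { nodes.push_back({false, v, -1, -1, -1}); return (int)nodes.size() - 1; }
    int ite(int c, int t, int f) { nodes.push_back({true, 0, c, t, f}); return (int)nodes.size() - 1; }
};
// 64-bit combiner constructed for the example (not a cryptographic hash).
static uint64_t mix(uint64_t h, uint64_t v) {
    return (h ^ (v + 0x9e3779b97f4a7c15ULL + (h << 6) + (h >> 2))) * 0xff51afd7ed558ccdULL;
}
// Recursive hash: one stack frame per nesting level, so a deep enough ITE chain exhausts the stack.
uint64_t hash_recursive(const Arena& a, int id) {
    const Node& n = a.nodes[id];
    if (!n.is_ite) return mix(1, n.value);
    uint64_t h = mix(2, hash_recursive(a, n.cond));
    h = mix(h, hash_recursive(a, n.then_e));
    return mix(h, hash_recursive(a, n.else_e));
}
// Iterative hash: explicit work stack + memo table; constant call-stack use, shared subtrees hashed once.
uint64_t hash_iterative(const Arena& a, int root) {
    std::unordered_map<int, uint64_t> memo; std::vector<int> work{root};
    while (!work.empty()) {
        int id = work.back();
        if (memo.count(id)) { work.pop_back(); continue; }
        const Node& n = a.nodes[id];
        if (!n.is_ite) { memo[id] = mix(1, n.value); work.pop_back(); continue; }
        int kids[3] = {n.cond, n.then_e, n.else_e};
        bool ready = true;
        for (int k : kids) if (!memo.count(k)) { work.push_back(k); ready = false; }
        if (!ready) continue;  // children get hashed first; this node is revisited afterwards
        uint64_t h = 2; for (int k : kids) h = mix(h, memo[k]);  // same order as the recursive version
        memo[id] = h; work.pop_back();
    }
    return memo[root];
}
int deep_chain(Arena& a, int depth) {  // builds ite(c, ite(c, ... ite(c, 0, 1) ..., 1), 1), nested `depth` times
    int c = a.cst(1), e = a.cst(0);
    for (int i = 0; i < depth; ++i) e = a.ite(c, e, a.cst(1));
    return e;
}
bool hashers_agree(int depth) {  // both hashers agree on a chain shallow enough to recurse safely
    Arena a; int e = deep_chain(a, depth); return hash_recursive(a, e) == hash_iterative(a, e);
}
// Hashes a chain far deeper than the ~7500 frames in the report, without any recursion.
uint64_t deep_hash(int depth) { Arena a; return hash_iterative(a, deep_chain(a, depth)); }
```

Whether the recursive version actually crashes depends on frame size and the thread's stack limit, which is why only the iterative hasher is exercised on the deep chain.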

@novafacing: anything new on this?

Boyan-MILANOV avatar May 25 '22 20:05 Boyan-MILANOV

I haven't had a chance to check it out, sorry!

novafacing avatar May 26 '22 01:05 novafacing