[panda-users] taint segmentation fault

xiaojuan Li xiaotan6666 at gmail.com
Tue Apr 21 21:59:08 EDT 2015


And I find that:
I can run successfully with 16G memory (just one time), but with 32G
memory it still gets killed. I doubt that there is something wrong with the
allocation operation that PANDA does; it seems to allocate as large a memory for
taint according to the memory of the host OS.

2015-04-21 19:49 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:

> Actually, I have increased my memory to 16G. If I use 512 to record and
> replay, it gets killed; if I use 256 to record and replay, the first time it got killed,
> but the second try succeeded (shown below). I just think it is unstable; as
> for the reason, I am trying to find it.
> Thanks for your reply very much!
> Sorry for troubling you for so long!
>
>
> READ Match of str 0 at: instr_count=5180266230 :  72a7562e b6c79a2a 00c04000
> tstringsearch: thestring = [passwordisqemu]
> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> tstringsearch: string in memory @ 0xa49002da
>
>
> ****************************************************************************
> applying taint labels to search string of length 14  @ p=0xa49002da
>
> ******************************************************************************
> api214-20-256:  5244538335 ( 75.00%) instrs. 4643.72 sec.  6.58 GB ram.
> api214-20-256:  5316190227 ( 76.03%) instrs. 4988.98 sec.  6.60 GB ram.
> api214-20-256:  5386319700 ( 77.03%) instrs. 5363.67 sec.  6.60 GB ram.
> api214-20-256:  5456115383 ( 78.03%) instrs. 5714.12 sec.  6.60 GB ram.
> api214-20-256:  5524071341 ( 79.00%) instrs. 6039.86 sec.  6.62 GB ram.
> api214-20-256:  5594009950 ( 80.00%) instrs. 6392.84 sec.  6.62 GB ram.
> api214-20-256:  5665215324 ( 81.02%) instrs. 6760.18 sec.  6.62 GB ram.
> api214-20-256:  5735561744 ( 82.02%) instrs. 7122.95 sec.  6.62 GB ram.
> api214-20-256:  5803941321 ( 83.00%) instrs. 7475.05 sec.  6.62 GB ram.
> api214-20-256:  5874989410 ( 84.02%) instrs. 7839.22 sec.  6.62 GB ram.
> api214-20-256:  5945687287 ( 85.03%) instrs. 8201.84 sec.  6.62 GB ram.
> api214-20-256:  6016246771 ( 86.04%) instrs. 8566.35 sec.  6.63 GB ram.
> api214-20-256:  6086895413 ( 87.05%) instrs. 8929.06 sec.  6.63 GB ram.
> api214-20-256:  6153429632 ( 88.00%) instrs. 9264.48 sec.  6.65 GB ram.
> api214-20-256:  6225320269 ( 89.03%) instrs. 9730.16 sec.  6.72 GB ram.
> api214-20-256:  6293245468 ( 90.00%) instrs. 10102.98 sec.  6.72 GB ram.
> api214-20-256:  6364596059 ( 91.02%) instrs. 10468.66 sec.  6.72 GB ram.
> api214-20-256:  6436068665 ( 92.04%) instrs. 10837.40 sec.  6.72 GB ram.
> api214-20-256:  6503270471 ( 93.00%) instrs. 11192.30 sec.  6.72 GB ram.
> api214-20-256:  6574434672 ( 94.02%) instrs. 11558.97 sec.  6.72 GB ram.
> api214-20-256:  6644627703 ( 95.03%) instrs. 11920.98 sec.  6.72 GB ram.
> api214-20-256:  6715490334 ( 96.04%) instrs. 12288.82 sec.  6.72 GB ram.
> api214-20-256:  6783347812 ( 97.01%) instrs. 12631.31 sec.  6.72 GB ram.
> api214-20-256:  6853231196 ( 98.01%) instrs. 12984.73 sec.  6.72 GB ram.
> api214-20-256:  6922569909 ( 99.00%) instrs. 13338.83 sec.  6.72 GB ram.
> /home/shentanli/pandanew/scripts/api214-20-256-rr-nondet.log:  log is empty.
> Replay completed successfully.
> Time taken was: 13702 seconds.
> Stats:
> RR_INPUT_1 number = 818, size = 22086 bytes
> RR_INPUT_2 number = 303, size = 8484 bytes
> RR_INPUT_4 number = 757989, size = 22739670 bytes
> RR_INPUT_8 number = 0, size = 0 bytes
> RR_INTERRUPT_REQUEST number = 1756538, size = 49183064 bytes
> RR_EXIT_REQUEST number = 0, size = 0 bytes
> RR_SKIPPED_CALL number = 453631, size = 254126959 bytes
> RR_DEBUG number = 0, size = 0 bytes
> max_queue_len = 769
> 768 items on recycle list, 67584 bytes total
> Replay completed successfully.
>
>
> 2015-04-21 16:26 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>
>> This is because your system is running out of memory, and so the
>> kernel is killing the process so the system doesn't crash (as you can
>> see it's using 10.68 GB ram when it crashes, and your system only has
>> 8GB available). You can verify this by looking at the output of
>> "dmesg".
>>
>> I'm not sure what else you can do, unfortunately (aside from running
>> this on a system with more RAM). It's possible you can modify the
>> taint plugin to use less memory (for example, by removing the taint
>> compute number tracking), but that's not something I have time to help
>> with at the moment. You'd have to read and understand the taint2
>> plugin code.
>>
>> -Brendan
>>
>> On Tue, Apr 21, 2015 at 5:40 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> > And when I record and replay with 256M, it just gets killed...:
>> >
>> > ****************************************************************************
>> > applying taint labels to search string of length 14  @ p=0xa73aebab
>> >
>> > ******************************************************************************
>> > api214-20-256:  4405812542 ( 63.01%) instrs.  750.04 sec. 10.68 GB ram.
>> > Killed
>> >
>> >
>> >
>> > 2015-04-21 3:29 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >
>> >> Hi Brendan, if you continue running, do you encounter this?
>> >>
>> >>
>> >> ****************************************************************************
>> >> applying taint labels to search string of length 14  @ p=0xa62e82dd
>> >>
>> >>
>> >> ******************************************************************************
>> >> api414-4-20:  2737044888 ( 35.04%) instrs. 1943.11 sec. 14.51 GB ram.
>> >> terminate called after throwing an instance of 'std::bad_alloc'
>> >>   what():  std::bad_alloc
>> >> Aborted
>> >>
>> >> I used gdb to check the core dump; it shows:
>> >> Program terminated with signal 6, Aborted.
>> >> #0  0x00007fdb33f80165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
>> >>
>> >> It seems to be caused by malloc().
>> >>
>> >>
>> >>
>> >>
>> >> 2015-04-21 1:18 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>
>> >>> Thanks for your patience very much and for your great work!
>> >>> Now I can use the taint plugin (but it seems a little slow) and take my
>> >>> next step.
>> >>>
>> >>> 2015-04-21 12:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>>
>> >>>> Ok! Another option is to try making a recording with only 256M of RAM,
>> >>>> which would need only 4GB to replay.
>> >>>>
>> >>>> One last thing you can try – it is possible that the taint system will
>> >>>> not actually use all of the memory it allocates. In this case, if you
>> >>>> allow the kernel to overcommit memory it may succeed. You can do this
>> >>>> either by setting /proc/sys/vm/overcommit_memory to 1 or by setting
>> >>>> /proc/sys/vm/overcommit_ratio to a higher value. There are more
>> >>>> details about this feature here:
>> >>>> https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
>> >>>>
>> >>>> -Brendan
>> >>>>
>> >>>>
>> >>>> On Mon, Apr 20, 2015 at 11:54 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> > Sorry, I made a mistake: my RAM size is:
>> >>>> > (free -g)
>> >>>> >              total       used       free     shared    buffers     cached
>> >>>> > Mem:             7          6          1          0          0          2
>> >>>> > -/+ buffers/cache:          3          4
>> >>>> > Swap:            0          0          0
>> >>>> >
>> >>>> > Before, I mistook the size of the hardware...
>> >>>> >
>> >>>> > It is unlimited.
>> >>>> > I think I should increase the memory chips.
>> >>>> > Thanks!
>> >>>> >
>> >>>> > 2015-04-20 23:36 GMT-04:00 Brendan Dolan-Gavitt
>> >>>> > <brendandg at gatech.edu>:
>> >>>> >
>> >>>> >> It is still not able to allocate the memory for the taint system, it
>> >>>> >> seems (based on the "Cannot allocate memory" part). Since you said
>> >>>> >> your host system has 16GB of RAM, I'm not sure what else could be the
>> >>>> >> problem.
>> >>>> >>
>> >>>> >> Do you have any memory quota set up on your system? (for example, does
>> >>>> >> "ulimit -v" show any limits on the amount of memory you're allowed to
>> >>>> >> allocate in a single process?)
>> >>>> >>
>> >>>> >> -Brendan
>> >>>> >>
>> >>>> >> On Mon, Apr 20, 2015 at 11:28 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> > Using the new version, but still segfault :(
>> >>>> >> >
>> >>>> >> > opening nondet log for read :
>> >>>> >> > /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
>> >>>> >> > api414-4-20:    81316759 (  1.04%) instrs.    7.49 sec.  0.61 GB ram.
>> >>>> >> > api414-4-20:   156342747 (  2.00%) instrs.   16.14 sec.  0.69 GB ram.
>> >>>> >> > api414-4-20:   234368551 (  3.00%) instrs.   25.29 sec.  0.76 GB ram.
>> >>>> >> > api414-4-20:   312493247 (  4.00%) instrs.   36.09 sec.  0.83 GB ram.
>> >>>> >> > api414-4-20:   390616091 (  5.00%) instrs.   44.62 sec.  0.87 GB ram.
>> >>>> >> > api414-4-20:   468738195 (  6.00%) instrs.   50.08 sec.  0.90 GB ram.
>> >>>> >> > api414-4-20:   547631582 (  7.01%) instrs.   54.95 sec.  0.93 GB ram.
>> >>>> >> > api414-4-20:   624983872 (  8.00%) instrs.   58.64 sec.  0.94 GB ram.
>> >>>> >> > api414-4-20:   703122355 (  9.00%) instrs.   61.98 sec.  0.94 GB ram.
>> >>>> >> > api414-4-20:   783198179 ( 10.03%) instrs.   65.80 sec.  0.95 GB ram.
>> >>>> >> > READ Match of str 0 at: instr_count=812336749 :  72a7562e b6cb2e02 0d36c000
>> >>>> >> > tstringsearch: thestring = [passwordisqemu]
>> >>>> >> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >>>> >> > tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> > enabling taint at instr count 812336749
>> >>>> >> > taint2: __taint_enable_taint
>> >>>> >> > taint2: Creating byte-level taint processor
>> >>>> >> > taint2: Allocating large fast_shad (8589934592 bytes).
>> >>>> >> > taint2: Hugetlb failed. Trying without.
>> >>>> >> > Cannot allocate memory
>> >>>> >> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f38ff62e010.
>> >>>> >> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 17cda900.
>> >>>> >> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 17cd91f0.
>> >>>> >> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 17d24e70.
>> >>>> >> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> >>>> >> > taint2: Done initializing taint transformation.
>> >>>> >> > taint2: Done processing helper functions for taint.
>> >>>> >> > taint2: Done verifying module. Running...
>> >>>> >> >
>> >>>> >> > ****************************************************************************
>> >>>> >> > applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >
>> >>>> >> > ******************************************************************************
>> >>>> >> > Segmentation fault
>> >>>> >> >
>> >>>> >> >
>> >>>> >> > 2015-04-20 23:18 GMT-04:00 Brendan Dolan-Gavitt
>> >>>> >> > <brendandg at gatech.edu>:
>> >>>> >> >
>> >>>> >> >> That was caused by some code that was left in by mistake from another
>> >>>> >> >> branch of the project. I have fixed it and pushed the change. Once
>> >>>> >> >> again you will need to do git pull && make clean && ./build.sh to
>> >>>> >> >> rebuild.
>> >>>> >> >>
>> >>>> >> >> Hopefully this will fix things for you!
>> >>>> >> >>
>> >>>> >> >> -Brendan
>> >>>> >> >>
>> >>>> >> >> On Mon, Apr 20, 2015 at 11:11 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> > It is the path that caused the termination.
>> >>>> >> >> > I can find that panda_hypercall_struct.h in the
>> >>>> >> >> > /qemu/panda_tools/pirate_utils/linux directory.
>> >>>> >> >> >
>> >>>> >> >> > 2015-04-20 23:02 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >
>> >>>> >> >> >> While rebuilding:
>> >>>> >> >> >> taint2.cpp:109:61: fatal error: ../../../../lava/include/panda_hypercall_struct.h: No such file or directory
>> >>>> >> >> >> compilation terminated.
>> >>>> >> >> >> Are some files missing from the push?
>> >>>> >> >> >>
>> >>>> >> >> >>
>> >>>> >> >> >> 2015-04-20 22:56 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>
>> >>>> >> >> >>> You mean that it was caused by "allocate at a fixed address"?
>> >>>> >> >> >>> I am going to try, and thanks.
>> >>>> >> >> >>>
>> >>>> >> >> >>> 2015-04-20 22:53 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>
>> >>>> >> >> >>>> Ah! I forgot to push the commit I made to stop it from trying to
>> >>>> >> >> >>>> allocate at a fixed address.
>> >>>> >> >> >>>>
>> >>>> >> >> >>>> Could you do a git pull, rebuild, and try again?
>> >>>> >> >> >>>>
>> >>>> >> >> >>>> -Brendan
>> >>>> >> >> >>>>
>> >>>> >> >> >>>> On Mon, Apr 20, 2015 at 10:51 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> > 1. The command I use is:
>> >>>> >> >> >>>> > ./qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -kernel /dev/null -android -panda "stringsearch:name=test;tstringsearch;tainted_instr"
>> >>>> >> >> >>>> > 2. The output is:
>> >>>> >> >> >>>> > Adding PANDA arg stringsearch:name=test.
>> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so to panda_plugin_files 0
>> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so to panda_plugin_files 1
>> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so to panda_plugin_files 2
>> >>>> >> >> >>>> > emulator: registered 'boot-properties' qemud service
>> >>>> >> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
>> >>>> >> >> >>>> > Initializing plugin stringsearch
>> >>>> >> >> >>>> > panda_require: callstack_instr
>> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
>> >>>> >> >> >>>> > Initializing plugin callstack_instr
>> >>>> >> >> >>>> > Success
>> >>>> >> >> >>>> > stringsearch: added string of length 14 to search set
>> >>>> >> >> >>>> > Success
>> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so
>> >>>> >> >> >>>> > Initializing tstringsearch
>> >>>> >> >> >>>> > panda_require: stringsearch
>> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so already loaded
>> >>>> >> >> >>>> > panda_require: taint2
>> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so
>> >>>> >> >> >>>> > Initializing taint plugin
>> >>>> >> >> >>>> > taint2: Instructed not to inline taint ops.
>> >>>> >> >> >>>> > panda_require: callstack_instr
>> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
>> >>>> >> >> >>>> > Success
>> >>>> >> >> >>>> > Success
>> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so
>> >>>> >> >> >>>> > panda_require: taint2
>> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so already loaded
>> >>>> >> >> >>>> > panda_require: callstack_instr
>> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
>> >>>> >> >> >>>> > Success
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
>> >>>> >> >> >>>> > goldfish_device_bus: ff001000     30
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
>> >>>> >> >> >>>> > goldfish_int: ff000000     38
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
>> >>>> >> >> >>>> > goldfish_timer: ff003000     40
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
>> >>>> >> >> >>>> > goldfish_rtc: ff010000     48
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
>> >>>> >> >> >>>> > goldfish_tty: ff002000     50
>> >>>> >> >> >>>> > android_arm_init serial 1 0
>> >>>> >> >> >>>> > android_arm_init serial 2 0
>> >>>> >> >> >>>> > android_arm_init serial 3 0
>> >>>> >> >> >>>> > goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
>> >>>> >> >> >>>> > goldfish_fb: ff012000     68
>> >>>> >> >> >>>> > Using tmpfile for SD card: /tmp/android-shentanli/emulator-P6kmpf
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
>> >>>> >> >> >>>> > goldfish_mmc: ff005000     70
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
>> >>>> >> >> >>>> > goldfish_memlog: ff006000     78
>> >>>> >> >> >>>> > goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
>> >>>> >> >> >>>> > goldfish-battery: ff013000     80
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
>> >>>> >> >> >>>> > goldfish_events: ff014000     88
>> >>>> >> >> >>>> > Using event IRQ
>> >>>> >> >> >>>> > Invalid system partition size for non-QCOW image: 0emulator: geometry says there are 0 blocks
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-jxC2Uf is 0
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came from argument
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: geometry says there are 0 blocks
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-2FZLqg is 0
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: Dev size 0x0 came from argument
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: geometry says there are 0 blocks
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-lyszWg is 0
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
>> >>>> >> >> >>>> > goldfish_nand: ff015000     90
>> >>>> >> >> >>>> > goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
>> >>>> >> >> >>>> > qemu_pipe: ff016000     98
>> >>>> >> >> >>>> > emulator: control console listening on port 5554, ADB on port 5555
>> >>>> >> >> >>>> > emulator: can't connect to ADB server: Connection refused
>> >>>> >> >> >>>> > emulator: Realistic sensor emulation is not available, since the remote controller is not accessible:
>> >>>> >> >> >>>> >  Connection refused
>> >>>> >> >> >>>> > loading snapshot
>> >>>> >> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>> >>>> >> >> >>>> > Unknown savevm section or instance 'goldfish_tty' 1
>> >>>> >> >> >>>> > ... done.
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > Logging all cpu states
>> >>>> >> >> >>>> > CPU #0:
>> >>>> >> >> >>>> > R00=00000000 R01=c049bcb8 R02=00000000 R03=00000000
>> >>>> >> >> >>>> > R04=c0480000 R05=c04b9948 R06=c048fd34 R07=c047b374
>> >>>> >> >> >>>> > R08=c0a05100 R09=410fc090 R10=00000000 R11=00000000
>> >>>> >> >> >>>> > R12=c049bcb8 R13=c0481fb0 R14=c000e3f4 R15=c00158c8
>> >>>> >> >> >>>> > PSR=60000093 -ZC- A svc32
>> >>>> >> >> >>>> > opening nondet log for read : /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
>> >>>> >> >> >>>> > api414-4-20:    81316759 (  1.04%) instrs.    7.52 sec. 0.61 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   156342747 (  2.00%) instrs.   15.90 sec. 0.69 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   234368551 (  3.00%) instrs.   24.93 sec. 0.76 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   312493247 (  4.00%) instrs.   35.45 sec. 0.83 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   390616091 (  5.00%) instrs.   43.97 sec. 0.87 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   468738195 (  6.00%) instrs.   49.32 sec. 0.90 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   547631582 (  7.01%) instrs.   54.12 sec. 0.93 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   624983872 (  8.00%) instrs.   57.67 sec. 0.94 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   703122355 (  9.00%) instrs.   60.94 sec. 0.94 GB ram.
>> >>>> >> >> >>>> > api414-4-20:   783198179 ( 10.03%) instrs.   64.60 sec. 0.95 GB ram.
>> >>>> >> >> >>>> > READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
>> >>>> >> >> >>>> > tstringsearch: thestring = [passwordisqemu]
>> >>>> >> >> >>>> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >>>> >> >> >>>> > tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> >> >>>> > enabling taint at instr count 812336749
>> >>>> >> >> >>>> > taint2: __taint_enable_taint
>> >>>> >> >> >>>> > taint2: Creating byte-level taint processor
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x10000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x20000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x30000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x40000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x50000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x60000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x70000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x80000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x90000000000.
>> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> > Cannot allocate memory
>> >>>> >> >> >>>> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f8b608d0010.
>> >>>> >> >> >>>> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 16be2a70.
>> >>>> >> >> >>>> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 171c3540.
>> >>>> >> >> >>>> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 1720ddd0.
>> >>>> >> >> >>>> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> >>>> >> >> >>>> > taint2: Done initializing taint transformation.
>> >>>> >> >> >>>> > taint2: Done processing helper functions for taint.
>> >>>> >> >> >>>> > taint2: Done verifying module. Running...
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > ****************************************************************************
>> >>>> >> >> >>>> > applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > ******************************************************************************
>> >>>> >> >> >>>> > Segmentation fault
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> > 2015-04-20 22:42 GMT-04:00 Brendan Dolan-Gavitt
>> >>>> >> >> >>>> > <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >
>> >>>> >> >> >>>> >> I am currently running your taint replay, and it is (so
>> >>>> >> >> >>>> >> far)
>> >>>> >> >> >>>> >> working
>> >>>> >> >> >>>> >> fine. Here is the (slightly abbreviated) output I get:
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> api414-4-20:   783198179 ( 10.03%) instrs.  218.26 sec.
>> >>>> >> >> >>>> >> 0.96
>> >>>> >> >> >>>> >> GB
>> >>>> >> >> >>>> >> ram.
>> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812336749 :
>> 72a7562e
>> >>>> >> >> >>>> >> b6cb2e02
>> >>>> >> >> >>>> >> 0d36c000
>> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d
>> 75
>> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> >> >>>> >> enabling taint at instr count 812336749
>> >>>> >> >> >>>> >> taint2: __taint_enable_taint
>> >>>> >> >> >>>> >> taint2: Creating byte-level taint processor
>> >>>> >> >> >>>> >> taint2: Allocating large fast_shad (8589934592 bytes).
>> >>>> >> >> >>>> >> taint2: Hugetlb failed. Trying without.
>> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (12800000 bytes)
>> using
>> >>>> >> >> >>>> >> malloc @
>> >>>> >> >> >>>> >> 7fdd165c6010.
>> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (256 bytes) using
>> >>>> >> >> >>>> >> malloc @
>> >>>> >> >> >>>> >> 7fdd0bec21a0.
>> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (1024 bytes) using
>> >>>> >> >> >>>> >> malloc @
>> >>>> >> >> >>>> >> 7fdcfc49ddc0.
>> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (867840 bytes) using
>> >>>> >> >> >>>> >> malloc
>> >>>> >> >> >>>> >> @
>> >>>> >> >> >>>> >> 7fdcfc4e7db0.
>> >>>> >> >> >>>> >> taint2: Linking taint ops from
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> /scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
>> >>>> >> >> >>>> >> taint2: Done initializing taint transformation.
>> >>>> >> >> >>>> >> taint2: Done processing helper functions for taint.
>> >>>> >> >> >>>> >> taint2: Done verifying module. Running...
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> ****************************************************************************
>> >>>> >> >> >>>> >> applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >> >>>> >> ******************************************************************************
>> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812336765 :  72a7562e b6cb2a2a 0d36c000
>> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> ****************************************************************************
>> >>>> >> >> >>>> >> applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >> >>>> >> ******************************************************************************
>> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812337316 :  72a7562e b6cb2e4a 0d36c000
>> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> ****************************************************************************
>> >>>> >> >> >>>> >> applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >> >>>> >> ******************************************************************************
>> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812337331 :  72a7562e b6cb2a2a 0d36c000
>> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
>> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
>> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> ****************************************************************************
>> >>>> >> >> >>>> >> applying taint labels to search string of length 14  @ p=0xa70d6212
>> >>>> >> >> >>>> >> ******************************************************************************
>> >>>> >> >> >>>> >> api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.
>> >>>> >> >> >>>> >> api414-4-20:   937474512 ( 12.00%) instrs. 1017.48 sec.  4.70 GB ram.
>> >>>> >> >> >>>> >> api414-4-20:  1015597970 ( 13.00%) instrs. 1265.76 sec.  5.58 GB ram.
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> My command line to replay was:
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda 'stringsearch:name=api;tstringsearch;tainted_instr'
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> From the screenshot you posted earlier, it looks like yours had already failed by this point. If you are still getting a segfault with this replay, could you post:
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> 1. The full command line you are using (as text, not a screenshot)
>> >>>> >> >> >>>> >> 2. The full output from PANDA up to the point where the segfault happens (as text, not a screenshot)
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> -Brendan
>> >>>> >> >> >>>> >>
>> >>>> >> >> >>>> >> On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> > i know you are busy.
>> >>>> >> >> >>>> >> > I just get stuck in this taint step but have no idea how to fix it...(use core dump to find where it segfaults)
>> >>>> >> >> >>>> >> > here is the 512M version: http://pan.baidu.com/s/1mgopzIg
>> >>>> >> >> >>>> >> > the content of search string .txt is "passwordisqemu"
>> >>>> >> >> >>>> >> > thanks!
>> >>>> >> >> >>>> >> >
>> >>>> >> >> >>>> >> > 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >
>> >>>> >> >> >>>> >> >> I will try to reproduce from those instructions in the next couple days. Sorry for the delay! Did you post the .rr of the recording with 512M somewhere? I only saw the 2G one.
>> >>>> >> >> >>>> >> >>
>> >>>> >> >> >>>> >> >> Thanks,
>> >>>> >> >> >>>> >> >> Brendan
>> >>>> >> >> >>>> >> >>
>> >>>> >> >> >>>> >> >> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>
>> >>>> >> >> >>>> >> >>> about the taint segfault, if you cannot download that .rr i uploaded before, you can follow the steps to reproduce:
>> >>>> >> >> >>>> >> >>> 1)use android studio to create avd, choose api21 target android 5.0.1 use the default size;you can get the cache-img,sdcard.img,data.img and system.img and then copy kernel-qemu & rmdisk.img from sdk/systemimg;
>> >>>> >> >> >>>> >> >>> 2)use pandaCovert.py to convert them and get the (cache,data,system)-pandroid.qcow2 as well as kernel and initramfs;
>> >>>> >> >> >>>> >> >>> 3)use runpandroid.py(-m 512) to boot emulator;telnet and begin_record
>> >>>> >> >> >>>> >> >>> 4)run an app and input a string : end_record;
>> >>>> >> >> >>>> >> >>> 5)use qemu-system-arm to replay(-m 512) with the panda plugins:stringsearch,tstringsearch;tainted_instr.(the search string .txt is the string you input)
>> >>>> >> >> >>>> >> >>>
>> >>>> >> >> >>>> >> >>> do you guys get the segfault ?
>> >>>> >> >> >>>> >> >>> how can i fix it?
>> >>>> >> >> >>>> >> >>> Thanks a lot!
>> >>>> >> >> >>>> >> >>>
>> >>>> >> >> >>>> >> >>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>>> >> >>>>
>> >>>> >> >> >>>> >> >>>> excuse me, i have noticed that the ida_taint plugin:"win7 only but other os could be easily added".
>> >>>> >> >> >>>> >> >>>> i have installed ida pro in my system(debian),modified the ida_taint.bat with my ida path,when i use it :./ida_taint.bat name.json qemu-system-arm it failed. it seems not available in linux, is it?
>> >>>> >> >> >>>> >> >>>> Thanks a lot!
>> >>>> >> >> >>>> >> >>>>
>> >>>> >> >> >>>> >> >>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >>>>> Once you have used PANDA's taint system to identify the portions of the code that process the data you're interested in, you will still have to analyze that code to understand how it works. One way to do that might be to use the scissors plugin to extract out the portion of the trace that contains the code you're interested in, and then replay it with QEMU's "-d in_asm -D asmlog.txt" options to get the disassembly for that code.
>> >>>> >> >> >>>> >> >>>>>
>> >>>> >> >> >>>> >> >>>>> Alternatively, you could take a memory snapshot at some point when the code you want to analyze is in memory (using something like the pmemsave plugin in PANDA), then use Volatility to analyze that memory image to extract out the binary, which you could look at in IDA or something similar.
>> >>>> >> >> >>>> >> >>>>>
>> >>>> >> >> >>>> >> >>>>> Basically – disassemble the code that handles the data you're interested in and find out how it works. Exactly what that means will depend on what you're hoping to accomplish.
>> >>>> >> >> >>>> >> >>>>>
>> >>>> >> >> >>>> >> >>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>
>> >>>> >> >> >>>> >> >>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>
>> >>>> >> >> >>>> >> >>>>>> Hi,
>> >>>> >> >> >>>> >> >>>>>> Thanks for your job first.
>> >>>> >> >> >>>> >> >>>>>> I am a little confused about the result of the tainted.how can I get enough information about the processing code from the binary? use the gdb?
>> >>>> >> >> >>>> >> >>>>>> Thanks!
>> >>>> >> >> >>>> >> >>>>>>
>> >>>> >> >> >>>> >> >>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>>> >> >>>>>>>
>> >>>> >> >> >>>> >> >>>>>>> Thanks for your guys' great work!
>> >>>> >> >> >>>> >> >>>>>>> and I will try.
>> >>>> >> >> >>>> >> >>>>>>>
>> >>>> >> >> >>>> >> >>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >>>>>>>> Hi,
>> >>>> >> >> >>>> >> >>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>> Tim has just updated the tainted_instructions tutorial so that it reflects how things work now. Could you look through that tutorial and see if it helps with your problem?
>> >>>> >> >> >>>> >> >>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
>> >>>> >> >> >>>> >> >>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>> Note that you will probably need to do a "git pull" and rebuild (make clean ; ./build.sh) in order to make sure everything works as it says in the tutorial.
>> >>>> >> >> >>>> >> >>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>> Now that the panda taint.md is not fresh,can you guys give me some help?
>> >>>> >> >> >>>> >> >>>>>>>>> I use the replay plugin,here is my command and the result.
>> >>>> >> >> >>>> >> >>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>> the content of pk_search_strings.txt is :"sdt"
>> >>>> >> >> >>>> >> >>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>> I am confused here:in the paper— Repeatable reverse with panda: : it is clear that:if I use the stringsearch and taint plugin,when it matches, the taint label will be put and then taint action will start.but when I use it, it seems wrong(the picture showed before):no taint action execute,and i am confused about the tstringsearch's result.
>> >>>> >> >> >>>> >> >>>>>>>>> how can i use it to analysis?
>> >>>> >> >> >>>> >> >>>>>>>>> Thanks a lot!
>> >>>> >> >> >>>> >> >>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>>> >> >>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>> I get the replay file by running runandroid script. and i use qemu-system-arm command just to do some replay work.
>> >>>> >> >> >>>> >> >>>>>>>>>> I may not understand you at all in this email.do you mean that i should gdb the original program rather than the record file?
>> >>>> >> >> >>>> >> >>>>>>>>>> Thanks
>> >>>> >> >> >>>> >> >>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> Are you by any chance running PANDA using the runandroid script? If so, you will need to instead invoke PANDA manually, i.e.:
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a backtrace.
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>> when gdb,it shows:
>> >>>> >> >> >>>> >> >>>>>>>>>>>> and then i see the log:it shows segfault:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>> maybe i am wrong.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>> i use the command line:"taint2:label_mode=binary,query_outgoing_network=1"and I found that when i use taint2, after it loads panda_taint2.so,it shows:"taint2:instructed not to inline taint ops .success".
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>> ok.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 1.I want to use taint plugin to get information about some functions(of course, it is closed-source),so I think I can stringsearch potential data and then taint them and next I can locate the functions which solves these data.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 2.the command line I used is : stringsearch:name=***;taint2:tainted_instructions=1.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>> thanks
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> Could you provide:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> 1. What information you're trying to get
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2 plugin
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> ?
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output by default. Instead you use the -pandalog <filename> command line option, and taint2 will write its results there in pandalog format; you can then read them using pandalog_reader (see panda/pandalog_reader.c for details on that tool).
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>> when I tried taint2,it showed the same error with taint1, the only difference is that taint2 has no segfault error,just uninit taint plugin.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed? Segfault? Error message? Incorrect output?
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> i tried taint2 too,it failed.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct. “taint2” is the one we are actively using and developing.
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> --
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Tim Leek
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Technical Staff
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cyber System Assessments
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> 781-981-2975
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace when it crashes?
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> -Brendan
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Hi,
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> excuse me,i have a question about taint plugin:(stringsearch:name=***;taint:tainted_instructions=1)
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> when I started it showed success:
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> but when it finished search,it showed "uninit taint plugin segementation fault"
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> how can I fix it?
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Thanks a lot!
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> --
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> wait and hope~~
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> _______________________________________________
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> panda-users mailing list
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> panda-users at mit.edu
>> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users



-- 
wait and hope~~
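The thread keeps coming back to replays that run out of memory long before they finish, and the only early signal PANDA gives is the periodic progress line (`api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.`). The script below is an added example written for this page, not code from the thread or from the PANDA project: it parses those progress lines out of a replay log, fits a straight line of RAM against percent replayed, and reports at what point a given host memory limit would be reached. The sample input is the three progress lines quoted above plus two surrounding non-progress lines; the line format, the function names and the `HOST_GB` values are assumptions of this example. Linear extrapolation is deliberately crude (taint shadow memory does not have to grow linearly), so the projection is an early-warning heuristic to decide whether to stop a replay, shorten it with scissors, or move to a larger host, not a measurement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Regex for a PANDA replay progress line (format as seen in the thread):
#   <replay name>:  <instrs> ( <pct>%) instrs. <secs> sec. <ram> GB ram.
PROGRESS_RE = re.compile(
    r"^(?P<name>\S+):\s+(?P<instrs>\d+)\s+\(\s*(?P<pct>\d+(?:\.\d+)?)%\)\s+instrs\.\s+"
    r"(?P<secs>\d+(?:\.\d+)?)\s+sec\.\s+(?P<ram>\d+(?:\.\d+)?)\s+GB\s+ram\.$"
)

# Sample input: the three progress lines quoted in the thread, surrounded by
# two of the non-progress lines PANDA prints, so the filter is exercised too.
SAMPLE_OUTPUT = [
    "tstringsearch: string in memory @ 0xa70d6212",
    "******************************************************************************",
    "api414-4-20:   859399601 ( 11.00%) instrs.  658.13 sec.  3.27 GB ram.",
    "api414-4-20:   937474512 ( 12.00%) instrs. 1017.48 sec.  4.70 GB ram.",
    "api414-4-20:  1015597970 ( 13.00%) instrs. 1265.76 sec.  5.58 GB ram.",
]


@dataclass(frozen=True)
class Progress:
    name: str      # replay name, e.g. "api414-4-20"
    instrs: int    # guest instructions replayed so far
    pct: float     # percent of the recording replayed
    secs: float    # wall-clock seconds spent so far
    ram_gb: float  # resident memory PANDA reports, in GB


def parse_progress(lines: Sequence[str]) -> List[Progress]:
    """Return the progress records found in a chunk of PANDA output.

    Anything that is not a progress line (stringsearch matches, taint
    banners, plugin load messages) is skipped, so a whole log can be fed in.
    """
    found = []
    for line in lines:
        m = PROGRESS_RE.match(line.strip())
        if m:
            found.append(Progress(m["name"], int(m["instrs"]), float(m["pct"]),
                                  float(m["secs"]), float(m["ram"])))
    return found


def fit_ram(samples: Sequence[Progress]) -> Tuple[float, float]:
    """Least-squares fit ram_gb = slope * pct + intercept over the samples."""
    if len(samples) < 2:
        raise ValueError("need at least two progress samples")
    n = len(samples)
    mean_pct = sum(s.pct for s in samples) / n
    mean_ram = sum(s.ram_gb for s in samples) / n
    sxy = sum((s.pct - mean_pct) * (s.ram_gb - mean_ram) for s in samples)
    sxx = sum((s.pct - mean_pct) ** 2 for s in samples)
    if sxx == 0:
        raise ValueError("all samples are at the same percentage")
    slope = sxy / sxx
    return slope, mean_ram - slope * mean_pct


def projected_ram_gb(samples: Sequence[Progress], at_pct: float = 100.0) -> float:
    """RAM the linear fit predicts at `at_pct` percent of the replay."""
    slope, intercept = fit_ram(samples)
    return slope * at_pct + intercept


def pct_at_limit(samples: Sequence[Progress], host_gb: float) -> Optional[float]:
    """Percent of the replay at which the fit predicts reaching host_gb.

    None means the fit never reaches the limit before 100% (or RAM is flat
    or shrinking), i.e. the replay is not expected to be OOM-killed.
    """
    slope, intercept = fit_ram(samples)
    if slope <= 0:
        return None
    pct = (host_gb - intercept) / slope
    return pct if pct <= 100.0 else None


if __name__ == "__main__":
    recs = parse_progress(SAMPLE_OUTPUT)
    slope, _ = fit_ram(recs)
    print(f"{len(recs)} samples, RAM grows {slope:.2f} GB per percent replayed")
    print(f"projected at 100%: {projected_ram_gb(recs):.1f} GB")
    for host in (16.0, 32.0):  # HOST_GB values: assumed host sizes
        p = pct_at_limit(recs, host)
        print(f"{host:.0f} GB host: " + ("not reached" if p is None
                                         else f"reached at ~{p:.1f}%"))
```

On the three quoted samples the fit grows by about 1.16 GB per percent, so a 16 GB host would be exhausted at roughly 22% of the replay and a 32 GB host not much later, which matches the symptom of the process being killed well before the end. Feed it a longer tail of progress lines from a real run before trusting the number.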
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20150421/c73ffc73/attachment-0001.htm