<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I am getting crash when I attempt to use file_taint.<div class=""><br class=""></div><div class="">Host:</div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">Linux ubuntu 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux</div></blockquote><div class=""><br class=""></div><div class="">Capture Command:</div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -hda ubuntu-16.04-server-cloudimg-i386-disk1.img -drive file=my-seed.img,if=virtio -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::5555-:22</div></blockquote><div class=""><br class=""></div><div class="">Reply Command:<br class=""><span class="Apple-tab-span" style="white-space:pre"> </span>~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -drive file=my-seed.img,if=virtio -replay test32 -os linux-32-4.4.0-142-generic -panda osi -panda osi_linux:kconf_group=4.4.0-142-generic:32 -panda file_taint:filename=test32.txt </div><div class=""><br class=""></div><div class="">Output:</div><div class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">os_familyno=2 bits=32 os_details=[4.4.0-142-generic]</div><div class="">PANDA[osi_linux] - adding argument kconf_group=4.4.0-142-generic:32.</div><div class="">PANDA[file_taint] - adding argument filename=test32.txt.</div><div class="">Initializing plugin osi</div><div class="">Looking for kconffile in /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf</div><div class="">OSI grabbing Linux introspection backend.</div><div class="">Linux OSI, using group 4.4.0-142-generic:32 from /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.</div><div class="">panda_require: osi_linux</div><div class="">Initializing plugin osi_linux</div><div class="">INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): Read kernel info from group "4.4.0-142-generic:32" of file "/home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf".</div><div class="">INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): osi_linux initialization complete.</div><div class="">panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded</div><div class="">Initializing plugin file_taint</div><div class="">taint_filename = [test32.txt]</div><div class="">positional_labels = 0</div><div class="">no_taint = 0</div><div class="">end_label = 1000000</div><div class="">first_instr = 0 </div><div class="">panda_require: osi</div><div class="">panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi.so already loaded</div><div class="">panda_require: syscalls2</div><div class="">Initializing plugin syscalls2</div><div class="">syscalls2: using profile for linux x86 32-bit</div><div class="">panda_require: osi_linux</div><div class="">panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded</div><div class="">panda_require: taint2</div><div class="">Initializing plugin taint2</div><div class="">taint2: Propagating taint through pointer dereference ENABLED</div><div class="">taint2: taint ops inlining DISABLED</div><div class="">panda_require: callstack_instr</div><div class="">Initializing plugin callstack_instr</div><div class="">taint2: taint2_enable_taint</div><div class="">taint2: Allocating small fast_shad (0 bytes) using malloc @ 55f913a1fbe0.</div><div class="">taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fd16c537010.</div><div class="">taint2: Allocating small fast_shad (256 bytes) using malloc @ 55f9139b0800.</div><div class="">taint2: Allocating small fast_shad (512 bytes) using malloc @ 55f912f179e0.</div><div class="">taint2: Allocating small fast_shad (656384 bytes) using malloc @ 7fd16c496010.</div><div class="">taint2: LLVM optimizations DISABLED</div><div class="">taint2: Linking taint ops from /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_taint2_ops.bc</div><div class="">taint2: Done initializing taint transformation.</div><div class="">Segmentation fault (core dumped)</div></blockquote><div class=""><br class="">In particular, the crash is in llvm_taint_lib.cpp:<br class=""><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div class="">void PandaTaintVisitor::insertStateOp(Instruction &I) {</div><div class="">...</div><div class=""> vector<Value *> args{</div><div class=""> const_uint64_ptr(ctx, first_cpu->env_ptr), ptrToInt(ptr, I),</div><div class=""> llvConst, constSlot(val), grvConst, gsvConst,</div><div class=""> const_uint64(ctx, size), const_uint64(ctx, sizeof(target_ulong)),</div><div class=""> ConstantInt::get(llvm::Type::getInt1Ty(ctx), isStore)</div><div class=""> };</div><div class=""> inlineCallAfter(I, hostCopyF, args);</div><div class=""><br class=""></div><div class=""><br class=""></div></blockquote><div class=""><br class="">Poking around a little, it appears that macro first_cpu is NULL right now, but I can’t figure how it is supposed to be set.<br class=""><br class="">Thanks!</div></body></html>