[panda-users] taint segmentation fault
xiaojuan Li
xiaotan6666 at gmail.com
Tue Apr 21 19:49:11 EDT 2015
Actually, I have increased my memory to 16G. If I use 512 to record and
replay, it is killed; if I use 256 to record and replay, the first time it was
killed, but the second try succeeded (shown below). I just think it is
unstable; as for the reason, I am trying to find it.
Thank you very much for your reply!
Sorry for troubling you for so long!
READ Match of str 0 at: instr_count=5180266230 : 72a7562e b6c79a2a 00c04000
tstringsearch: thestring = [passwordisqemu]
tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
tstringsearch: string in memory @ 0xa49002da
****************************************************************************
applying taint labels to search string of length 14 @ p=0xa49002da
******************************************************************************
api214-20-256: 5244538335 ( 75.00%) instrs. 4643.72 sec. 6.58 GB ram.
api214-20-256: 5316190227 ( 76.03%) instrs. 4988.98 sec. 6.60 GB ram.
api214-20-256: 5386319700 ( 77.03%) instrs. 5363.67 sec. 6.60 GB ram.
api214-20-256: 5456115383 ( 78.03%) instrs. 5714.12 sec. 6.60 GB ram.
api214-20-256: 5524071341 ( 79.00%) instrs. 6039.86 sec. 6.62 GB ram.
api214-20-256: 5594009950 ( 80.00%) instrs. 6392.84 sec. 6.62 GB ram.
api214-20-256: 5665215324 ( 81.02%) instrs. 6760.18 sec. 6.62 GB ram.
api214-20-256: 5735561744 ( 82.02%) instrs. 7122.95 sec. 6.62 GB ram.
api214-20-256: 5803941321 ( 83.00%) instrs. 7475.05 sec. 6.62 GB ram.
api214-20-256: 5874989410 ( 84.02%) instrs. 7839.22 sec. 6.62 GB ram.
api214-20-256: 5945687287 ( 85.03%) instrs. 8201.84 sec. 6.62 GB ram.
api214-20-256: 6016246771 ( 86.04%) instrs. 8566.35 sec. 6.63 GB ram.
api214-20-256: 6086895413 ( 87.05%) instrs. 8929.06 sec. 6.63 GB ram.
api214-20-256: 6153429632 ( 88.00%) instrs. 9264.48 sec. 6.65 GB ram.
api214-20-256: 6225320269 ( 89.03%) instrs. 9730.16 sec. 6.72 GB ram.
api214-20-256: 6293245468 ( 90.00%) instrs. 10102.98 sec. 6.72 GB ram.
api214-20-256: 6364596059 ( 91.02%) instrs. 10468.66 sec. 6.72 GB ram.
api214-20-256: 6436068665 ( 92.04%) instrs. 10837.40 sec. 6.72 GB ram.
api214-20-256: 6503270471 ( 93.00%) instrs. 11192.30 sec. 6.72 GB ram.
api214-20-256: 6574434672 ( 94.02%) instrs. 11558.97 sec. 6.72 GB ram.
api214-20-256: 6644627703 ( 95.03%) instrs. 11920.98 sec. 6.72 GB ram.
api214-20-256: 6715490334 ( 96.04%) instrs. 12288.82 sec. 6.72 GB ram.
api214-20-256: 6783347812 ( 97.01%) instrs. 12631.31 sec. 6.72 GB ram.
api214-20-256: 6853231196 ( 98.01%) instrs. 12984.73 sec. 6.72 GB ram.
api214-20-256: 6922569909 ( 99.00%) instrs. 13338.83 sec. 6.72 GB ram.
/home/shentanli/pandanew/scripts/api214-20-256-rr-nondet.log: log is empty.
Replay completed successfully.
Time taken was: 13702 seconds.
Stats:
RR_INPUT_1 number = 818, size = 22086 bytes
RR_INPUT_2 number = 303, size = 8484 bytes
RR_INPUT_4 number = 757989, size = 22739670 bytes
RR_INPUT_8 number = 0, size = 0 bytes
RR_INTERRUPT_REQUEST number = 1756538, size = 49183064 bytes
RR_EXIT_REQUEST number = 0, size = 0 bytes
RR_SKIPPED_CALL number = 453631, size = 254126959 bytes
RR_DEBUG number = 0, size = 0 bytes
max_queue_len = 769
768 items on recycle list, 67584 bytes total
Replay completed successfully.
2015-04-21 16:26 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> This is because your system is running out of memory, and so the
> kernel is killing the process so the system doesn't crash (as you can
> see it's using 10.68 GB ram when it crashes, and your system only has
> 8GB available). You can verify this by looking at the output of
> "dmesg".
>
> I'm not sure what else you can do, unfortunately (aside from running
> this on a system with more RAM). It's possible you can modify the
> taint plugin to use less memory (for example, by removing the taint
> compute number tracking), but that's not something I have time to help
> with at the moment. You'd have to read and understand the taint2
> plugin code.
>
> -Brendan
>
> On Tue, Apr 21, 2015 at 5:40 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> > And when I record and replay with 256M, it just gets killed...:
> >
> > ****************************************************************************
> > applying taint labels to search string of length 14 @ p=0xa73aebab
> > ******************************************************************************
> > api214-20-256: 4405812542 ( 63.01%) instrs. 750.04 sec. 10.68 GB ram.
> > Killed
> >
> >
> >
> > 2015-04-21 3:29 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >
> >> Hi Brendan, if you keep running it, do you encounter this?
> >>
> >> ****************************************************************************
> >> applying taint labels to search string of length 14 @ p=0xa62e82dd
> >> ******************************************************************************
> >> api414-4-20: 2737044888 ( 35.04%) instrs. 1943.11 sec. 14.51 GB ram.
> >> terminate called after throwing an instance of 'std::bad_alloc'
> >> what(): std::bad_alloc
> >> Aborted
> >>
> >> I used gdb to check the core dump; it shows:
> >> Program terminated with signal 6, Aborted.
> >> #0 0x00007fdb33f80165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
> >>
> >> It seems to be caused by malloc().
> >>
> >>
> >>
> >>
> >> 2015-04-21 1:18 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>
> >>> Thank you very much for your patience and your great work!
> >>> Now I can use the taint plugin (but it seems a little slow) and take my
> >>> next step.
> >>>
> >>> 2015-04-21 12:04 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>>
> >>>> Ok! Another option is to try making a recording with only 256M of RAM,
> >>>> which would need only 4GB to replay.
> >>>>
> >>>> One last thing you can try – it is possible that the taint system will
> >>>> not actually use all of the memory it allocates. In this case, if you
> >>>> allow the kernel to overcommit memory it may succeed. You can do this
> >>>> either by setting /proc/sys/vm/overcommit_memory to 1 or by setting
> >>>> /proc/sys/vm/overcommit_ratio to a higher value. There are more
> >>>> details about this feature here:
> >>>> https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
> >>>>
> >>>> -Brendan
> >>>>
> >>>>
> >>>> On Mon, Apr 20, 2015 at 11:54 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> > Sorry, I made a mistake: my RAM size is:
> >>>> > (free -g)
> >>>> >              total       used       free     shared    buffers     cached
> >>>> > Mem:             7          6          1          0          0          2
> >>>> > -/+ buffers/cache:          3          4
> >>>> > Swap:            0          0          0
> >>>> >
> >>>> > Before, I mistook the size of the hardware...
> >>>> >
> >>>> > It is unlimited.
> >>>> > I think I should increase the memory chips.
> >>>> > Thanks!
> >>>> >
> >>>> > 2015-04-20 23:36 GMT-04:00 Brendan Dolan-Gavitt
> >>>> > <brendandg at gatech.edu>:
> >>>> >
> >>>> >> It is still not able to allocate the memory for the taint system, it
> >>>> >> seems (based on the "Cannot allocate memory" part). Since you said
> >>>> >> your host system has 16GB of RAM, I'm not sure what else could be the
> >>>> >> problem.
> >>>> >>
> >>>> >> Do you have any memory quota set up on your system? (for example, does
> >>>> >> "ulimit -v" show any limits on the amount of memory you're allowed to
> >>>> >> allocate in a single process?)
> >>>> >>
> >>>> >> -Brendan
> >>>> >>
> >>>> >> On Mon, Apr 20, 2015 at 11:28 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> > I use the new version, but it still segfaults :(
> >>>> >> >
> >>>> >> > opening nondet log for read :
> >>>> >> > /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
> >>>> >> > api414-4-20: 81316759 ( 1.04%) instrs. 7.49 sec. 0.61 GB ram.
> >>>> >> > api414-4-20: 156342747 ( 2.00%) instrs. 16.14 sec. 0.69 GB ram.
> >>>> >> > api414-4-20: 234368551 ( 3.00%) instrs. 25.29 sec. 0.76 GB ram.
> >>>> >> > api414-4-20: 312493247 ( 4.00%) instrs. 36.09 sec. 0.83 GB ram.
> >>>> >> > api414-4-20: 390616091 ( 5.00%) instrs. 44.62 sec. 0.87 GB ram.
> >>>> >> > api414-4-20: 468738195 ( 6.00%) instrs. 50.08 sec. 0.90 GB ram.
> >>>> >> > api414-4-20: 547631582 ( 7.01%) instrs. 54.95 sec. 0.93 GB ram.
> >>>> >> > api414-4-20: 624983872 ( 8.00%) instrs. 58.64 sec. 0.94 GB ram.
> >>>> >> > api414-4-20: 703122355 ( 9.00%) instrs. 61.98 sec. 0.94 GB ram.
> >>>> >> > api414-4-20: 783198179 ( 10.03%) instrs. 65.80 sec. 0.95 GB ram.
> >>>> >> > READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
> >>>> >> > tstringsearch: thestring = [passwordisqemu]
> >>>> >> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> > tstringsearch: string in memory @ 0xa70d6212
> >>>> >> > enabling taint at instr count 812336749
> >>>> >> > taint2: __taint_enable_taint
> >>>> >> > taint2: Creating byte-level taint processor
> >>>> >> > taint2: Allocating large fast_shad (8589934592 bytes).
> >>>> >> > taint2: Hugetlb failed. Trying without.
> >>>> >> > Cannot allocate memory
> >>>> >> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f38ff62e010.
> >>>> >> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 17cda900.
> >>>> >> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 17cd91f0.
> >>>> >> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 17d24e70.
> >>>> >> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
> >>>> >> > taint2: Done initializing taint transformation.
> >>>> >> > taint2: Done processing helper functions for taint.
> >>>> >> > taint2: Done verifying module. Running...
> >>>> >> >
> >>>> >> > ****************************************************************************
> >>>> >> > applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> > ******************************************************************************
> >>>> >> > Segmentation fault
> >>>> >> >
> >>>> >> >
> >>>> >> > 2015-04-20 23:18 GMT-04:00 Brendan Dolan-Gavitt
> >>>> >> > <brendandg at gatech.edu>:
> >>>> >> >
> >>>> >> >> That was caused by some code that was left in by mistake from another
> >>>> >> >> branch of the project. I have fixed it and pushed the change. Once
> >>>> >> >> again you will need to do git pull && make clean && ./build.sh to
> >>>> >> >> rebuild.
> >>>> >> >>
> >>>> >> >> Hopefully this will fix things for you!
> >>>> >> >>
> >>>> >> >> -Brendan
> >>>> >> >>
> >>>> >> >> On Mon, Apr 20, 2015 at 11:11 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> > It is the path that caused the termination.
> >>>> >> >> > I can find panda_hypercall_struct.h in the
> >>>> >> >> > /qemu/panda_tools/pirate_utils/linux directory.
> >>>> >> >> >
> >>>> >> >> > 2015-04-20 23:02 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >
> >>>> >> >> >> While rebuilding:
> >>>> >> >> >> taint2.cpp:109:61: fatal error: ../../../../lava/include/panda_hypercall_struct.h: No such file or directory
> >>>> >> >> >> compilation terminated.
> >>>> >> >> >> Did you miss pushing some files?
> >>>> >> >> >>
> >>>> >> >> >>
> >>>> >> >> >> 2015-04-20 22:56 GMT-04:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>
> >>>> >> >> >>> You mean that it was caused by "allocate at a fixed address"?
> >>>> >> >> >>> I am going to try it; thanks.
> >>>> >> >> >>>
> >>>> >> >> >>> 2015-04-20 22:53 GMT-04:00 Brendan Dolan-Gavitt
> >>>> >> >> >>> <brendandg at gatech.edu>:
> >>>> >> >> >>>
> >>>> >> >> >>>> Ah! I forgot to push the commit I made to stop it from trying to
> >>>> >> >> >>>> allocate at a fixed address.
> >>>> >> >> >>>>
> >>>> >> >> >>>> Could you do a git pull, rebuild, and try again?
> >>>> >> >> >>>>
> >>>> >> >> >>>> -Brendan
> >>>> >> >> >>>>
> >>>> >> >> >>>> On Mon, Apr 20, 2015 at 10:51 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> > 1. The command I use is:
> >>>> >> >> >>>> > ./qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -kernel /dev/null -android -panda "stringsearch:name=test;tstringsearch;tainted_instr"
> >>>> >> >> >>>> > 2. The output is:
> >>>> >> >> >>>> > Adding PANDA arg stringsearch:name=test.
> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so to panda_plugin_files 0
> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so to panda_plugin_files 1
> >>>> >> >> >>>> > adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so to panda_plugin_files 2
> >>>> >> >> >>>> > emulator: registered 'boot-properties' qemud service
> >>>> >> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so
> >>>> >> >> >>>> > Initializing plugin stringsearch
> >>>> >> >> >>>> > panda_require: callstack_instr
> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so
> >>>> >> >> >>>> > Initializing plugin callstack_instr
> >>>> >> >> >>>> > Success
> >>>> >> >> >>>> > stringsearch: added string of length 14 to search set
> >>>> >> >> >>>> > Success
> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tstringsearch.so
> >>>> >> >> >>>> > Initializing tstringsearch
> >>>> >> >> >>>> > panda_require: stringsearch
> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_stringsearch.so already loaded
> >>>> >> >> >>>> > panda_require: taint2
> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so
> >>>> >> >> >>>> > Initializing taint plugin
> >>>> >> >> >>>> > taint2: Instructed not to inline taint ops.
> >>>> >> >> >>>> > panda_require: callstack_instr
> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
> >>>> >> >> >>>> > Success
> >>>> >> >> >>>> > Success
> >>>> >> >> >>>> > loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_tainted_instr.so
> >>>> >> >> >>>> > panda_require: taint2
> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2.so already loaded
> >>>> >> >> >>>> > panda_require: callstack_instr
> >>>> >> >> >>>> > panda_load_plugin: /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_callstack_instr.so already loaded
> >>>> >> >> >>>> > Success
> >>>> >> >> >>>> > goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
> >>>> >> >> >>>> > goldfish_device_bus: ff001000 30
> >>>> >> >> >>>> > goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
> >>>> >> >> >>>> > goldfish_int: ff000000 38
> >>>> >> >> >>>> > goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
> >>>> >> >> >>>> > goldfish_timer: ff003000 40
> >>>> >> >> >>>> > goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
> >>>> >> >> >>>> > goldfish_rtc: ff010000 48
> >>>> >> >> >>>> > goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
> >>>> >> >> >>>> > goldfish_tty: ff002000 50
> >>>> >> >> >>>> > android_arm_init serial 1 0
> >>>> >> >> >>>> > android_arm_init serial 2 0
> >>>> >> >> >>>> > android_arm_init serial 3 0
> >>>> >> >> >>>> > goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
> >>>> >> >> >>>> > goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
> >>>> >> >> >>>> > goldfish_fb: ff012000 68
> >>>> >> >> >>>> > Using tmpfile for SD card: /tmp/android-shentanli/emulator-P6kmpf
> >>>> >> >> >>>> > goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
> >>>> >> >> >>>> > goldfish_mmc: ff005000 70
> >>>> >> >> >>>> > goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
> >>>> >> >> >>>> > goldfish_memlog: ff006000 78
> >>>> >> >> >>>> > goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
> >>>> >> >> >>>> > goldfish-battery: ff013000 80
> >>>> >> >> >>>> > goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
> >>>> >> >> >>>> > goldfish_events: ff014000 88
> >>>> >> >> >>>> > Using event IRQ
> >>>> >> >> >>>> > Invalid system partition size for non-QCOW image: 0emulator: geometry says there are 0 blocks
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-jxC2Uf is 0
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came from argument
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: geometry says there are 0 blocks
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-2FZLqg is 0
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: Dev size 0x0 came from argument
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: geometry says there are 0 blocks
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > emulator: Dev size of /tmp/android-shentanli/emulator-lyszWg is 0
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
> >>>> >> >> >>>> > goldfish_nand: ff015000 90
> >>>> >> >> >>>> > goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
> >>>> >> >> >>>> > qemu_pipe: ff016000 98
> >>>> >> >> >>>> > emulator: control console listening on port 5554, ADB on port 5555
> >>>> >> >> >>>> > emulator: can't connect to ADB server: Connection refused
> >>>> >> >> >>>> > emulator: Realistic sensor emulation is not available, since the remote controller is not accessible: Connection refused
> >>>> >> >> >>>> > loading snapshot
> >>>> >> >> >>>> > emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
> >>>> >> >> >>>> > emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
> >>>> >> >> >>>> > Unknown savevm section or instance 'goldfish_tty' 1
> >>>> >> >> >>>> > ... done.
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > Logging all cpu states
> >>>> >> >> >>>> > CPU #0:
> >>>> >> >> >>>> > R00=00000000 R01=c049bcb8 R02=00000000 R03=00000000
> >>>> >> >> >>>> > R04=c0480000 R05=c04b9948 R06=c048fd34 R07=c047b374
> >>>> >> >> >>>> > R08=c0a05100 R09=410fc090 R10=00000000 R11=00000000
> >>>> >> >> >>>> > R12=c049bcb8 R13=c0481fb0 R14=c000e3f4 R15=c00158c8
> >>>> >> >> >>>> > PSR=60000093 -ZC- A svc32
> >>>> >> >> >>>> > opening nondet log for read : /home/shentanli/pandanew/scripts/api414-4-20-rr-nondet.log
> >>>> >> >> >>>> > api414-4-20: 81316759 ( 1.04%) instrs. 7.52 sec. 0.61 GB ram.
> >>>> >> >> >>>> > api414-4-20: 156342747 ( 2.00%) instrs. 15.90 sec. 0.69 GB ram.
> >>>> >> >> >>>> > api414-4-20: 234368551 ( 3.00%) instrs. 24.93 sec. 0.76 GB ram.
> >>>> >> >> >>>> > api414-4-20: 312493247 ( 4.00%) instrs. 35.45 sec. 0.83 GB ram.
> >>>> >> >> >>>> > api414-4-20: 390616091 ( 5.00%) instrs. 43.97 sec. 0.87 GB ram.
> >>>> >> >> >>>> > api414-4-20: 468738195 ( 6.00%) instrs. 49.32 sec. 0.90 GB ram.
> >>>> >> >> >>>> > api414-4-20: 547631582 ( 7.01%) instrs. 54.12 sec. 0.93 GB ram.
> >>>> >> >> >>>> > api414-4-20: 624983872 ( 8.00%) instrs. 57.67 sec. 0.94 GB ram.
> >>>> >> >> >>>> > api414-4-20: 703122355 ( 9.00%) instrs. 60.94 sec. 0.94 GB ram.
> >>>> >> >> >>>> > api414-4-20: 783198179 ( 10.03%) instrs. 64.60 sec. 0.95 GB ram.
> >>>> >> >> >>>> > READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
> >>>> >> >> >>>> > tstringsearch: thestring = [passwordisqemu]
> >>>> >> >> >>>> > tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> >> >>>> > tstringsearch: string in memory @ 0xa70d6212
> >>>> >> >> >>>> > enabling taint at instr count 812336749
> >>>> >> >> >>>> > taint2: __taint_enable_taint
> >>>> >> >> >>>> > taint2: Creating byte-level taint processor
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x10000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x20000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x30000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x40000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x50000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x60000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x70000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x80000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > taint2: Allocating large fast_shad (8589934592 bytes) @ 0x90000000000.
> >>>> >> >> >>>> > taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> > Cannot allocate memory
> >>>> >> >> >>>> > taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7f8b608d0010.
> >>>> >> >> >>>> > taint2: Allocating small fast_shad (256 bytes) using malloc @ 16be2a70.
> >>>> >> >> >>>> > taint2: Allocating small fast_shad (1024 bytes) using malloc @ 171c3540.
> >>>> >> >> >>>> > taint2: Allocating small fast_shad (867840 bytes) using malloc @ 1720ddd0.
> >>>> >> >> >>>> > taint2: Linking taint ops from /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
> >>>> >> >> >>>> > taint2: Done initializing taint transformation.
> >>>> >> >> >>>> > taint2: Done processing helper functions for taint.
> >>>> >> >> >>>> > taint2: Done verifying module. Running...
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > ****************************************************************************
> >>>> >> >> >>>> > applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> >> >>>> > ******************************************************************************
> >>>> >> >> >>>> > Segmentation fault
> >>>> >> >> >>>> >
> >>>> >> >> >>>> >
> >>>> >> >> >>>> > 2015-04-20 22:42 GMT-04:00 Brendan Dolan-Gavitt
> >>>> >> >> >>>> > <brendandg at gatech.edu>:
> >>>> >> >> >>>> >
> >>>> >> >> >>>> >> I am currently running your taint replay, and it is (so far)
> >>>> >> >> >>>> >> working fine. Here is the (slightly abbreviated) output I get:
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> api414-4-20: 783198179 ( 10.03%) instrs. 218.26 sec. 0.96 GB ram.
> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812336749 : 72a7562e b6cb2e02 0d36c000
> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
> >>>> >> >> >>>> >> enabling taint at instr count 812336749
> >>>> >> >> >>>> >> taint2: __taint_enable_taint
> >>>> >> >> >>>> >> taint2: Creating byte-level taint processor
> >>>> >> >> >>>> >> taint2: Allocating large fast_shad (8589934592 bytes).
> >>>> >> >> >>>> >> taint2: Hugetlb failed. Trying without.
> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fdd165c6010.
> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (256 bytes) using malloc @ 7fdd0bec21a0.
> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (1024 bytes) using malloc @ 7fdcfc49ddc0.
> >>>> >> >> >>>> >> taint2: Allocating small fast_shad (867840 bytes) using malloc @ 7fdcfc4e7db0.
> >>>> >> >> >>>> >> taint2: Linking taint ops from /scratch/git/pandroid/qemu/arm-softmmu/panda_plugins/panda_taint2_ops.bc
> >>>> >> >> >>>> >> taint2: Done initializing taint transformation.
> >>>> >> >> >>>> >> taint2: Done processing helper functions for taint.
> >>>> >> >> >>>> >> taint2: Done verifying module. Running...
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> ****************************************************************************
> >>>> >> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> >> >>>> >> ******************************************************************************
> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812336765 : 72a7562e b6cb2a2a 0d36c000
> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
> >>>> >> >> >>>> >> ****************************************************************************
> >>>> >> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> >> >>>> >> ******************************************************************************
> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812337316 : 72a7562e b6cb2e4a 0d36c000
> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
> >>>> >> >> >>>> >> ****************************************************************************
> >>>> >> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> >> >>>> >> ******************************************************************************
> >>>> >> >> >>>> >> READ Match of str 0 at: instr_count=812337331 : 72a7562e b6cb2a2a 0d36c000
> >>>> >> >> >>>> >> tstringsearch: thestring = [passwordisqemu]
> >>>> >> >> >>>> >> tstringsearch: 70 61 73 73 77 6f 72 64 69 73 71 65 6d 75
> >>>> >> >> >>>> >> tstringsearch: string in memory @ 0xa70d6212
> >>>> >> >> >>>> >> ****************************************************************************
> >>>> >> >> >>>> >> applying taint labels to search string of length 14 @ p=0xa70d6212
> >>>> >> >> >>>> >> ******************************************************************************
> >>>> >> >> >>>> >> api414-4-20: 859399601 ( 11.00%) instrs. 658.13 sec. 3.27 GB ram.
> >>>> >> >> >>>> >> api414-4-20: 937474512 ( 12.00%) instrs. 1017.48 sec. 4.70 GB ram.
> >>>> >> >> >>>> >> api414-4-20: 1015597970 ( 13.00%) instrs. 1265.76 sec. 5.58 GB ram.
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> My command line to replay was:
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> arm-softmmu/qemu-system-arm -m 512 -replay api414-4-20 -M android_arm -cpu cortex-a9 -android -kernel /dev/null -pandalog api.log -panda 'stringsearch:name=api;tstringsearch;tainted_instr'
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> From the screenshot you posted earlier, it looks like yours had already failed by this point. If you are still getting a segfault with this replay, could you post:
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> 1. The full command line you are using (as text, not a screenshot)
> >>>> >> >> >>>> >> 2. The full output from PANDA up to the point where the segfault happens (as text, not a screenshot)
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> -Brendan
> >>>> >> >> >>>> >>
> >>>> >> >> >>>> >> On Mon, Apr 20, 2015 at 7:57 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> > i know you are busy.
> >>>> >> >> >>>> >> > I just get stuck in this taint step but have no idea how to fix it... (use core dump to find where it segfaults)
> >>>> >> >> >>>> >> > here is the 512M version:
> >>>> >> >> >>>> >> > http://pan.baidu.com/s/1mgopzIg
> >>>> >> >> >>>> >> > the content of search string .txt is "passwordisqemu"
> >>>> >> >> >>>> >> > thanks!
> >>>> >> >> >>>> >> >
> >>>> >> >> >>>> >> > 2015-04-20 11:32 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >
> >>>> >> >> >>>> >> >> I will try to reproduce from those instructions in the next couple days.
> >>>> >> >> >>>> >> >> Sorry for the delay! Did you post the .rr of the recording with 512M somewhere? I only saw the 2G one.
> >>>> >> >> >>>> >> >>
> >>>> >> >> >>>> >> >> Thanks,
> >>>> >> >> >>>> >> >> Brendan
> >>>> >> >> >>>> >> >>
> >>>> >> >> >>>> >> >> On Mon, Apr 20, 2015 at 8:07 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>
> >>>> >> >> >>>> >> >>> about the taint segfault, if you cannot download that .rr i uploaded before, you can follow these steps to reproduce:
> >>>> >> >> >>>> >> >>> 1) use android studio to create avd, choose api21 target android 5.0.1, use the default size; you can get the cache-img, sdcard.img, data.img and system.img and then copy kernel-qemu & rmdisk.img from sdk/systemimg;
> >>>> >> >> >>>> >> >>> 2) use pandaCovert.py to convert them and get the (cache,data,system)-pandroid.qcow2 as well as kernel and initramfs;
> >>>> >> >> >>>> >> >>> 3) use runpandroid.py (-m 512) to boot emulator; telnet and begin_record
> >>>> >> >> >>>> >> >>> 4) run an app and input a string : end_record;
> >>>> >> >> >>>> >> >>> 5) use qemu-system-arm to replay (-m 512) with the panda plugins: stringsearch,tstringsearch;tainted_instr. (the search string .txt is the string you input)
> >>>> >> >> >>>> >> >>>
> >>>> >> >> >>>> >> >>> do you guys get the segfault ?
> >>>> >> >> >>>> >> >>> how can i fix it?
> >>>> >> >> >>>> >> >>> Thanks a lot!
> >>>> >> >> >>>> >> >>>
> >>>> >> >> >>>> >> >>> 2015-04-20 17:51 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>>> >> >>>>
> >>>> >> >> >>>> >> >>>> excuse me, i have noticed that the ida_taint plugin: "win7 only but other os could be easily added".
> >>>> >> >> >>>> >> >>>> i have installed ida pro in my system (debian), modified the ida_taint.bat with my ida path, when i use it: ./ida_taint.bat name.json qemu-system-arm
> >>>> >> >> >>>> >> >>>> it failed. it seems not available in linux, is it?
> >>>> >> >> >>>> >> >>>> Thanks a lot!
> >>>> >> >> >>>> >> >>>>
> >>>> >> >> >>>> >> >>>> 2015-04-10 21:24 GMT-04:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >>>>
> >>>> >> >> >>>> >> >>>>> Once you have used PANDA's taint system to identify the portions of the code that process the data you're interested in, you will still have to analyze that code to understand how it works. One way to do that might be to use the scissors plugin to extract out the portion of the trace that contains the code you're interested in, and then replay it with QEMU's "-d in_asm -D asmlog.txt" options to get the disassembly for that code.
> >>>> >> >> >>>> >> >>>>>
> >>>> >> >> >>>> >> >>>>> Alternatively, you could take a memory snapshot at some point when the code you want to analyze is in memory (using something like the pmemsave plugin in PANDA), then use Volatility to analyze that memory image to extract out the binary, which you could look at in IDA or something similar.
> >>>> >> >> >>>> >> >>>>>
> >>>> >> >> >>>> >> >>>>> Basically – disassemble the code that handles the data you're interested in and find out how it works. Exactly what that means will depend on what you're hoping to accomplish.
> >>>> >> >> >>>> >> >>>>>
> >>>> >> >> >>>> >> >>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>
> >>>> >> >> >>>> >> >>>>> On Fri, Apr 10, 2015 at 9:07 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>
> >>>> >> >> >>>> >> >>>>>> Hi,
> >>>> >> >> >>>> >> >>>>>> Thanks for your job first.
> >>>> >> >> >>>> >> >>>>>> I am a little confused about the result of the tainted. how can I get enough information about the processing code from the binary? use the gdb?
> >>>> >> >> >>>> >> >>>>>> Thanks!
> >>>> >> >> >>>> >> >>>>>>
> >>>> >> >> >>>> >> >>>>>> 2015-04-10 12:05 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>>> >> >>>>>>>
> >>>> >> >> >>>> >> >>>>>>> Thanks for your guys great work!
> >>>> >> >> >>>> >> >>>>>>> and I will try.
> >>>> >> >> >>>> >> >>>>>>>
> >>>> >> >> >>>> >> >>>>>>> 2015-04-10 11:42 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> Hi,
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> Tim has just updated the tainted_instructions tutorial so that it reflects how things work now. Could you look through that tutorial and see if it helps with your problem?
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> https://github.com/moyix/panda/blob/master/docs/tainted_instructions.md
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> Note that you will probably need to do a "git pull" and rebuild (make clean ; ./build.sh) in order to make sure everything works as it says in the tutorial.
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>> On Thu, Apr 9, 2015 at 9:30 AM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>> Now that the panda taint.md is not fresh, can you guys give me some help?
> >>>> >> >> >>>> >> >>>>>>>>> I use the replay plugin, here is my command and the result.
> >>>> >> >> >>>> >> >>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>> the content of pk_search_strings.txt is: "sdt"
> >>>> >> >> >>>> >> >>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>> I am confused here: in the paper— Repeatable reverse with panda: it is clear that: if I use the stringsearch and taint plugin, when it matches, the taint label will be put and then taint action will start. but when I use it, it seems wrong (the picture showed before): no taint action executes, and i am confused about the tstringsearch's result.
> >>>> >> >> >>>> >> >>>>>>>>> how can i use it to analyze?
> >>>> >> >> >>>> >> >>>>>>>>> Thanks a lot!
> >>>> >> >> >>>> >> >>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>> 2015-04-08 10:14 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>>> >> >>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>> I get the replay file by running runandroid script. and i use qemu-system-arm command just to do some replay work.
> >>>> >> >> >>>> >> >>>>>>>>>> I may not understand you at all in this email. do you mean that i should gdb the original program rather than the record file?
> >>>> >> >> >>>> >> >>>>>>>>>> Thanks
> >>>> >> >> >>>> >> >>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>> 2015-04-08 9:52 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> Hmm. gdb should normally stop when you get a segfault.
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> Are you by any chance running PANDA using the runandroid script? If so, you will need to instead invoke PANDA manually, i.e.:
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> gdb --args arm-softmmu/qemu-system-arm [...]
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> And then once it crashes, type "bt" at the gdb prompt to get a backtrace.
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>> On Tue, Apr 7, 2015 at 9:47 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>> when gdb, it shows:
> >>>> >> >> >>>> >> >>>>>>>>>>>> and then i see the log: it shows segfault:
> >>>> >> >> >>>> >> >>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>> 2015-04-08 9:03 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>> maybe i am wrong.
> >>>> >> >> >>>> >> >>>>>>>>>>>>> i use the command line: "taint2:label_mode=binary,query_outgoing_network=1" and I found that when i use taint2, after it loads panda_taint2.so, it shows: "taint2:instructed not to inline taint ops .success".
> >>>> >> >> >>>> >> >>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>> 2015-04-08 8:54 GMT+08:00 xiaojuan Li <xiaotan6666 at gmail.com>:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>> ok.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 1. I want to use taint plugin to get information about some functions (of course, it is closed-source), so I think I can stringsearch potential data and then taint them and next I can locate the functions which solve these data.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 2. the command line I used is: stringsearch:name=***;taint2:tainted_instructions=1.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>> thanks
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>> 2015-04-08 8:40 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> Could you provide:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> 1. What information you're trying to get
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> 2. The command line you're using to run PANDA with the taint2 plugin
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> ?
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> Right now I believe taint2 does not produce very much output by default. Instead you use the -pandalog <filename> command line option, and taint2 will write its results there in pandalog format; you can then read them using pandalog_reader (see panda/pandalog_reader.c for details on that tool).
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:32 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>> when I tried taint2, it showed the same error with taint1, the only difference is that taint2 has no segfault error, just uninit taint plugin.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>> 2015-04-08 8:28 GMT+08:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> Could you be a little more descriptive about how it failed? Segfault? Error message? Incorrect output?
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>> On Tue, Apr 7, 2015 at 8:27 PM, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> i tried taint2 too, it failed.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> 2015-04-07 5:20 GMT+08:00 Leek, Timothy - 0559 - MITLL <tleek at ll.mit.edu>:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Also note that the “taint” plugin is somewhat defunct. “taint2” is the one we are actively using and developing.
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> --
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Tim Leek
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Technical Staff
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cyber System Assessments
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> MIT Lincoln Laboratory
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> 781-981-2975
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> From: Brendan Dolan-Gavitt <brendandg at gatech.edu>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Date: Monday, April 6, 2015 at 5:18 PM
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> To: xiaojuan Li <xiaotan6666 at gmail.com>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Cc: "panda-users at mit.edu" <panda-users at mit.edu>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Subject: Re: [panda-users] taint segmentation fault
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> Could you run that under gdb and provide us with a backtrace when it crashes?
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> -Brendan
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>> On Sunday, April 5, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Hi,
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> excuse me, i have a question about taint plugin: (stringsearch:name=***;taint:tainted_instructions=1)
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> when I started it showed success:
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> but when it finished search, it showed "uninit taint plugin segmentation fault"
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>>
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> how can I fix it?
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> Thanks a lot!
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> --
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>>>> wait and hope~~
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> _______________________________________________
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> panda-users mailing list
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> panda-users at mit.edu
> >>>> >> >> >>>> >> >>>>>>>>>>>>>>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>
--
wait and hope~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/panda-users/attachments/20150421/608ebd18/attachment-0001.htm
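The thread above turns on two things the replay output reveals: the "N ( P%) instrs. S sec. G GB ram." progress lines that PANDA prints while replaying, and the fact that the taint run was killed once host memory ran out (16 GB in the top message). The script below is an added example, not code from PANDA or from anyone in the thread: it parses those progress lines, estimates the total instruction count of the recording from the percentage, and extrapolates, under an assumed linear growth of resident memory per percent of replay, at what point a given memory limit would be hit. The line format is taken from the lines quoted in the thread; the sample lines are the three printed for api414-4-20 above; the linear extrapolation is a first-order early-warning heuristic and is my assumption, not anything PANDA guarantees (the 256M run at the top of this message grows much more slowly late in the replay).

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the three progress lines quoted in the thread
# for the api414-4-20 replay (copied from the mail, not generated here).
SAMPLE_PROGRESS = """\
api414-4-20: 859399601 ( 11.00%) instrs. 658.13 sec. 3.27 GB ram.
api414-4-20: 937474512 ( 12.00%) instrs. 1017.48 sec. 4.70 GB ram.
api414-4-20: 1015597970 ( 13.00%) instrs. 1265.76 sec. 5.58 GB ram.
"""

# Format of PANDA's replay progress line, as seen in the thread:
#   <replay name>: <instrs> ( <pct>%) instrs. <sec> sec. <gb> GB ram.
PROGRESS_RE = re.compile(
    r"^(?P<name>\S+): (?P<instrs>\d+) \(\s*(?P<pct>\d+(?:\.\d+)?)%\) instrs\. "
    r"(?P<sec>\d+(?:\.\d+)?) sec\. (?P<gb>\d+(?:\.\d+)?) GB ram\.$"
)


def parse_progress(text: str) -> List[Dict[str, float]]:
    """Return one dict per progress line; other lines (banners, tstringsearch
    output, mail quoting) are ignored."""
    rows = []
    for line in text.splitlines():
        m = PROGRESS_RE.match(line.strip().lstrip("> "))
        if m:
            rows.append({
                "name": m.group("name"),
                "instrs": int(m.group("instrs")),
                "pct": float(m.group("pct")),
                "sec": float(m.group("sec")),
                "gb": float(m.group("gb")),
            })
    return rows


def estimate_total_instrs(rows: List[Dict[str, float]]) -> Optional[float]:
    """Total instruction count of the recording implied by the latest line
    (instrs / fraction complete)."""
    if not rows or rows[-1]["pct"] <= 0:
        return None
    return rows[-1]["instrs"] / (rows[-1]["pct"] / 100.0)


def ram_growth_per_pct(rows: List[Dict[str, float]]) -> Optional[float]:
    """GB of resident memory added per percent of replay, first line to last.
    Assumption: growth is roughly linear over the sampled window."""
    if len(rows) < 2:
        return None
    dpct = rows[-1]["pct"] - rows[0]["pct"]
    if dpct <= 0:
        return None
    return (rows[-1]["gb"] - rows[0]["gb"]) / dpct


def pct_when_limit_hit(rows: List[Dict[str, float]], limit_gb: float) -> Optional[float]:
    """Replay percentage at which resident memory would reach limit_gb if the
    observed growth rate continued; None if it is not growing or no data."""
    slope = ram_growth_per_pct(rows)
    if slope is None or slope <= 0:
        return None
    last = rows[-1]
    if last["gb"] >= limit_gb:
        return last["pct"]
    return last["pct"] + (limit_gb - last["gb"]) / slope


def will_finish_within(rows: List[Dict[str, float]], limit_gb: float) -> bool:
    """True if the linear projection keeps the replay under limit_gb through 100%."""
    hit = pct_when_limit_hit(rows, limit_gb)
    return hit is None or hit > 100.0


if __name__ == "__main__":
    rows = parse_progress(SAMPLE_PROGRESS)
    print("samples parsed:", len(rows))
    print("estimated total instrs: %.0f" % estimate_total_instrs(rows))
    print("RAM growth: %.2f GB per percent" % ram_growth_per_pct(rows))
    for limit in (8.0, 16.0):
        print("limit %.0f GB hit at ~%.1f%% of replay" % (limit, pct_when_limit_hit(rows, limit)))
```

Run it against the full replay output (the noisy tstringsearch and banner lines are skipped by the regex) to see early whether a taint replay is on course to exceed the host's memory before it completes; the thread's 16 GB host is projected to run out at roughly 22% of this replay on the sampled growth rate, which is why the replay was killed rather than crashing in the plugin.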