[panda-users] [panda] file_taint crash r-18-06

Eric Lahtinen elahtinen at csail.mit.edu
Mon Mar 11 18:05:05 EDT 2019


I am getting a crash when I attempt to use file_taint.

Host:
Linux ubuntu 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Capture Command:
~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -hda ubuntu-16.04-server-cloudimg-i386-disk1.img -drive file=my-seed.img,if=virtio -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::5555-:22

Replay Command:
~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -drive file=my-seed.img,if=virtio -replay test32 -os linux-32-4.4.0-142-generic -panda osi -panda osi_linux:kconf_group=4.4.0-142-generic:32 -panda file_taint:filename=test32.txt

Output:

os_familyno=2 bits=32 os_details=[4.4.0-142-generic]
PANDA[osi_linux] - adding argument kconf_group=4.4.0-142-generic:32.
PANDA[file_taint] - adding argument filename=test32.txt.
Initializing plugin osi
Looking for kconffile in /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
OSI grabbing Linux introspection backend.
Linux OSI, using group 4.4.0-142-generic:32 from /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
panda_require: osi_linux
Initializing plugin osi_linux
INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): Read kernel info from group "4.4.0-142-generic:32" of file "/home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf".
INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): osi_linux initialization complete.
panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded
Initializing plugin file_taint
taint_filename = [test32.txt]
positional_labels = 0
no_taint = 0
end_label = 1000000
first_instr = 0 
panda_require: osi
panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi.so already loaded
panda_require: syscalls2
Initializing plugin syscalls2
syscalls2: using profile for linux x86 32-bit
panda_require: osi_linux
panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded
panda_require: taint2
Initializing plugin taint2
taint2: Propagating taint through pointer dereference ENABLED
taint2: taint ops inlining DISABLED
panda_require: callstack_instr
Initializing plugin callstack_instr
taint2: taint2_enable_taint
taint2: Allocating small fast_shad (0 bytes) using malloc @ 55f913a1fbe0.
taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fd16c537010.
taint2: Allocating small fast_shad (256 bytes) using malloc @ 55f9139b0800.
taint2: Allocating small fast_shad (512 bytes) using malloc @ 55f912f179e0.
taint2: Allocating small fast_shad (656384 bytes) using malloc @ 7fd16c496010.
taint2: LLVM optimizations DISABLED
taint2: Linking taint ops from /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_taint2_ops.bc
taint2: Done initializing taint transformation.
Segmentation fault (core dumped)

In particular, the crash is in llvm_taint_lib.cpp:

void PandaTaintVisitor::insertStateOp(Instruction &I) {
    ...
    vector<Value *> args{
        const_uint64_ptr(ctx, first_cpu->env_ptr), ptrToInt(ptr, I),
        llvConst, constSlot(val), grvConst, gsvConst,
        const_uint64(ctx, size), const_uint64(ctx, sizeof(target_ulong)),
        ConstantInt::get(llvm::Type::getInt1Ty(ctx), isStore)
    };
    inlineCallAfter(I, hostCopyF, args);

Poking around a little, it appears that the macro first_cpu is NULL right now, but I can't figure out how it is supposed to be set.

Thanks!