[panda-users] [panda] file_taint crash r-18-06

Brendan Dolan-Gavitt brendandg at nyu.edu
Mon Mar 11 23:09:58 EDT 2019


Can you try adding the argument first_instr=1 to file_taint? It looks
like you're hitting this bug:

https://github.com/panda-re/panda/issues/269

Basically, right now taint is being turned on before the virtual CPU
or RAM have been created by QEMU. Adding first_instr=1 will delay
turning on taint until it's actually ready to run code.


On Mon, Mar 11, 2019 at 6:05 PM Eric Lahtinen <elahtinen at csail.mit.edu> wrote:
>
> I am getting a crash when I attempt to use file_taint.
>
> Host:
>
> Linux ubuntu 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
>
> Capture Command:
>
> ~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -hda ubuntu-16.04-server-cloudimg-i386-disk1.img -drive file=my-seed.img,if=virtio -device e1000,netdev=user.0 -netdev user,id=user.0,hostfwd=tcp::5555-:22
>
>
> Replay Command:
> ~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -drive file=my-seed.img,if=virtio -replay test32 -os linux-32-4.4.0-142-generic -panda osi -panda osi_linux:kconf_group=4.4.0-142-generic:32 -panda file_taint:filename=test32.txt
>
> Output:
>
> os_familyno=2 bits=32 os_details=[4.4.0-142-generic]
> PANDA[osi_linux] - adding argument kconf_group=4.4.0-142-generic:32.
> PANDA[file_taint] - adding argument filename=test32.txt.
> Initializing plugin osi
> Looking for kconffile in /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf
> OSI grabbing Linux introspection backend.
> Linux OSI, using group 4.4.0-142-generic:32 from /home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf.
> panda_require: osi_linux
> Initializing plugin osi_linux
> INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): Read kernel info from group "4.4.0-142-generic:32" of file "/home/haccs/build-panda/i386-softmmu/panda/plugins/osi_linux/kernelinfo.conf".
> INFO(/home/haccs/panda/panda/plugins/osi_linux/osi_linux.cpp:init_plugin): osi_linux initialization complete.
> panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded
> Initializing plugin file_taint
> taint_filename = [test32.txt]
> positional_labels = 0
> no_taint = 0
> end_label = 1000000
> first_instr = 0
> panda_require: osi
> panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi.so already loaded
> panda_require: syscalls2
> Initializing plugin syscalls2
> syscalls2: using profile for linux x86 32-bit
> panda_require: osi_linux
> panda_load_plugin: /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_osi_linux.so already loaded
> panda_require: taint2
> Initializing plugin taint2
> taint2: Propagating taint through pointer dereference ENABLED
> taint2: taint ops inlining DISABLED
> panda_require: callstack_instr
> Initializing plugin callstack_instr
> taint2: taint2_enable_taint
> taint2: Allocating small fast_shad (0 bytes) using malloc @ 55f913a1fbe0.
> taint2: Allocating small fast_shad (12800000 bytes) using malloc @ 7fd16c537010.
> taint2: Allocating small fast_shad (256 bytes) using malloc @ 55f9139b0800.
> taint2: Allocating small fast_shad (512 bytes) using malloc @ 55f912f179e0.
> taint2: Allocating small fast_shad (656384 bytes) using malloc @ 7fd16c496010.
> taint2: LLVM optimizations DISABLED
> taint2: Linking taint ops from /home/haccs/build-panda/i386-softmmu/panda/plugins/panda_taint2_ops.bc
> taint2: Done initializing taint transformation.
> Segmentation fault (core dumped)
>
>
> In particular, the crash is in llvm_taint_lib.cpp:
>
> void PandaTaintVisitor::insertStateOp(Instruction &I) {
> ...
>        vector<Value *> args{
>            const_uint64_ptr(ctx, first_cpu->env_ptr), ptrToInt(ptr, I),
>            llvConst, constSlot(val), grvConst, gsvConst,
>            const_uint64(ctx, size), const_uint64(ctx, sizeof(target_ulong)),
>            ConstantInt::get(llvm::Type::getInt1Ty(ctx), isStore)
>        };
>        inlineCallAfter(I, hostCopyF, args);
>
>
>
> Poking around a little, it appears that macro first_cpu is NULL right now, but I can't figure out how it is supposed to be set.
>
> Thanks!
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users



--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
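A small wrapper for the work-around described above, added here as an example and not part of the thread or of PANDA itself: it appends first_instr=1 to the file_taint plugin spec unless the caller already set it, and it checks a PANDA log for the symptom of taint being enabled at instruction 0 before the virtual CPU exists. It assumes PANDA's `-panda plugin:key=val,key=val` argument syntax; the record name test32, the file test32.txt and the log lines are taken from the thread, and the log excerpt is constructed.

```shell
#!/bin/sh
# Added example (not PANDA's own code). Work-around for panda-re/panda issue 269:
# make sure file_taint is started with first_instr=1 so taint2 is enabled only
# once QEMU has created the virtual CPU and RAM.

# Print the plugin spec with first_instr=1 appended, unless the caller already
# chose a first_instr value (any explicit value is left untouched).
with_first_instr() {
    case "$1" in
        *first_instr=*) printf '%s\n' "$1" ;;               # already set, keep it
        *:*)            printf '%s,first_instr=1\n' "$1" ;;  # spec already has args
        *)              printf '%s:first_instr=1\n' "$1" ;;  # bare plugin name
    esac
}

# Exit status 0 when the log shows file_taint reporting first_instr = 0 and
# taint2 being switched on, i.e. the configuration that crashed in the thread.
taint_enabled_too_early() {
    grep -q '^first_instr = 0$' "$1" && grep -q 'taint2_enable_taint' "$1"
}

# Constructed log excerpt mirroring the output posted in the thread.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Initializing plugin file_taint
taint_filename = [test32.txt]
first_instr = 0
taint2: taint2_enable_taint
Segmentation fault (core dumped)
EOF

if taint_enabled_too_early "$SAMPLE_LOG"; then
    echo "taint was enabled before the virtual CPU existed; add first_instr=1"
fi
rm -f "$SAMPLE_LOG"

# Emit the corrected replay command from the thread (paths as posted).
FILE_TAINT=$(with_first_instr 'file_taint:filename=test32.txt')
echo "~/build-panda/i386-softmmu/qemu-system-i386 -m 512 -drive file=my-seed.img,if=virtio \\"
echo "  -replay test32 -os linux-32-4.4.0-142-generic -panda osi \\"
echo "  -panda osi_linux:kconf_group=4.4.0-142-generic:32 -panda '$FILE_TAINT'"
```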
