This repository has been archived by the owner on May 18, 2022. It is now read-only.

SimMemoryLimitError in puts #86

Open
Manouchehri opened this issue Feb 3, 2017 · 2 comments

Comments

@Manouchehri

puts will look as far ahead as it can for the null byte
I'm concerned that the default settings cause it to error like that; I'd consider that a bug.

nitro:catalyst dave$ ipython
Python 2.7.13 (default, Dec 18 2016, 07:03:39)
Type "copyright", "credits" or "license" for more information.

IPython 5.1.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import angr

In [2]: proj = angr.Project('catalyst', load_options={"auto_load_libs": False})

In [3]: path_group = proj.factory.path_group()

In [4]: path_group.explore()
Out[4]: <PathGroup with 1 errored>

In [5]: list(path_group.errored[0].trace)
Out[5]:
['<IRSB from 0x400780: 1 sat>',
 '<SimProcedure __libc_start_main from 0x1000040: 1 sat>',
 '<IRSB from 0x400fc0: 1 sat>',
 '<IRSB from 0x400690: 1 sat 1 unsat>',
 '<IRSB from 0x4006a2: 1 sat>',
 '<IRSB from 0x400ff1: 1 sat 1 unsat>',
 '<IRSB from 0x400ff6: 1 sat>',
 '<IRSB from 0x400850: 1 sat 1 unsat>',
 '<IRSB from 0x40085b: 1 sat>',
 '<IRSB from 0x4007f0: 1 sat 1 unsat>',
 '<IRSB from 0x400828: 1 sat>',
 '<IRSB from 0x40100d: 1 sat 1 unsat>',
 '<IRSB from 0x401016: 1 sat>',
 '<SimProcedure __libc_start_main from 0x1000050: 1 sat>',
 '<IRSB from 0x400d93: 1 sat>',
 '<IRSB from 0x400720: 1 sat>',
 '<SimProcedure malloc from 0x1000000: 1 sat>',
 '<IRSB from 0x400da5: 1 sat>',
 '<IRSB from 0x400720: 1 sat>',
 '<SimProcedure malloc from 0x1000000: 1 sat>',
 '<IRSB from 0x400db3: 1 sat>',
 '<IRSB from 0x400710: 1 sat>',
 '<SimProcedure ReturnUnconstrained from 0x10000d0: 1 sat>',
 '<IRSB from 0x400dc1: 1 sat>',
 '<IRSB from 0x400700: 1 sat>',
 '<SimProcedure ReturnUnconstrained from 0x10000c0: 1 sat>',
 '<IRSB from 0x400dc8: 1 sat>',
 '<IRSB from 0x4006d0: 1 sat>']

In [6]: path_group.errored[0]
Out[6]: <Errored Path with 28 runs (at 0x1000010, SimMemoryLimitError)>

In [7]: proj._sim_procedures
Out[7]:
{16777216: <Hook for malloc>,
 16777232: <Hook for puts>,
 16777248: <Hook for __isoc99_scanf>,
 16777264: <Hook for exit>,
 16777280: <Hook for __libc_start_main>,
 16777296: <Hook for __libc_start_main (continuation)>,
 16777312: <Hook for printf>,
 16777328: <Hook for putchar>,
 16777344: <Hook for fflush>,
 16777360: <Hook for strlen>,
 16777376: <Hook for sleep>,
 16777392: <Hook for ReturnUnconstrained (resolves rand) (1 arg)>,
 16777408: <Hook for ReturnUnconstrained (resolves srand) (1 arg)>,
 16777424: <Hook for ReturnUnconstrained (resolves time) (1 arg)>,
 16777440: <Hook for CallReturn>,
 16777456: <Hook for LinuxLoader (1 arg)>,
 16777472: <Hook for _dl_rtld_lock_recursive>,
 16777488: <Hook for _dl_rtld_unlock_recursive>,
 16777504: <Hook for _vsyscall>,
 16777520: <Hook for LinuxLoader (1 arg) (continuation)>}

int sub_400d93() {
    var_10 = malloc(0x3e8);
    var_18 = malloc(0x3e8);
    rax = time(0x0);
    rax = srand(LODWORD(rax));
    rax = puts(0x401088);
    rax = puts(0x401160);
    rax = puts(0x401258);
    rax = puts(0x401348);
    rax = puts(0x4013e0);
    rax = puts(0x4014a8);
    rax = puts(0x401570);
    rax = puts(0x401348);
    rax = puts(0x401638);
    rax = puts(0x401708);
    rax = puts(0x4017e0);
    rax = puts(0x401890);
    LODWORD(rax) = 0x0;
    rax = printf("Loading");
    rax = *stdout;
    rax = fflush(rax);
    var_4 = 0x0;
    rax = putchar(0xa);
    LODWORD(rax) = 0x0;
    rax = printf("Username: ");
    LODWORD(rax) = 0x0;
    rax = __isoc99_scanf(0x4018c3, var_10);
    LODWORD(rax) = 0x0;
    rax = printf(0x4018c6);
    LODWORD(rax) = 0x0;
    rax = __isoc99_scanf(0x4018c3, var_18);
    LODWORD(rax) = 0x0;
    rax = printf("Logging in");
    rax = *stdout;
    rax = fflush(rax);
    var_8 = 0x0;
    rax = putchar(0xa);
    rax = sub_400c9a(var_10);
    rax = sub_400cdd(var_10);
    rax = sub_4008f7(var_10);
    rax = sub_400977(var_10, var_18);
    rax = sub_400876(var_10, var_18);
    LODWORD(rax) = 0x0;
    return 0x0;
}

┌ (fcn) main 335
│   main ();
           ; var int local_18h @ rbp-0x18
           ; var int local_10h @ rbp-0x10
           ; var int local_4h @ rbp-0x4
              ; DATA XREF from 0x0040079d (entry0)
0x00400d93      55             push rbp
0x00400d94      4889e5         rbp = rsp
0x00400d97      4883ec20       rsp -= 0x20
0x00400d9b      bfe8030000     edi = 0x3e8                 ; size_t size
0x00400da0      e87bf9ffff     sym.imp.malloc ()          ;  void *malloc(size_t size)
0x00400da5      488945f0       qword [rbp - local_10h] = rax
0x00400da9      bfe8030000     edi = 0x3e8                 ; size_t size
0x00400dae      e86df9ffff     sym.imp.malloc ()          ;  void *malloc(size_t size)
0x00400db3      488945e8       qword [rbp - local_18h] = rax
0x00400db7      bf00000000     edi = 0                     ; time_t *timer
0x00400dbc      e84ff9ffff     sym.imp.time ()            ; time_t time(time_t *timer)
0x00400dc1      89c7           edi = eax                   ; int seed
0x00400dc3      e838f9ffff     sym.imp.srand ()           ; void srand(int seed)
0x00400dc8      bf88104000     edi = 0x401088              ; const char * s
0x00400dcd      e8fef8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400dd2      bf60114000     edi = str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400dd7      e8f4f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400ddc      bf58124000     edi = str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400de1      e8eaf8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400de6      bf48134000     edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
0x00400deb      e8e0f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400df0      bfe0134000     edi = 0x4013e0              ; const char * s
0x00400df5      e8d6f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400dfa      bfa8144000     edi = str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400dff      e8ccf8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e04      bf70154000     edi = str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400e09      e8c2f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e0e      bf48134000     edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
0x00400e13      e8b8f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e18      bf38164000     edi = str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400e1d      e8aef8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e22      bf08174000     edi = str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400e27      e8a4f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e2c      bfe0174000     edi = str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
0x00400e31      e89af8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e36      bf90184000     edi = str._e_0mWelcome_to_Catalyst_systems ; str._e_0mWelcome_to_Catalyst_systems ; const char * s
0x00400e3b      e890f8ffff     sym.imp.puts ()            ; int puts(const char *s)
0x00400e40      bfb0184000     edi = str.Loading           ; "Loading" @ 0x4018b0 ; const char * format
0x00400e45      b800000000     eax = 0
0x00400e4a      e8a1f8ffff     sym.imp.printf ()          ; int printf(const char *format)
0x00400e4f      488b05721220.  rax = qword [obj.stdout]    ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
0x00400e56      4889c7         rdi = rax                   ; FILE *stream
0x00400e59      e8d2f8ffff     sym.imp.fflush ()          ; int fflush(FILE *stream)
0x00400e5e      c745fc000000.  dword [rbp - local_4h] = 0
└       ┌─< 0x00400e65      eb44           goto loc.00400eab
├ loc.00400eab 123
│   loc.00400eab ();
           ; var int local_18h @ rbp-0x18
           ; var int local_10h @ rbp-0x10
           ; var int local_8h @ rbp-0x8
              ; JMP XREF from 0x00400e65 (main)
0x00400eab      bf0a000000     edi = 0xa                   ; size_t size
0x00400eb0      e80bf8ffff     sym.imp.putchar ()         ; sym.imp.malloc-0x60;  void *malloc(size_t size)
0x00400eb5      bfb8184000     edi = str.Username:         ; "Username: " @ 0x4018b8 ; const char * format
0x00400eba      b800000000     eax = 0
0x00400ebf      e82cf8ffff     sym.imp.printf ()          ; int printf(const char *format)
0x00400ec4      488b45f0       rax = qword [rbp - local_10h]
0x00400ec8      4889c6         rsi = rax
0x00400ecb      bfc3184000     edi = 0x4018c3              ; const char * format
0x00400ed0      b800000000     eax = 0
0x00400ed5      e866f8ffff     sym.imp.__isoc99_scanf ()  ; int scanf(const char *format)
0x00400eda      bfc6184000     edi = str.Password:         ; "Password: " @ 0x4018c6 ; const char * format
0x00400edf      b800000000     eax = 0
0x00400ee4      e807f8ffff     sym.imp.printf ()          ; int printf(const char *format)
0x00400ee9      488b45e8       rax = qword [rbp - local_18h]
0x00400eed      4889c6         rsi = rax
0x00400ef0      bfc3184000     edi = 0x4018c3              ; const char * format
0x00400ef5      b800000000     eax = 0
0x00400efa      e841f8ffff     sym.imp.__isoc99_scanf ()  ; int scanf(const char *format)
0x00400eff      bfd1184000     edi = str.Logging_in        ; "Logging in" @ 0x4018d1 ; const char * format
0x00400f04      b800000000     eax = 0
0x00400f09      e8e2f7ffff     sym.imp.printf ()          ; int printf(const char *format)
0x00400f0e      488b05b31120.  rax = qword [obj.stdout]    ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
0x00400f15      4889c7         rdi = rax                   ; FILE *stream
0x00400f18      e813f8ffff     sym.imp.fflush ()          ; int fflush(FILE *stream)
0x00400f1d      c745f8000000.  dword [rbp - local_8h] = 0
└       ┌─< 0x00400f24      eb3e           goto loc.00400f64
@Manouchehri

Fish wasn't able to reproduce this issue.

Will reopen after I confirm if it's not just my system.

@Manouchehri

Manouchehri commented Feb 4, 2017

Reopening, reproducible on a different VM (new install with angr-dev's setup.sh).

(angr) dave@xen16:~/angr-doc/examples/catalyst# python solve.py 
WARNING | 2017-02-03 20:13:52,705 | angr.project | Re-hooking symbol puts
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol putchar
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol printf
Python 2.7.13 (default, Dec 18 2016, 20:19:42) 
Type "copyright", "credits" or "license" for more information.

IPython 5.2.2 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: path_group
Out[1]: <PathGroup with 1 errored>

In [2]: path_group.errored
Out[2]: [<Errored Path with 16 runs (at 0x1000020, SimMemoryLimitError)>]

In [3]: e.debug() # e = path_group.errored[0]

You are currently into an embedded ipython shell,
the configuration will not be loaded.

> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(323)_resolve_size_range()
    322             if i > self._maximum_concrete_size:
--> 323                 raise SimMemoryLimitError("Concrete size %d outside of allowable limits" % i)
    324             return i, i

ipdb> up
> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(488)_load()
    487         # for now, we always load the maximum size
--> 488         _,max_size = self._resolve_size_range(size)
    489         if options.ABSTRACT_MEMORY not in self.state.options and self.state.se.symbolic(size):

ipdb> up
> /root/angr-dev/simuvex/simuvex/storage/memory.py(715)load()
    714 
--> 715         a,r,c = self._load(addr_e, size_e, condition=condition_e, fallback=fallback_e)
    716         add_constraints = self.state._inspect_getattr('address_concretization_add_constraints', add_constraints)

ipdb> up
> /root/angr-dev/simuvex/simuvex/s_format.py(429)_parse()
    428 
--> 429         fmt_xpr = self.state.memory.load(fmtstr_ptr, length)
    430 

ipdb> print fmtstr_ptr
<SAO <BV64 0x401088>>

Manouchehri reopened this Feb 4, 2017
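The failure the thread describes, modelled as an added example that is not part of the original issue and is not angr or simuvex code. The traceback above shows a single concrete load of `length` bytes from the `puts` format-string pointer being rejected by `_resolve_size_range()` once it exceeds `_maximum_concrete_size`. The model below reproduces that shape with a hypothetical `BoundedMemory` backend and contrasts two ways a puts-style procedure can find the terminating NUL: one oversized load followed by a search, and a bounded chunked scan. `BoundedMemory`, `naive_strlen`, `chunked_strlen`, the limit values and the banner bytes are all constructed for the example; the real simuvex defaults are not represented.

```python
"""Model of the failure reported in this thread, written as an added,
stand-alone example. None of this is angr or simuvex code: BoundedMemory,
naive_strlen, chunked_strlen and the numbers below are hypothetical, and the
banner bytes are constructed to stand in for the long colour banner the
binary passes to puts().
"""


class SimMemoryLimitError(Exception):
    """Same name as in the traceback; this reimplementation is hypothetical."""


class BoundedMemory:
    """Flat byte store that refuses any single concrete load larger than a
    fixed limit, the check the traceback shows in _resolve_size_range()."""

    def __init__(self, data: bytes, base: int, maximum_concrete_size: int):
        self._data = data
        self._base = base
        self._max = maximum_concrete_size

    def load(self, addr: int, size: int) -> bytes:
        if size > self._max:
            raise SimMemoryLimitError(
                "Concrete size %d outside of allowable limits" % size)
        off = addr - self._base
        if off < 0 or off + size > len(self._data):
            raise ValueError("load touches unmapped memory")
        return self._data[off:off + size]


def naive_strlen(mem: BoundedMemory, addr: int, max_len: int) -> int:
    """Load max_len bytes in one request and search them: the request size
    is decided before looking at memory, so it trips the limit whenever
    max_len exceeds it, however short the string really is."""
    buf = mem.load(addr, max_len)
    nul = buf.find(b"\x00")
    return nul if nul >= 0 else max_len


def chunked_strlen(mem: BoundedMemory, addr: int, max_len: int, chunk: int) -> int:
    """Scan forward one chunk at a time. No single load exceeds `chunk`, and
    the scan still stops at max_len, so an unterminated buffer cannot make
    it read without bound (it returns max_len in that case)."""
    scanned = 0
    while scanned < max_len:
        n = min(chunk, max_len - scanned)
        nul = mem.load(addr + scanned, n).find(b"\x00")
        if nul >= 0:
            return scanned + nul
        scanned += n
    return max_len


# Hypothetical parameters, chosen small so the failure is easy to see.
BASE = 0x401088        # address of the first puts() argument in the thread
LIMIT = 0x100          # maximum concrete load size of the model
MAX_STR_LEN = 0x1000   # how far a puts-style procedure is willing to look
CHUNK = 0x40           # per-load size used by the chunked scan
REGION = 0x2000        # bytes mapped at BASE

# Constructed stand-in for the banner: an ANSI colour escape, 300 bytes of
# text, then the terminator, so the real length is 305.
BANNER = b"\x1b[33m" + b"#" * 300 + b"\x00"


def make_memory(payload: bytes) -> BoundedMemory:
    """Map `payload` at BASE, zero-filled up to REGION bytes."""
    return BoundedMemory(payload.ljust(REGION, b"\x00"), BASE, LIMIT)


def demo():
    """Run both scans on the banner and the chunked scan on an unterminated
    buffer; returns (naive outcome, banner length, unterminated length)."""
    mem = make_memory(BANNER)
    try:
        naive = "ok: %d" % naive_strlen(mem, BASE, MAX_STR_LEN)
    except SimMemoryLimitError as e:
        naive = "error: %s" % e
    terminated = chunked_strlen(mem, BASE, MAX_STR_LEN, CHUNK)
    unterminated = chunked_strlen(make_memory(b"A" * REGION), BASE, MAX_STR_LEN, CHUNK)
    return naive, terminated, unterminated


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two outcomes side by side: the single oversized load raises the same "Concrete size ... outside of allowable limits" message as the traceback even though the banner is only 305 bytes long, while the chunked scan finds the terminator at 305 and, for a buffer with no terminator at all, stops at `MAX_STR_LEN` instead of reading on. Capping the naive load at the limit instead (`naive_strlen(mem, BASE, LIMIT)`) avoids the exception but silently reports 256, which is the other way a bounded scan can go wrong.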