Markakd / GREBE


Some bitcode files are not generated when building the kernel with customized llvm. #7

Closed DarkBoulder closed 1 year ago

DarkBoulder commented 1 year ago

I am trying to analyze this crash: https://syzkaller.appspot.com/bug?id=bdeea91ae259b3a42aa8ed8d8c91afd871eb5d80, and I compiled clang with your patch. However, when I compiled the Linux kernel with the command

make CC="/path/to/clang/" -j64

, I didn't get bitcode files for all the .c files, and the missing bitcode files are needed. The error messages are as follows:

executing ~/GREBE/analyzer/build/lib/analyzer --crash-report=./case/report --call-graph=./case/report_cg.txt ./case/linux-bitcode/lib/list_debug.c.bc ./case/linux-bitcode/crypto/algapi.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/algboss.c.bc ./case/linux-bitcode/kernel/kthread.c.bc ./case/linux-bitcode/arch/x86/entry/entry_64.S.bc 

Total 7 file(s)
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/lib/list_debug.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/arch/x86/entry/entry_64.S.bc'
inserting __list_del_entry_valid __list_del_entry
inserting __list_del_entry list_del
inserting list_del crypto_drop_spawn
inserting crypto_drop_spawn crypto_drop_aead
inserting crypto_drop_aead pcrypt_create_aead
inserting pcrypt_create_aead pcrypt_create
inserting pcrypt_create cryptomgr_probe
inserting cryptomgr_probe kthread
inserting kthread ret_from_fork
Here is the crash location __list_del_entry_valid lib/list_debug.c:51 explicit checking? 1
analyzer: /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed.
 #0 0x00000000005d57ff llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d57ff)
 #1 0x00000000005d3a82 llvm::sys::RunSignalHandlers() (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d3a82)
 #2 0x00000000005d6075 SignalHandler(int) (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d6075)
 #3 0x00007ff1fd922420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #4 0x00007ff1fd41100b raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #5 0x00007ff1fd3f0859 abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:81:7
 #6 0x00007ff1fd3f0729 get_sysdep_segment_value /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:509:8
 #7 0x00007ff1fd3f0729 _nl_load_domain /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:970:34
 #8 0x00007ff1fd401fd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
 #9 0x0000000000563d83 CrashAnalyzer::dump(llvm::StringRef) /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:0:5
#10 0x0000000000563b78 CrashAnalyzer::dump() /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:233:1
#11 0x000000000052e50a main /home/ws/GREBE/analyzer/src/lib/KAMain.cc:269:16
#12 0x00007ff1fd3f2083 __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#13 0x000000000052c95e _start (/home/ws/GREBE/analyzer/build/lib/analyzer+0x52c95e)
Stack dump:
0.  Program arguments: /home/ws/GREBE/analyzer/build/lib/analyzer --crash-report=./case/report --call-graph=./case/report_cg.txt ./case/linux-bitcode/lib/list_debug.c.bc ./case/linux-bitcode/crypto/algapi.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/algboss.c.bc ./case/linux-bitcode/kernel/kthread.c.bc ./case/linux-bitcode/arch/x86/entry/entry_64.S.bc 
Aborted (core dumped)
Traceback (most recent call last):
  File "run_analyze.py", line 68, in <module>
    run_case(sys.argv[1])
  File "run_analyze.py", line 65, in run_case
    shutil.copyfile("/tmp/ca_result", case_path+"/sts.txt")
  File "/usr/lib/python3.8/shutil.py", line 264, in copyfile
    with open(src, 'rb') as fsrc, open(dst, 'wb') as fdst:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ca_result'

So is my kernel compile command wrong?

DarkBoulder commented 1 year ago

It seems like the command

make allyesconfig

could fully compile all Linux kernel .c files and generate bitcode files.
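
The analyzer runs above abort on "error loading file" for several .bc paths before any analysis happens, and the second run shows the only path that still fails after an allyesconfig build is arch/x86/entry/entry_64.S.bc (an assembly source, for which no LLVM bitcode is emitted). The following script is an added example, not part of GREBE or of this thread: it audits a kernel build tree for compiled objects that have no sibling <file>.c.bc, flags .bc files that do not start with the raw LLVM bitcode magic (the bytes "BC" 0xC0 0xDE), and pre-checks an analyzer argument list before the analyzer is invoked. It assumes the patched clang writes <file>.c.bc next to each <file>.o, as the paths in the analyzer invocations suggest; the fixture it builds is a constructed fake tree, not a real kernel.

```shell
#!/bin/sh
# Added example (not GREBE code): audit a kernel build tree for missing or
# malformed per-file bitcode before handing the .bc list to the analyzer.
# Assumption: the patched clang writes <file>.c.bc beside each <file>.o.

# Return 0 if the file is non-empty and starts with the raw LLVM bitcode
# magic bytes 0x42 0x43 0xC0 0xDE ("BC\xC0\xDE").
is_bitcode() {
    [ -s "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4243c0de" ]
}

# Print each compiled .o under the tree $1 whose sibling .c.bc is missing
# (MISSING) or does not look like bitcode (BAD). Objects without a .c source
# beside them (assembly such as entry_64.S, linked objects) are skipped: no
# bitcode is produced for them, which is why entry_64.S.bc never loads.
find_missing_bitcode() {
    tree=$1
    find "$tree" -name '*.o' | sort | while read -r obj; do
        base=${obj%.o}
        [ -f "$base.c" ] || continue
        bc="$base.c.bc"
        if [ ! -f "$bc" ]; then
            echo "MISSING  $bc"
        elif ! is_bitcode "$bc"; then
            echo "BAD      $bc"
        fi
    done
}

# Given the analyzer's argument list, report every .bc argument that the
# analyzer would refuse to load, so the run can be fixed before it aborts.
check_analyzer_args() {
    for arg in "$@"; do
        case $arg in
            *.bc)
                if ! is_bitcode "$arg"; then
                    echo "cannot load: $arg"
                fi ;;
        esac
    done
}

# Constructed fixture (not a real kernel tree): one object with no .bc, one
# with valid magic, one with garbage instead of bitcode, one assembly object.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/crypto" "$d/arch/x86/entry"
    : > "$d/lib/list_debug.c";  : > "$d/lib/list_debug.o"      # compiled, no .bc
    : > "$d/crypto/algapi.c";   : > "$d/crypto/algapi.o"
    printf 'BC\300\336' > "$d/crypto/algapi.c.bc"               # valid magic
    : > "$d/crypto/pcrypt.c";   : > "$d/crypto/pcrypt.o"
    printf 'not bitcode' > "$d/crypto/pcrypt.c.bc"              # garbage
    : > "$d/arch/x86/entry/entry_64.o"                          # from .S, no .c
    echo "$d"
}

# Usage: sh check_bitcode.sh /path/to/linux
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    find_missing_bitcode "$1"
fi
```

Run it against the kernel tree before building the analyzer command line; any MISSING entry points at a .c file that the patched clang did not emit bitcode for, and a BAD entry usually means a truncated or overwritten output from a partial rebuild. Passing the analyzer's .bc arguments through check_analyzer_args catches the "error loading file" cases up front, leaving only genuine analysis failures such as the taint-source assertion to investigate.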

DarkBoulder commented 1 year ago

Now I have another problem:

executing /home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer --crash-report=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt --call-graph=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt_cg.txt /home/aota08/GREBE/linux-kernel/linux-5.6/net/l2tp/l2tp_core.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/net/core/sock.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/kernel/apic/apic.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc 

Total 9 file(s)
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer: error loading file '/home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc'
inserting l2tp_session_free __sk_destruct
inserting __sk_destruct rcu_do_batch
inserting rcu_do_batch rcu_core
inserting rcu_core __do_softirq
inserting __do_softirq invoke_softirq
inserting invoke_softirq irq_exit
inserting irq_exit exiting_irq
inserting exiting_irq smp_apic_timer_interrupt
inserting smp_apic_timer_interrupt apic_timer_interrupt
Here is the crash location l2tp_session_free net/l2tp/l2tp_core.c:1572 explicit checking? 1
analyzer: /home/aota08/GREBE/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed.
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4babdf]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4b8e72]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4bb455]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7fa406c63390]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7fa40601c438]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7fa40601e03a]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dbe7)[0x7fa406014be7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc92)[0x7fa406014c92]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x44aee5]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x44acf8]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x415f83]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa406007840]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x414349]
Stack dump:
0.      Program arguments: /home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer --crash-report=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt --call-graph=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt_cg.txt /home/aota08/GREBE/linux-kernel/linux-5.6/net/l2tp/l2tp_core.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/net/core/sock.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/kernel/apic/apic.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc 
Aborted (core dumped)
Traceback (most recent call last):
  File "run_analyze.py", line 72, in <module>
    run_case(sys.argv[1], sys.argv[2])
  File "run_analyze.py", line 69, in run_case
    shutil.copyfile("/tmp/ca_result", report_path+"_sts.txt")
  File "/usr/lib/python3.5/shutil.py", line 114, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ca_result'

Why does the assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' fail when I have all the required bitcode files?

Markakd commented 1 year ago

Hey, sorry for the late reply.

It looks like the taint source is not found. There might be some bugs in analyzing the crash location.

DarkBoulder commented 1 year ago

I realized that I need to use the kernel version and config options described in syzbot report, like this, and the analysis can run correctly. Sorry for my interruption.

M1ld22 commented 3 months ago

I realized that I need to use the kernel version and config options described in syzbot report, like this, and the analysis can run correctly. Sorry for my interruption.


Hi, I met the same problem. I used the kernel version and config from your link.

But it still reports "analyzer: /home/aota08/GREBE/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed."

Can you give me some advice? Thanks.