angr / angr

A powerful and user-friendly binary analysis platform!
http://angr.io
BSD 2-Clause "Simplified" License

IndexError in memory.py while simulating fread #1712

Closed carter-yagemann closed 2 years ago

carter-yagemann commented 5 years ago

Describe the bug.

While analyzing a 64-bit Linux program, I encountered a case where an fopen() followed by an fread() resulted in the following error:

  File "[...]/env/site-packages/angr/procedures/libc/fread.py", line 21, in run
    ret = simfd.read(dst, size * nm)
  File "[...]/env/site-packages/angr/storage/file.py", line 615, in read
    self.state.memory.store(pos, data, size=realsize)
  File "[...]/env/site-packages/angr/storage/memory.py", line 594, in store
    action.actual_value = action._make_object(request.stored_values[0]) # TODO
IndexError: list index out of range

It worries me that the error is happening on a line with an empty TODO comment...

If I comment out this line, the analysis is able to proceed, though I don't know if the result is trustworthy.

Environment Information.

I'm using the latest angr via pip install angr and latest pypy3.

To Reproduce.

Unfortunately, my analysis and the target program are complicated, so I can't give steps for reproducing. A good starting point would be to understand how this can happen so I can figure out if this is an angr problem or mine.

Additional context.

N/A

rhelmot commented 5 years ago

This is pretty weird!

As per discussion in #1605:

So, stored_values are in fact used in order to construct simactions, as per the snippet, but as for that TODO, the problem is that there's not a very good way to actually recompose the multiple stored values into one action. Perhaps we should get an action per sub-store? From what I can tell the stores are split up for things like address concretization and also breaking the store across pages, maybe?

So the stored_values list is populated with one entry per actual write operation that gets performed. I have no idea why there would be zero write actions being performed though... I hope this helps you investigate better. I can't go any further without the ability to reproduce.

P.S. Please don't capitalize angr!
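The explanation above (stored_values holds one entry per sub-store actually performed, and the action is built from stored_values[0]) can be illustrated with a toy model. The following is an added example written for this page; it is not angr's code and does not reproduce angr's memory model. It assumes 4 KiB pages, invents a PagedMemory class with a store() that splits a request at page boundaries, and contrasts the "index [0]" pattern from the traceback with one action per sub-store. The sim_fread() helper shows one hypothetical way an empty stored_values list could arise, namely a read that yields zero bytes (at EOF, or with size * nm == 0) so the store performs no writes; the thread does not confirm that this is the actual trigger.

```python
# Constructed illustration for this thread, not angr's code: a toy paged
# memory whose store() splits a request at page boundaries and records one
# stored_values entry per sub-store actually written. action_from_first_value()
# mirrors the pattern in the traceback (stored_values[0]); actions_per_substore()
# is the "one action per sub-store" alternative. sim_fread() is a toy fread
# showing the assumed zero-byte-read trigger for an empty stored_values list.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages


@dataclass
class StoreRequest:
    addr: int
    data: bytes
    size: int
    # one (sub_addr, chunk) per sub-store that was actually performed
    stored_values: List[Tuple[int, bytes]] = field(default_factory=list)


@dataclass
class MemWriteAction:
    addr: int
    actual_value: bytes


class PagedMemory:
    def __init__(self) -> None:
        self.pages: Dict[int, bytearray] = {}

    @staticmethod
    def split_at_pages(addr: int, size: int) -> List[Tuple[int, int]]:
        """Return (sub_addr, sub_len) pieces; a zero-size store yields []."""
        pieces = []
        off = 0
        while off < size:
            a = addr + off
            n = min(PAGE_SIZE - (a % PAGE_SIZE), size - off)
            pieces.append((a, n))
            off += n
        return pieces

    def store(self, addr: int, data: bytes, size: int) -> StoreRequest:
        """Write data at addr, one sub-store per page touched."""
        req = StoreRequest(addr, data, size)
        for a, n in self.split_at_pages(addr, size):
            off = a - addr
            chunk = data[off:off + n]
            page = self.pages.setdefault(a // PAGE_SIZE, bytearray(PAGE_SIZE))
            o = a % PAGE_SIZE
            page[o:o + n] = chunk
            req.stored_values.append((a, chunk))
        return req

    def load(self, addr: int, size: int) -> bytes:
        out = bytearray()
        for a, n in self.split_at_pages(addr, size):
            page = self.pages.get(a // PAGE_SIZE, bytearray(PAGE_SIZE))
            o = a % PAGE_SIZE
            out += page[o:o + n]
        return bytes(out)


def action_from_first_value(req: StoreRequest) -> MemWriteAction:
    """Pattern from the traceback: only stored_values[0] is used, so a request
    that performed no sub-store at all raises IndexError here."""
    return MemWriteAction(req.addr, req.stored_values[0][1])


def actions_per_substore(req: StoreRequest) -> List[MemWriteAction]:
    """One action per sub-store; a request with no writes yields no actions."""
    return [MemWriteAction(a, chunk) for a, chunk in req.stored_values]


def sim_fread(mem: PagedMemory, dst: int, size: int, nm: int,
              file_data: bytes, pos: int) -> Tuple[int, StoreRequest]:
    """Toy fread(): copy up to size*nm bytes from file_data[pos:] into memory.
    Returns (bytes_read, store_request). At EOF or with size*nm == 0 the real
    size is 0 and the store performs no writes (assumed trigger, not confirmed)."""
    realsize = min(size * nm, max(0, len(file_data) - pos))
    req = mem.store(dst, file_data[pos:pos + realsize], realsize)
    return realsize, req


if __name__ == "__main__":
    mem = PagedMemory()
    # 16-byte read landing 8 bytes before a page boundary: two sub-stores
    n, req = sim_fread(mem, 0x0FF8, 1, 16, bytes(range(32)), 0)
    print(n, [hex(a) for a, _ in req.stored_values], len(actions_per_substore(req)))
    # read at EOF: zero bytes, no sub-stores, stored_values[0] fails
    n2, req2 = sim_fread(mem, 0x2000, 4, 8, b"abc", 3)
    print(n2, req2.stored_values, actions_per_substore(req2))
    try:
        action_from_first_value(req2)
    except IndexError as e:
        print("IndexError:", e)
```

Checking the actual realsize passed to the store (and whether size * nm is zero or the file position is already at EOF) at the point of the failing fread() would be a quick way to test this hypothesis against the real program.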

carter-yagemann commented 5 years ago

P.S. Please don't capitalize angr!

Fixed.

Thanks for the discussion link. I'll update this issue if I can figure out a simpler way of triggering the behavior.

github-actions[bot] commented 2 years ago

This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.

github-actions[bot] commented 2 years ago

This issue has been closed due to inactivity.