angr / claripy

An abstraction layer for constraint solvers.
BSD 2-Clause "Simplified" License

Two Bugs in CFG Generation: Bit-Vector Length Mismatch and List Index Out of Range #426

Open hwu71 opened 3 months ago

hwu71 commented 3 months ago

Description

I found two bugs when trying to get the CFG for the attached binary.

Bug 1: comparing two bit-vectors that have different lengths.

# Contains some debug info
a.args[1]
<BV32 0x1>
ast.all_operations.BVV(1, 1)
<BV1 1>

a.args[1] == ast.all_operations.BVV(1, 1)
Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/backends/backend.py", line 359, in is_false
    return self._false_cache[e.cache_key]
  File "/usr/lib/python3.10/weakref.py", line 416, in __getitem__
    return self.data[ref(key)]
KeyError: <weakref at 0x77598ecf48b0; to 'ASTCacheKey' at 0x77598eee2770>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/ast/base.py", line 1191, in _excavate_ite
    ast = next(ast_queue[-1])
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/operations.py", line 50, in _op
    raise ClaripyOperationError(msg)
claripy.errors.ClaripyOperationError: args' length must all be equal

Potential fix: In simplifications.py, check the length of a.args[x] and b.args[x] before the comparison, or generate BVV 0/1 using the length of a.args[x] and b.args[x].

After fixing bug 1, I found another bug in angr. Bug 2:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/AMP_pipeline/src/misc/angr_amp_240724.py", line 4, in <module>
    cfg = proj.analyses.CFGFast()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 217, in __call__
    r = w(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 202, in wrapper
    oself.__init__(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 844, in __init__
    self._analyze()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/forward_analysis/forward_analysis.py", line 269, in _analyze
    self._post_analysis()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1562, in _post_analysis
    self._remove_redundant_overlapping_blocks(function_alignment=4, is_arm=True)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 3363, in _remove_redundant_overlapping_blocks
    if b.instruction_addrs[0] not in a.instruction_addrs and b in self.graph:
IndexError: list index out of range

Potential fix: In cfg_fast.py, check len(b.instruction_addrs) > 0 before accessing instruction_addrs[0].

Steps to reproduce the bug

import angr
# Attached binary (program_c.gcc.zip); unpack it next to this script
path = "program_c.gcc.vuln"
# Load only the target binary, without its shared libraries
proj = angr.Project(path, load_options={'auto_load_libs': False})
# Bug 2 is raised from CFGFast's post-analysis block clean-up
cfg = proj.analyses.CFGFast()

program_c.gcc.zip

Environment

angr-dev v9.2.112

Additional context

No response
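Added example, not claripy's or angr's own code: a self-contained Python model of the two guards proposed in the report above. `BitVec`, `bvv`, `bv_eq`, `eq_const` and `first_instruction_inside` are illustrative stand-ins; they model only the width check before a bit-vector comparison (and building the 0/1 constant with the operand's own width) and the empty-list check before indexing `instruction_addrs[0]`. They do not reproduce claripy's AST machinery or what CFGFast does with overlapping blocks.

```python
"""Defensive width and index checks modelled on the two fixes proposed in the issue.

This is an added, stand-alone model (not claripy or angr code): BitVec stands in
for a concrete claripy BV, and first_instruction_inside stands in for the test
in CFGFast._remove_redundant_overlapping_blocks that raised IndexError.
"""
from dataclasses import dataclass
from typing import Sequence


class LengthMismatch(ValueError):
    """Raised when two bit-vectors of different widths are compared."""


@dataclass(frozen=True)
class BitVec:
    """Minimal concrete bit-vector: an unsigned value and its width in bits."""
    value: int
    length: int

    def __post_init__(self) -> None:
        if self.length <= 0:
            raise ValueError("bit-vector width must be positive")
        # Mask the value to the declared width, as a BVV constructor would.
        object.__setattr__(self, "value", self.value & ((1 << self.length) - 1))


def bvv(value: int, length: int) -> BitVec:
    """Construct a concrete bit-vector of the given width (hypothetical stand-in for BVV)."""
    return BitVec(value, length)


def widths_match(a: BitVec, b: BitVec) -> bool:
    """Fix option 1: check the operand widths before comparing at all."""
    return a.length == b.length


def bv_eq(a: BitVec, b: BitVec) -> bool:
    """Equality with an explicit width guard.

    The reported failure (BV32 compared against BV1) surfaces here as a single,
    descriptive exception instead of a nested traceback.
    """
    if not widths_match(a, b):
        raise LengthMismatch(
            f"cannot compare BV{a.length} with BV{b.length}: widths differ"
        )
    return a.value == b.value


def eq_const(a: BitVec, const: int) -> bool:
    """Fix option 2: build the 0/1 constant with the operand's own width.

    Deriving the width from `a` instead of hard-coding BVV(1, 1) is what keeps
    the comparison well-typed for any operand width.
    """
    return bv_eq(a, bvv(const, a.length))


def first_instruction_inside(a_addrs: Sequence[int], b_addrs: Sequence[int]) -> bool:
    """Model of the indexed test from bug 2 with the proposed guard.

    Returns whether block b's first instruction address lies inside block a.
    A block with no recorded instruction addresses has no first instruction,
    so the guard answers False rather than raising IndexError.
    """
    if len(b_addrs) == 0:  # guard proposed for bug 2
        return False
    return b_addrs[0] in a_addrs


if __name__ == "__main__":
    # Constructed sample values mirroring the report: a BV32 holding 1.
    operand = bvv(1, 32)
    try:
        bv_eq(operand, bvv(1, 1))  # the original mismatched comparison
    except LengthMismatch as exc:
        print("guarded:", exc)
    print("width-aware constant compare:", eq_const(operand, 1))
    # Constructed instruction address lists for two overlapping blocks.
    print(first_instruction_inside([0x10000, 0x10004], [0x10004, 0x10008]))
    print(first_instruction_inside([0x10000, 0x10004], []))
```

Both guards follow the same rule: validate the shape of the operands (width, or non-emptiness) at the point where the assumption is made, so that a malformed input is reported where it arises rather than several frames deeper.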

twizmwazin commented 3 months ago

@hwu71 Can you submit PRs with each of those fixes?