TypeError: unsupported operand type(s) for -: 'NoneType' and 'int'

[mborgerson]

Tested with Docker image angr/angr:latest. Loading certain ELF binaries can fail with the following exception. It appears to only affect ELF debug symbol binaries. Attached an example binary.

• Package: http://cdn-fastly.deb.debian.org/debian-debug/pool/main/m/mcabber/mcabber-dbgsym_1.0.4-1.1_mipsel.deb
• Binary: bin.zip
• Steps to reproduce:

  docker run -it --rm angr/angr@sha256:074b11474605c9cd224eab4810e01def5302251160eb686502e50224fcfae7f5
  wget http://cdn-fastly.deb.debian.org/debian-debug/pool/main/m/mcabber/mcabber-dbgsym_1.0.4-1.1_mipsel.deb
  wget http://cdn-fastly.deb.debian.org/debian/pool/main/m/mcabber/mcabber_1.0.4-1.1_mipsel.deb
  dpkg --vextract mcabber_1.0.4-1.1_mipsel.deb .
  dpkg -x mcabber-dbgsym_1.0.4-1.1_mipsel.deb .
  /home/angr/.virtualenvs/angr/bin/python -c "import angr; angr.Project('./usr/lib/debug/.build-id/86/44da19196d153945f5be3581a1ee790cf02b62.debug', auto_load_libs=False)"

• Traceback:

  Traceback (most recent call last):
  File "./analyze_binary.py", line 21, in catcher
  yield
  File "./analyze_binary.py", line 52, in doit_raw
  dbg = angr.Project(dbg_path, auto_load_libs=False)
  File "/home/angr/angr-dev/angr/angr/project.py", line 129, in __init__
  self.loader = cle.Loader(self.filename, concrete_target=concrete_target, **load_options)
  File "/home/angr/angr-dev/cle/cle/loader.py", line 133, in __init__
  self.initial_load_objects = self._internal_load(main_binary, *preload_libs, *force_load_libs, preloading=(main_binary, *preload_libs))
  File "/home/angr/angr-dev/cle/cle/loader.py", line 649, in _internal_load
  obj = self._load_object_isolated(main_spec)
  File "/home/angr/angr-dev/cle/cle/loader.py", line 829, in _load_object_isolated
  result = backend_cls(binary, binary_stream, is_main_bin=self.main_object is None, loader=self, **options)
  File "/home/angr/angr-dev/cle/cle/backends/elf/elf.py", line 124, in __init__
  self.__register_segments()
  File "/home/angr/angr-dev/cle/cle/backends/elf/elf.py", line 484, in __register_segments
  self.__register_dyn(seg)
  File "/home/angr/angr-dev/cle/cle/backends/elf/elf.py", line 518, in __register_dyn
  self.__neuter_streams(strtab)
  File "/home/angr/angr-dev/cle/cle/backends/elf/elf.py", line 865, in __neuter_streams
  obj.header.sh_offset = self._offset_to_rva(obj.header.sh_offset)
  File "/home/angr/angr-dev/cle/cle/backends/elf/elf.py", line 870, in _offset_to_rva
  return AT.from_mva(self.offset_to_addr(offset), self).to_rva()
  File "/home/angr/angr-dev/cle/cle/address_translator.py", line 44, in from_mva
  return cls(mva - owner.mapped_base, owner)
  TypeError: unsupported operand type(s) for -: 'NoneType' and 'int'

---

angr environment report

angr environment report
=============================
Date: 2020-03-31 04:06:19.931358
Running in virtual environment at /home/angr/.virtualenvs/angr
Platform: linux-x86_64
Python version: 3.6.9 (default, Nov  7 2019, 10:44:02) 
[GCC 8.3.0]
######## angr #########
Python found it in /home/angr/angr-dev/angr/angr
Pip version angr 8.20.1.7
Git info:
    Current commit d79af102c3030923d1ed1a801c0c18a1d46e6a1d from branch master
    Checked out from remote origin: https://github.com/angr/angr
######## ailment #########
Python found it in /home/angr/angr-dev/ailment/ailment
Pip version ailment 8.20.1.7
Git info:
    Current commit 0f7d3964226b77049a95e8b0f8f06c630df37454 from branch master
    Checked out from remote origin: https://github.com/angr/ailment
######## cle #########
Python found it in /home/angr/angr-dev/cle/cle
Pip version cle 8.20.1.7
Git info:
    Current commit 3ea14263843d01b7ad28348c6a64f12aa621858a from branch master
    Checked out from remote origin: https://github.com/angr/cle
######## pyvex #########
Python found it in /home/angr/angr-dev/pyvex/pyvex
Pip version pyvex 8.20.1.7
Git info:
    Current commit f4753f85a8c18dae9dbb32301f8a7804efd36491 from branch master
    Checked out from remote origin: https://github.com/angr/pyvex
######## claripy #########
Python found it in /home/angr/angr-dev/claripy/claripy
Pip version claripy 8.20.1.7
Git info:
    Current commit 8fc35a0ec4cc69b27795dd305a289a47d9f169e2 from branch master
    Checked out from remote origin: https://github.com/angr/claripy
######## archinfo #########
Python found it in /home/angr/angr-dev/archinfo/archinfo
Pip version archinfo 8.20.1.7
Git info:
    Current commit 18f72651bdd29e65e147dd6da10da8f00764e61c from branch master
    Checked out from remote origin: https://github.com/angr/archinfo
######## z3 #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.6/site-packages/z3
Pip version z3-solver 4.8.7.0
Couldn't find git info
######## unicorn #########
Python found it in /home/angr/.virtualenvs/angr/lib/python3.6/site-packages/unicorn
Pip version unicorn 1.0.2
Couldn't find git info
######### Native Module Info ##########
angr: 
unicorn: 
pyvex: .FFILibrary object at 0x7f26cb753ac8>
z3: 

$ pip freeze

-e git+https://github.com/angr/ailment@0f7d3964226b77049a95e8b0f8f06c630df37454#egg=ailment
-e git+https://github.com/angr/angr@d79af102c3030923d1ed1a801c0c18a1d46e6a1d#egg=angr
-e git+https://github.com/angr/angr-targets@7472fdd8c7e053952d82679de0ffb745d16271ed#egg=angr_targets
-e git+https://git:@github.com/salls/angrop@f1a80d3f56e2c85d3ec459c09e0420759f6b9863#egg=angrop
-e git+https://github.com/angr/archinfo@18f72651bdd29e65e147dd6da10da8f00764e61c#egg=archinfo
-e git+https://github.com/angr/archr@10864d364e35da289a0ad8258ea145ec00d92a30#egg=archr
astroid==2.3.3
avatar2==1.3.1
backcall==0.1.0
bitstring==3.1.6
cachetools==4.0.0
capstone==4.0.1
certifi==2019.11.28
cffi==1.14.0
chardet==3.0.4
-e git+https://github.com/angr/claripy@8fc35a0ec4cc69b27795dd305a289a47d9f169e2#egg=claripy
-e git+https://github.com/angr/cle@3ea14263843d01b7ad28348c6a64f12aa621858a#egg=cle
configparser==5.0.0
coverage==5.0.4
decorator==4.4.2
docker==4.2.0
dpkt==1.9.2
flaky==3.6.1
future==0.18.2
gitdb==4.0.2
GitPython==3.1.0
idna==2.9
intervaltree==3.0.2
ipdb==0.13.2
ipython==7.13.0
ipython-genutils==0.2.0
isort==4.3.21
itanium-demangler==1.0
jedi==0.16.0
keystone-engine==0.9.1.post3
lazy-object-proxy==1.4.3
mccabe==0.6.1
-e git+https://git:@github.com/rhelmot/monkeyhex@2718ae888d05c0827af3aca9bb46d25f773edfc2#egg=monkeyhex
-e git+https://git:@github.com/zardus/mulpyplexer@98515f1a587bc62693b6b33c730f0525ed9b85a8#egg=mulpyplexer
nclib==1.0.0rc4
networkx==2.4
nose==1.3.7
nose-timer==1.0.0
npyscreen==4.10.5
parse==1.15.0
parso==0.6.2
patchelf-wrapper==1.1.0
pefile==2019.4.18
pexpect==4.8.0
pickleshare==0.7.5
pkg-resources==0.0.0
plumbum==1.6.9
posix-ipc==1.0.4
progressbar==2.5
progressbar2==3.50.1
prompt-toolkit==3.0.5
protobuf==3.11.3
psutil==5.7.0
ptyprocess==0.6.0
pycparser==2.20
pyelftools==0.26
pygdbmi==0.9.0.3
Pygments==2.6.1
pylink-square==0.6.0
pylint==2.4.4
PySMT==0.8.0.post1
-e git+https://github.com/angr/pysoot@d08dc569ec35796ccea5509b3e04b74967bcfd48#egg=pysoot
python-utils==2.4.0
-e git+https://github.com/angr/pyvex@f4753f85a8c18dae9dbb32301f8a7804efd36491#egg=pyvex
requests==2.23.0
rpyc==4.1.4
shellphish-qemu==0.9.11
six==1.14.0
smmap==3.0.1
sortedcontainers==2.1.0
stopit==1.1.2
traitlets==4.3.3
typed-ast==1.4.1
unicorn==1.0.2
urllib3==1.25.8
wcwidth==0.1.9
websocket-client==0.57.0
wrapt==1.11.2
z3-solver==4.8.7.0

[rhelmot]

I pushed a fix which works for this binary but I don't know if it'll apply to everything in the future. My advice for having maximum resiliency during the megatests is to load with loader param page_size=0x1000 and to not directly load the debug symbol binaries the way you showed me you were originally doing, but to instead specify them as main_opts={'debug_symbols': path_to_debug_file}

[rhelmot]

Also, I can't tell if your pyelftools is installed from github in that pip freeze, but I want to reiterate that that's the thing that you need to do.