SimMemoryLimitError in puts

[Manouchehri]

puts will look as far ahead as it can for the null byte I'm concerned that the default settings cause it to error like that, I'd consider that a bug

• @rhelmot

nitro:catalyst dave$ ipython
Python 2.7.13 (default, Dec 18 2016, 07:03:39)
Type "copyright", "credits" or "license" for more information.

IPython 5.1.0 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import angr

In [2]: proj = angr.Project('catalyst', load_options={"auto_load_libs": False})

In [3]: path_group = proj.factory.path_group()

In [4]: path_group.explore()
Out[4]: <PathGroup with 1 errored>

In [5]: list(path_group.errored[0].trace)
Out[5]:
['<IRSB from 0x400780: 1 sat>',
 '<SimProcedure __libc_start_main from 0x1000040: 1 sat>',
 '<IRSB from 0x400fc0: 1 sat>',
 '<IRSB from 0x400690: 1 sat 1 unsat>',
 '<IRSB from 0x4006a2: 1 sat>',
 '<IRSB from 0x400ff1: 1 sat 1 unsat>',
 '<IRSB from 0x400ff6: 1 sat>',
 '<IRSB from 0x400850: 1 sat 1 unsat>',
 '<IRSB from 0x40085b: 1 sat>',
 '<IRSB from 0x4007f0: 1 sat 1 unsat>',
 '<IRSB from 0x400828: 1 sat>',
 '<IRSB from 0x40100d: 1 sat 1 unsat>',
 '<IRSB from 0x401016: 1 sat>',
 '<SimProcedure __libc_start_main from 0x1000050: 1 sat>',
 '<IRSB from 0x400d93: 1 sat>',
 '<IRSB from 0x400720: 1 sat>',
 '<SimProcedure malloc from 0x1000000: 1 sat>',
 '<IRSB from 0x400da5: 1 sat>',
 '<IRSB from 0x400720: 1 sat>',
 '<SimProcedure malloc from 0x1000000: 1 sat>',
 '<IRSB from 0x400db3: 1 sat>',
 '<IRSB from 0x400710: 1 sat>',
 '<SimProcedure ReturnUnconstrained from 0x10000d0: 1 sat>',
 '<IRSB from 0x400dc1: 1 sat>',
 '<IRSB from 0x400700: 1 sat>',
 '<SimProcedure ReturnUnconstrained from 0x10000c0: 1 sat>',
 '<IRSB from 0x400dc8: 1 sat>',
 '<IRSB from 0x4006d0: 1 sat>']

In [6]: path_group.errored[0]
Out[6]: <Errored Path with 28 runs (at 0x1000010, SimMemoryLimitError)>

In [7]: proj._sim_procedures
Out[7]:
{16777216: <Hook for malloc>,
 16777232: <Hook for puts>,
 16777248: <Hook for __isoc99_scanf>,
 16777264: <Hook for exit>,
 16777280: <Hook for __libc_start_main>,
 16777296: <Hook for __libc_start_main (continuation)>,
 16777312: <Hook for printf>,
 16777328: <Hook for putchar>,
 16777344: <Hook for fflush>,
 16777360: <Hook for strlen>,
 16777376: <Hook for sleep>,
 16777392: <Hook for ReturnUnconstrained (resolves rand) (1 arg)>,
 16777408: <Hook for ReturnUnconstrained (resolves srand) (1 arg)>,
 16777424: <Hook for ReturnUnconstrained (resolves time) (1 arg)>,
 16777440: <Hook for CallReturn>,
 16777456: <Hook for LinuxLoader (1 arg)>,
 16777472: <Hook for _dl_rtld_lock_recursive>,
 16777488: <Hook for _dl_rtld_unlock_recursive>,
 16777504: <Hook for _vsyscall>,
 16777520: <Hook for LinuxLoader (1 arg) (continuation)>}

int sub_400d93() {
    var_10 = malloc(0x3e8);
    var_18 = malloc(0x3e8);
    rax = time(0x0);
    rax = srand(LODWORD(rax));
    rax = puts(0x401088);
    rax = puts(0x401160);
    rax = puts(0x401258);
    rax = puts(0x401348);
    rax = puts(0x4013e0);
    rax = puts(0x4014a8);
    rax = puts(0x401570);
    rax = puts(0x401348);
    rax = puts(0x401638);
    rax = puts(0x401708);
    rax = puts(0x4017e0);
    rax = puts(0x401890);
    LODWORD(rax) = 0x0;
    rax = printf("Loading");
    rax = *stdout;
    rax = fflush(rax);
    var_4 = 0x0;
    rax = putchar(0xa);
    LODWORD(rax) = 0x0;
    rax = printf("Username: ");
    LODWORD(rax) = 0x0;
    rax = __isoc99_scanf(0x4018c3, var_10);
    LODWORD(rax) = 0x0;
    rax = printf(0x4018c6);
    LODWORD(rax) = 0x0;
    rax = __isoc99_scanf(0x4018c3, var_18);
    LODWORD(rax) = 0x0;
    rax = printf("Logging in");
    rax = *stdout;
    rax = fflush(rax);
    var_8 = 0x0;
    rax = putchar(0xa);
    rax = sub_400c9a(var_10);
    rax = sub_400cdd(var_10);
    rax = sub_4008f7(var_10);
    rax = sub_400977(var_10, var_18);
    rax = sub_400876(var_10, var_18);
    LODWORD(rax) = 0x0;
    return 0x0;
}

┌ (fcn) main 335
│   main ();
│           ; var int local_18h @ rbp-0x18
│           ; var int local_10h @ rbp-0x10
│           ; var int local_4h @ rbp-0x4
│              ; DATA XREF from 0x0040079d (entry0)
│           0x00400d93      55             push rbp
│           0x00400d94      4889e5         rbp = rsp
│           0x00400d97      4883ec20       rsp -= 0x20
│           0x00400d9b      bfe8030000     edi = 0x3e8                 ; size_t size
│           0x00400da0      e87bf9ffff     sym.imp.malloc ()          ;  void *malloc(size_t size)
│           0x00400da5      488945f0       qword [rbp - local_10h] = rax
│           0x00400da9      bfe8030000     edi = 0x3e8                 ; size_t size
│           0x00400dae      e86df9ffff     sym.imp.malloc ()          ;  void *malloc(size_t size)
│           0x00400db3      488945e8       qword [rbp - local_18h] = rax
│           0x00400db7      bf00000000     edi = 0                     ; time_t *timer
│           0x00400dbc      e84ff9ffff     sym.imp.time ()            ; time_t time(time_t *timer)
│           0x00400dc1      89c7           edi = eax                   ; int seed
│           0x00400dc3      e838f9ffff     sym.imp.srand ()           ; void srand(int seed)
│           0x00400dc8      bf88104000     edi = 0x401088              ; const char * s
│           0x00400dcd      e8fef8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400dd2      bf60114000     edi = str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400dd7      e8f4f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400ddc      bf58124000     edi = str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m__________________________________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400de1      e8eaf8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400de6      bf48134000     edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400deb      e8e0f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400df0      bfe0134000     edi = 0x4013e0              ; const char * s
│           0x00400df5      e8d6f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400dfa      bfa8144000     edi = str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_35m_______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400dff      e8ccf8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e04      bf70154000     edi = str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_34m______________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400e09      e8c2f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e0e      bf48134000     edi = str._e_36m_____________________________________________________________________________________________________________________________________ ; str._e_36m_____________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400e13      e8b8f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e18      bf38164000     edi = str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_32m___________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400e1d      e8aef8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e22      bf08174000     edi = str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_33m_________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400e27      e8a4f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e2c      bfe0174000     edi = str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; str._e_31m____________________________________________________________________________________________________________________________________________________________________________________________________________ ; const char * s
│           0x00400e31      e89af8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e36      bf90184000     edi = str._e_0mWelcome_to_Catalyst_systems ; str._e_0mWelcome_to_Catalyst_systems ; const char * s
│           0x00400e3b      e890f8ffff     sym.imp.puts ()            ; int puts(const char *s)
│           0x00400e40      bfb0184000     edi = str.Loading           ; "Loading" @ 0x4018b0 ; const char * format
│           0x00400e45      b800000000     eax = 0
│           0x00400e4a      e8a1f8ffff     sym.imp.printf ()          ; int printf(const char *format)
│           0x00400e4f      488b05721220.  rax = qword [obj.stdout]    ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
│           0x00400e56      4889c7         rdi = rax                   ; FILE *stream
│           0x00400e59      e8d2f8ffff     sym.imp.fflush ()          ; int fflush(FILE *stream)
│           0x00400e5e      c745fc000000.  dword [rbp - local_4h] = 0
└       ┌─< 0x00400e65      eb44           goto loc.00400eab
├ loc.00400eab 123
│   loc.00400eab ();
│           ; var int local_18h @ rbp-0x18
│           ; var int local_10h @ rbp-0x10
│           ; var int local_8h @ rbp-0x8
│              ; JMP XREF from 0x00400e65 (main)
│           0x00400eab      bf0a000000     edi = 0xa                   ; size_t size
│           0x00400eb0      e80bf8ffff     sym.imp.putchar ()         ; sym.imp.malloc-0x60;  void *malloc(size_t size)
│           0x00400eb5      bfb8184000     edi = str.Username:         ; "Username: " @ 0x4018b8 ; const char * format
│           0x00400eba      b800000000     eax = 0
│           0x00400ebf      e82cf8ffff     sym.imp.printf ()          ; int printf(const char *format)
│           0x00400ec4      488b45f0       rax = qword [rbp - local_10h]
│           0x00400ec8      4889c6         rsi = rax
│           0x00400ecb      bfc3184000     edi = 0x4018c3              ; const char * format
│           0x00400ed0      b800000000     eax = 0
│           0x00400ed5      e866f8ffff     sym.imp.__isoc99_scanf ()  ; int scanf(const char *format)
│           0x00400eda      bfc6184000     edi = str.Password:         ; "Password: " @ 0x4018c6 ; const char * format
│           0x00400edf      b800000000     eax = 0
│           0x00400ee4      e807f8ffff     sym.imp.printf ()          ; int printf(const char *format)
│           0x00400ee9      488b45e8       rax = qword [rbp - local_18h]
│           0x00400eed      4889c6         rsi = rax
│           0x00400ef0      bfc3184000     edi = 0x4018c3              ; const char * format
│           0x00400ef5      b800000000     eax = 0
│           0x00400efa      e841f8ffff     sym.imp.__isoc99_scanf ()  ; int scanf(const char *format)
│           0x00400eff      bfd1184000     edi = str.Logging_in        ; "Logging in" @ 0x4018d1 ; const char * format
│           0x00400f04      b800000000     eax = 0
│           0x00400f09      e8e2f7ffff     sym.imp.printf ()          ; int printf(const char *format)
│           0x00400f0e      488b05b31120.  rax = qword [obj.stdout]    ; [0x6020c8:8]=0x4e4728203a434347 ; LEA obj.stdout ; "GCC: (GNU) 6.1.1 20160721 (Red Hat 6.1.1-4)" @ 0x6020c8
│           0x00400f15      4889c7         rdi = rax                   ; FILE *stream
│           0x00400f18      e813f8ffff     sym.imp.fflush ()          ; int fflush(FILE *stream)
│           0x00400f1d      c745f8000000.  dword [rbp - local_8h] = 0
└       ┌─< 0x00400f24      eb3e           goto loc.00400f64

[Manouchehri]

Fish wasn't able to reproduce this issue.

Will reopen after I confirm if it's not just my system.

[Manouchehri]

Reopening, reproducible on a different VM (new install with angr-dev's setup.sh).

(angr) dave@xen16:~/angr-doc/examples/catalyst# python solve.py 
WARNING | 2017-02-03 20:13:52,705 | angr.project | Re-hooking symbol puts
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol putchar
WARNING | 2017-02-03 20:13:52,706 | angr.project | Re-hooking symbol printf
Python 2.7.13 (default, Dec 18 2016, 20:19:42) 
Type "copyright", "credits" or "license" for more information.

IPython 5.2.2 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: path_group
Out[1]: <PathGroup with 1 errored>

In [2]: path_group.errored
Out[2]: [<Errored Path with 16 runs (at 0x1000020, SimMemoryLimitError)>]

In [3]: e.debug() # e = path_group.errored[0]

You are currently into an embedded ipython shell,
the configuration will not be loaded.

> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(323)_resolve_size_range()
    322             if i > self._maximum_concrete_size:
--> 323                 raise SimMemoryLimitError("Concrete size %d outside of allowable limits" % i)
    324             return i, i

ipdb> up
> /root/angr-dev/simuvex/simuvex/plugins/symbolic_memory.py(488)_load()
    487         # for now, we always load the maximum size
--> 488         _,max_size = self._resolve_size_range(size)
    489         if options.ABSTRACT_MEMORY not in self.state.options and self.state.se.symbolic(size):

ipdb> up
> /root/angr-dev/simuvex/simuvex/storage/memory.py(715)load()
    714 
--> 715         a,r,c = self._load(addr_e, size_e, condition=condition_e, fallback=fallback_e)
    716         add_constraints = self.state._inspect_getattr('address_concretization_add_constraints', add_constraints)

ipdb> up
> /root/angr-dev/simuvex/simuvex/s_format.py(429)_parse()
    428 
--> 429         fmt_xpr = self.state.memory.load(fmtstr_ptr, length)
    430 

ipdb> print fmtstr_ptr
<SAO <BV64 0x401088>>