chenyueqi / w2l

Errors when using bitcodedst.py to generate ir #2

Closed Yuuoniy closed 3 years ago

Yuuoniy commented 3 years ago

Hi, I get some errors when using bitcodedst.py to generate IR for linux-5.5.3. It can generate IR for part of the source, but has errors for other parts. Could you provide any suggestions to help me sort this out? Thank you very much. I followed the instructions:

make defconfig
# gcc
make -j$MAKE_JOBS
#clang
ln -s ../../scripts/bitcodedst.py ./
./bitcodedst.py

And part of the error log is below:

make[5]: *** No rule to make target 'drivers/gpu/drm/bridge/panel.ll'.  Stop.
make[4]: *** [__build] Error 2
make[3]: *** [drivers/gpu/drm/bridge] Error 2
make[2]: *** [drivers/gpu/drm] Error 2
make[1]: *** [drivers/gpu] Error 2
make: *** [drivers] Error 2
make[6]: *** No rule to make target 'drivers/gpu/drm/i915/display/intel_ddi.ll'.  Stop.
make[5]: *** [__build] Error 2
make[4]: *** [drivers/gpu/drm/i915/display] Error 2
make[3]: *** [drivers/gpu/drm/i915] Error 2
make[2]: *** [drivers/gpu/drm] Error 2
make[1]: *** [drivers/gpu] Error 2
make: *** [drivers] Error 2
make[6]: *** No rule to make target 'drivers/gpu/drm/i915/display/intel_bw.ll'.  Stop.
make[5]: *** [__build] Error 2
make[4]: *** [drivers/gpu/drm/i915/display] Error 2
make[3]: *** [drivers/gpu/drm/i915] Error 2
make[2]: *** [drivers/gpu/drm] Error 2
make[1]: *** [drivers/gpu] Error 2
make: *** [drivers] Error 2
make[6]: *** No rule to make target 'drivers/gpu/drm/i915/display/intel_quirks.ll'.  Stop.
make[5]: *** [__build] Error 2
make[4]: *** [drivers/gpu/drm/i915/display] Error 2
make[3]: *** [drivers/gpu/drm/i915] Error 2
make[2]: *** [drivers/gpu/drm] Error 2
make[1]: *** [drivers/gpu] Error 2
make: *** [drivers] Error 2
make[6]: *** No rule to make target 'drivers/gpu/drm/i915/display/intel_atomic.ll'.  Stop.
make[5]: *** [__build] Error 2
make[4]: *** [drivers/gpu/drm/i915/display] Error 2
make[3]: *** [drivers/gpu/drm/i915] Error 2
make[2]: *** [drivers/gpu/drm] Error 2
make[1]: *** [drivers/gpu] Error 2
make: *** [drivers] Error 2

Besides, it has some errors about finding include files:

In file included from drivers/gpu/drm/i915/i915_irq.c:40:
drivers/gpu/drm/i915/display/intel_display_types.h:46:10: fatal error: 'i915_drv.h' file not found
#include "i915_drv.h"
         ^~~~~~~~~~~~
make[2]: *** No rule to make target 'arch/x86/pci/early.ll'.  Stop.
make[1]: *** [__build] Error 2
make: *** [arch/x86] Error 2

And I found the file i915_drv.h at drivers/gpu/drm/i915/i915_drv.h (there are similar errors for files in drivers/gpu/drm/i915/display, because they couldn't find include files in drivers/gpu/drm/i915).

Another specific example:

make CC=clang-9 ./arch/x86/pci/common.ll
  CC      scripts/mod/empty.o
  MKELF   scripts/mod/elfconfig.h
  HOSTCC  scripts/mod/modpost.o
  CC      scripts/mod/devicetable-offsets.s
  HOSTCC  scripts/mod/file2alias.o
  HOSTCC  scripts/mod/sumversion.o
  HOSTLD  scripts/mod/modpost
  CC      kernel/bounds.s
  CC      arch/x86/kernel/asm-offsets.s
  CALL    scripts/checksyscalls.sh
  CALL    scripts/atomic/check-atomics.sh
  DESCEND  objtool
make[2]: *** No rule to make target 'arch/x86/pci/common.ll'.  Stop.
scripts/Makefile.build:484: recipe for target '__build' failed
make[1]: *** [__build] Error 2
Makefile:1652: recipe for target 'arch/x86' failed
make: *** [arch/x86] Error 2

And I see "scripts/Makefile.build:484: recipe for target '__build' failed" in the error log many times. I looked into this but don't know why.

Here is my environment:

$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
$ make --version
GNU Make 4.1
Built for x86_64-pc-linux-gnu
$ clang-9 --version
clang version 9.0.0
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /root/o/llvm-9.0/build/bin

Yuuoniy commented 3 years ago

Anyway, I ran the analyzer on the Linux IR you provide and on the incomplete IR I generated locally. I have some questions about the result. The command I ran:

nohup ./analyzer -debug-verbose 0 -dump-leakers -dump-alias `find ~/o/w2l/code/linux-5.5.3-def-ir-debug -name "*\.ll"` 2>../../out/all/latest-linux-5.5.3-def &

They both print LeakStructMap with 43 structures and the information of AllocInst, LeakInst and so on. Here are the 43 structures (grep the result with [+] struct):

[+] struct.kobj_uevent_env
[+] struct.kioctx
[+] struct.proc_dir_entry
[+] struct.snd_pcm_mmap_control
[+] struct.snd_pcm_mmap_status
[+] struct.ip_sf_socklist
[+] struct.pipe_buffer
[+] struct.snd_pcm_runtime
[+] struct.xfrm_replay_state_esn
[+] struct.nlattr
[+] struct.rpc_task
[+] struct.station_info
[+] struct.sk_buff
[+] struct.dst_entry
[+] struct.group_info
[+] struct.nfs4_lockdata
[+] struct.nfs4_opendata
[+] struct.iovec
[+] struct.ipt_replace
[+] struct.elf64_phdr
[+] struct.nfs4_delegreturndata
[+] struct.ftrace_buffer_info
[+] struct.hid_device
[+] struct.bio_vec
[+] struct.scatterlist
[+] struct.xfrm_policy
[+] struct.fname
[+] struct.sem_array
[+] struct.inode
[+] struct.mon_reader_bin
[+] struct.policy_load_memory
[+] struct.vc_data
[+] struct.seq_file
[+] struct.dm_ioctl
[+] struct.mon_reader_text
[+] struct.n_tty_data
[+] struct.debug_buffer
[+] struct.usb_host_config
[+] struct.net_device
[+] struct.perf_event
[+] struct.configfs_buffer
[+] struct.usblp
[+] struct.regmap

Compared with the structures in Table 4 in the paper, I find that some structures in Table 4 do not show up here. According to my understanding, the structures in LeakStructMap should contain all the elastic objects shown in Table 4. Am I missing something? Besides, the result ends with printing structModuleMap, leakInstMap, allocInstMap, leakerList, allocSyscallMap and leakSyscallMap, but all of them are empty. Is this result as expected? Or do I need to configure something to make it work?

=========  printing structModuleMap ==========
====== end printing structModuleMap ==========

=========  printing leakInstMap ==========
====== end printing leakInstMap ==========

=========  printing allocInstMap ==========
====== end printing allocInstMap ==========

=========  printing leakerList ==========
====== end printing leakerList ==========

========= printing allocSyscallMap & leakSyscallMap ==========
======== end printing allocSyscallMap & leakSyscallMap =======

I sincerely hope to get your help with this. Thank you for any suggestion or comment.

Markakd commented 3 years ago

Hi, thanks for your interest.

I am not sure if this is due to the incompleteness of IR. You're welcome to use this tool to generate a complete set of IR for the Linux kernel. After getting the IR, please enable --ignore-reachable when running the analyzer.

We ran our experiments on Linux kernel 5.5.3; the results might be different if you test on a different version of the Linux kernel.

Yuuoniy commented 3 years ago

Thanks for your reply, I will look into this tool. After adding --ignore-reachable, I get the 88 structures, including all elastic objects shown in Table 4.

By the way, as you mentioned in the paper (in A.3):

We will make all these vulnerabilities available in virtual machines and release the exploits crafted by using elastic kernel objects.

However, I couldn't see them here. It would be very helpful if you could kindly provide the virtual machines that include those vulnerabilities (or part of them) that you experimented on.

chenyueqi commented 3 years ago

Thanks for reminding. I will pack them up when I get time. You can find some samples here.

Yuuoniy commented 3 years ago

Thank you very much. I would like to subscribe to it. XD