hase-project / hase

Timeless debugging with symbolic execution and processor trace
BSD 2-Clause "Simplified" License

strstr passes None to solver. #40

Closed Mic92 closed 5 years ago

Mic92 commented 5 years ago
Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 371, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hook.py", line 51, in process
    return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 31, in process
    force_addr=force_addr)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 65, in _process
    inst = procedure.execute(state, successors, ret_to=ret_to)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 78, in run
    super().run(haystack_strlen, needle_addr, haystack_strlen, needle_strlen)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 19, in run
    haystack_strlen = self.inline_call(strlen, haystack_addr) if haystack_strlen is None else haystack_strlen
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 289, in inline_call
    return p.execute(self.state, None, arguments=e_args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 81, in run
    return super().run(s, wchar)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 56, in run
    r, c, i = self.state.memory.find(s, null_seq, search_len, max_symbolic_bytes=max_symbolic_bytes, step=step, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 869, in find
    step=step, disable_actions=disable_actions, inspect=inspect, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 592, in _find
    disable_actions=disable_actions, inspect=inspect)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 764, in load
    events=not disable_actions, ret_on_segv=ret_on_segv)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 531, in _load
    if self.state.solver.symbolic(dst) and options.AVOID_MULTIVALUED_READS in self.state.options:
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 814, in symbolic
    return e.symbolic
AttributeError: 'NoneType' object has no attribute 'symbolic'
Mic92 commented 5 years ago
ERROR   | 2018-11-28 15:58:12,811 | root | Error while finding successor for recordings/file-3-4a51454.tar.gz
Traceback (most recent call last):
  File "/local/incoop/hase/hase/symbex/tracer.py", line 378, in execute
    state, num_inst=1  # , force_addr=addr
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/factory.py", line 49, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/hook.py", line 51, in process
    return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 31, in process
    force_addr=force_addr)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/engine.py", line 55, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/engines/procedure.py", line 65, in _process
    inst = procedure.execute(state, successors, ret_to=ret_to)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 78, in run
    super().run(haystack_strlen, needle_addr, haystack_strlen, needle_strlen)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strstr.py", line 19, in run
    haystack_strlen = self.inline_call(strlen, haystack_addr) if haystack_strlen is None else haystack_strlen
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 289, in inline_call
    return p.execute(self.state, None, arguments=e_args)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/sim_procedure.py", line 174, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 81, in run
    return super().run(s, wchar)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/procedures/libc/strlen.py", line 56, in run
    r, c, i = self.state.memory.find(s, null_seq, search_len, max_symbolic_bytes=max_symbolic_bytes, step=step, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 869, in find
    step=step, disable_actions=disable_actions, inspect=inspect, chunk_size=chunk_size)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 592, in _find
    disable_actions=disable_actions, inspect=inspect)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/storage/memory.py", line 764, in load
    events=not disable_actions, ret_on_segv=ret_on_segv)
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/symbolic_memory.py", line 531, in _load
    if self.state.solver.symbolic(dst) and options.AVOID_MULTIVALUED_READS in self.state.options:
  File "/local/incoop/hase/.direnv/python-3.6.6/lib/python3.6/site-packages/angr/state_plugins/solver.py", line 814, in symbolic
    return e.symbolic
AttributeError: 'NoneType' object has no attribute 'symbolic'
Airtnp commented 5 years ago

Is your angr version updated to the current hack? That may be the strlen-not-returning error that was solved in previous angr hack commits.

Airtnp commented 5 years ago

To be precise, does angr/**/libc/strlen.py have a return before super()?

Mic92 commented 5 years ago

If you made fixes to angr, can you put the updated hash here? https://github.com/hase-project/hase/blob/master/setup.py#L14

Airtnp commented 5 years ago

Oh, it's not the case. What are the problematic traces?

Mic92 commented 5 years ago

It should be in file-3-4a51454.tar.gz. But I saw the same error in other file bugs.

Airtnp commented 5 years ago

Oh, it's a misspelling error here. https://github.com/hase-project/angr/blob/angr-hacks-8.18.10.25/angr/procedures/libc/strstr.py#L78
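A simplified Python mock of the strstr/strlen call chain seen in the traceback, added here as an illustration and not angr's or hase's own code: the buggy variant reproduces the line-78 argument order, so the None default for haystack_strlen lands in the haystack address slot and strlen's memory read blows up deep in the solver, while the fixed variant restores the order and fails fast at the call site. MemoryModel, strstr_base, strlen and the sample memory contents are constructed stand-ins.

```python
class MemoryModel:
    """Constructed stand-in for angr's state memory: address -> bytes."""

    def __init__(self, mem):
        self.mem = mem

    def read_cstring(self, addr):
        if addr is None:
            # Same failure mode as the traceback: None reaches the memory/solver layer.
            raise AttributeError("'NoneType' object has no attribute 'symbolic'")
        return self.mem[addr].split(b"\0", 1)[0]


def strlen(memory, s):
    """Mock of the strlen procedure that strstr inline-calls."""
    return len(memory.read_cstring(s))


def strstr_base(memory, haystack_addr, needle_addr, haystack_strlen=None, needle_strlen=None):
    """Mock of the base strstr: lengths are computed via strlen when passed as None."""
    if haystack_strlen is None:
        haystack_strlen = strlen(memory, haystack_addr)
    if needle_strlen is None:
        needle_strlen = strlen(memory, needle_addr)
    haystack = memory.read_cstring(haystack_addr)[:haystack_strlen]
    return haystack.find(memory.read_cstring(needle_addr)[:needle_strlen])


def strstr_buggy(memory, haystack_addr, needle_addr, haystack_strlen=None, needle_strlen=None):
    """Argument order as on strstr.py line 78: haystack_strlen (None) lands in the address slot."""
    return strstr_base(memory, haystack_strlen, needle_addr, haystack_strlen, needle_strlen)


def strstr_fixed(memory, haystack_addr, needle_addr, haystack_strlen=None, needle_strlen=None):
    """Corrected order, plus a fail-fast guard so a None address is reported at the call site."""
    if haystack_addr is None or needle_addr is None:
        raise ValueError("strstr: haystack/needle address must not be None")
    return strstr_base(memory, haystack_addr, needle_addr, haystack_strlen, needle_strlen)


MEM = MemoryModel({0x1000: b"hello world\0", 0x2000: b"world\0"})  # constructed sample memory


def run_both():
    """Return (exception class name from the buggy variant, match offset from the fixed one)."""
    try:
        strstr_buggy(MEM, 0x1000, 0x2000)
        buggy = None
    except AttributeError as exc:
        buggy = type(exc).__name__
    return buggy, strstr_fixed(MEM, 0x1000, 0x2000)
```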

Airtnp commented 5 years ago

Solved in https://github.com/hase-project/angr/pull/2

Mic92 commented 5 years ago

Btw, you can also write fixes #<issuenumber> in the commit message to automatically close issues.