Open GoogleCodeExporter opened 8 years ago
GoogleCodeExporter
commented
8 years ago Sorry.. misleading title. I was originally trying this on Fedora 16 and got
this error, but valgrind included with 0.4 does not support the 3.x kernel
series, so I moved to the CentOS 5.8 where I could compare both versions.Original comment by cp_...@yahoo.com on 9 May 2012 at 12:12
GoogleCodeExporter
commented
8 years ago More info... even though I could get 0.6.0 to build in the manner described
above, it failed to solve the sample file input example. Version 0.4 worked
correctly.Original comment by cp_...@yahoo.com on 9 May 2012 at 3:30
GoogleCodeExporter
commented
8 years ago Unfortunately, it looks like the update to PL.y due to yacc/bison compatibility
problem slipped being commited. Replacing stp-ver-0.1-11-18-2008/parser/PL.y
with this version should fix make process for non-bison users.
Can you provide more info (avalanche output etc.) on sample failing?Original comment by m.k.erma...@gmail.com on 14 May 2012 at 8:22
Attachments:
GoogleCodeExporter
commented
8 years ago tar zxf Desktop/avalanche-0.6.tar.gz
cp Desktop/PL.y avalanche-0.6.0/stp-ver-0.1-11-18-2008/parser/PL.y
cd avalanche-0.6.0/
./configure
make
su -c "make install"
everything built cleanly... but the sample still fails...
$ od seed
0000000 000000 000000
0000004
$ avalanche -v --filename=seed ./sample2 seed
Avalanche, a dynamic analysis tool. Mon May 14 07:35:55 2012
Iteration 1. Mon May 14 07:35:55 2012
Inputs size = 1.
Selected next input with score 1346.
Unique error(s) found: 0.
Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
If I explicitly run it with a bad file, then it works...
$ echo 'bad!' > bad
$ avalanche -v --filename=bad ./sample2 bad
Avalanche, a dynamic analysis tool. Mon May 14 07:38:03 2012
Error detected. Mon May 14 07:38:03 2012
Process terminating with default action of signal 6 (SIGABRT)
at 0x3E0F030285: raise (in /lib64/libc-2.5.so)
by 0x3E0F031D2F: abort (in /lib64/libc-2.5.so)
by 0x4005AB: main (in /home/vegs-usr/avalanche-0.4/samples/simple/sample2)
Dumping input to file exploit_0_0.
Command: ./sample2 exploit_0_0
Iteration 1. Mon May 14 07:38:03 2012
Inputs size = 1.
Selected next input with score 1277.
Unique error(s) found: 1.
Error #0: Received SIGABRT
Inputs: exploit_0_0;
Command: ./sample2 exploit_0_0
Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
Original comment by cp_...@yahoo.com on 14 May 2012 at 11:39
GoogleCodeExporter
commented
8 years ago And with the debug flag...
$ avalanche -v --debug --filename=seed ./sample2 seed
Avalanche, a dynamic analysis tool. Mon May 14 07:55:12 2012
Running plugin Covgrind.
Executing command: /usr/local/bin/../lib/avalanche/valgrind, with args:
/usr/local/bin/../lib/avalanche/valgrind --tool=covgrind --trace-children=no -v
--alarm=300 --log-file=/tmp/avalanche-jfilik/execution.log
--filename=/tmp/avalanche-jfilik/basic_blocks.log ./sample2 seed
Covgrind is finished.
First score = 1346.
Iteration 1. Mon May 14 07:55:12 2012
Inputs size = 1.
Selected next input with score 1346.
Running plugin Tracegrind.
Executing command: /usr/local/bin/../lib/avalanche/valgrind, with args:
/usr/local/bin/../lib/avalanche/valgrind --tool=tracegrind --trace-children=no
--startdepth=1 --temp-dir=/tmp/avalanche-jfilik/ --invertdepth=100
--dump-prediction=yes --file=seed
--log-file=/tmp/avalanche-jfilik/execution.log ./sample2 seed
Tracegrind exited on signal.
Failure in Tracegrind.
No QUERY's found.
Unique error(s) found: 0.
Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
Original comment by cp_...@yahoo.com on 14 May 2012 at 11:56
GoogleCodeExporter
commented
8 years ago It looks like tracegrind fails to produce trace for STP. Can you run tracegrind
explicitly? You'll need to omit temp-dir and log-file options:
/usr/local/bin/../lib/avalanche/valgrind --tool=tracegrind --trace-children=no
--startdepth=1 --invertdepth=100 --dump-prediction=yes --file=seed ./sample2
seedOriginal comment by m.k.erma...@gmail.com on 14 May 2012 at 1:34
GoogleCodeExporter
commented
8 years ago ==4875== Tracegrind-1.0, valgrind IR to STP declarations converter
==4875== Copyright (C) iisaev
==4875== Using Valgrind-3.7.0.SVN and LibVEX; rerun with -h for copyright info
==4875== Command: ./sample2 seed
==4875==
==4875==
==4875== Process terminating with default action of signal 11 (SIGSEGV)
==4875== Access not within mapped region at address 0x1C
==4875== at 0x3E0EC00A70: ??? (in /lib64/ld-2.5.so)
==4875== by 0x1: ???
==4875== by 0x7FEFFFF7E: ???
==4875== by 0x7FEFFFF88: ???
==4875== If you believe this happened as a result of a stack
==4875== overflow in your program's main thread (unlikely but
==4875== possible), you can try to increase the size of the
==4875== main thread stack using the --main-stacksize= flag.
==4875== The main thread stack size used in this run was 10485760.
==4875==
==4875== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault
GDB shows:
Program received signal SIGSEGV, Segmentation fault.
createTaintedTemp (basicBlockLowerBytes=<value optimized out>,
basicBlockUpperBytes=<value optimized out>) at tg_main.c:3440
3440 curNode->visited++;
curNode is null...Original comment by cp_...@yahoo.com on 14 May 2012 at 1:46
GoogleCodeExporter
commented
8 years ago Could you try this patch?
cd avalanche-0.6.0
patch -p0 -i tracegrind_patchOriginal comment by m.k.erma...@gmail.com on 14 May 2012 at 3:09
Attachments:
GoogleCodeExporter
commented
8 years ago Thanks! That seems to have fixed it on CentOS 5.8 and Fedora 16. Great job.Original comment by cp_...@yahoo.com on 14 May 2012 at 3:32
Original issue reported on code.google.com by
cp_...@yahoo.comon 9 May 2012 at 12:08