prosyslab / DAFL-artifact


Error while running SPARROW on lua (lua-5.4.0) #13

Open hy38 opened 1 month ago

hy38 commented 1 month ago

Hello,

Thank you for your amazing work :)

I'm facing an error while generating a DFG with Sparrow on Lua.

Settings

The target line is set at /benchmark/target/line/lua/2020-24370 as follows:

ldebug.c:241

/benchmark/run_smake.sh is set as follows:

#!/bin/bash
set -x
. $(dirname $0)/build_bench_common.sh
mkdir -p /benchmark/smake-out

export CC="clang"
export CXX="clang++"
export CMAKE_EXPORT_COMPILE_COMMANDS=1

### Program: lua-5.4.0
cd /benchmark
program="lua-5.4.0"
binaries="lua"
build_target $program $CC $CXX " "
cd /benchmark/RUNDIR-$program/$program
make clean
yes | /smake/smake --init
/smake/smake -j 1
cd /benchmark/RUNDIR-$program
for binary in $binaries; do
    cp -r lua-5.4.0/sparrow/$binary /benchmark/smake-out/$binary || exit 1
done

SLICE_TARGETS is set at scripts/benchmark.py as follows:

SLICE_TARGETS = {
    'lua': {
        'frontend':'cil',
        'entry_point':'main',
        'bugs': ['2020-24370']
    },
}

Sparrow is run with the following command:

python3 /benchmark/scripts/run_sparrow.py all thin

Running Sparrow

I get the following error with my target line number 241 (ldebug.c:241):

Pre-analysis completes: 57.762084
Fatal error: exception Failure("Error: target not found")
Raised at Stdlib.failwith in file "stdlib.ml", line 29, characters 17-33
Called from SlicingUtils.find_target_node_set in file "src/slicing/slicingUtils.ml", line 74, characters 43-77
Called from SlicingUtils.register_target in file "src/slicing/slicingUtils.ml", line 80, characters 22-58
Called from Stdlib__List.iter in file "list.ml", line 110, characters 12-15
Called from DugSlicer.construct_dug in file "src/slicing/dugSlicer.ml", line 41, characters 2-36
Called from DugSlicer.run in file "src/slicing/dugSlicer.ml", line 301, characters 12-48
Called from Dune__exe__Main.run_slicing in file "src/core/main.ml", line 115, characters 4-24
Called from Dune__exe__Main in file "src/core/main.ml", line 153, characters 8-15

Target Line Number Comparison

I debugged the line numbers for comparison in slicingUtils.ml and found that my target line ldebug.c:241 was missing while there exists the buggy function's entry line.

I referred to #12 and made sure that my target line is not part of a multi-line if-condition. My target function (and line 241) is shown below:

LUA_API const char *lua_getlocal (lua_State *L, const lua_Debug *ar, int n) {  // FUNCTION ENTRY LINE: 228
  const char *name;
  lua_lock(L);
  if (ar == NULL) {  /* information about non-active function? */
    if (!isLfunction(s2v(L->top - 1)))  /* not a Lua function? */
      name = NULL;
    else  /* consider live variables at function start (parameters) */
      name = luaF_getlocalname(clLvalue(s2v(L->top - 1))->p, n, 0);
  }
  else {  /* active function; get information through 'ar' */
    StkId pos = NULL;  /* to avoid warnings */
    name = luaG_findlocal(L, ar->i_ci, n, &pos);
    if (name) {
      setobjs2s(L, L->top, pos);  // TARGET LINE: 241
      api_incr_top(L);
    }
  }
  lua_unlock(L);
  return name;
}

Setting an alternative line as target

By setting the target line to the function entry point (line 228) instead, I could get past the above "target not found" error. However, I ran into another one: "empty list to list_max()".

Pre-analysis completes: 56.982242
#Procs : 557
#Nodes : 20696
Access Analysis begins...
Access Analysis completes: 2.061712
DUG construction begins...
[============================================================] (557/557)
[============================================================] (2014/2014)
draw intra-procedural edges
draw inter-procedural edges
DUG construction completes: 6.536617
Fatal error: exception Failure("empty list to list_max()")
Raised at Stdlib.failwith in file "stdlib.ml", line 29, characters 17-33
Called from OutputDFG.stringfy_nodes in file "src/slicing/outputDFG.ml", line 65, characters 17-49
Called from DugSlicer.perform_slicing in file "src/slicing/dugSlicer.ml", line 278, characters 18-58
Called from DugSlicer.run in file "src/slicing/dugSlicer.ml" (inlined), line 302, characters 12-40
Called from Stdlib__List.iter in file "list.ml", line 110, characters 12-15
Called from Stdlib__List.iter in file "list.ml" (inlined), line 108, characters 13-64
Called from DugSlicer.run in file "src/slicing/dugSlicer.ml", line 302, characters 2-56
Called from Dune__exe__Main.run_slicing in file "src/core/main.ml", line 115, characters 4-24
Called from Dune__exe__Main in file "src/core/main.ml", line 153, characters 8-15

Could you please give me some insights about this bug?

goodtaeeun commented 1 month ago

Hi, the analyzer reports that your target function is unreachable from the main function. I may be able to fix this issue if you could provide a stack trace of your target bug.

hy38 commented 1 month ago

Thank you for your reply :)

Here's the stack trace of lua (CVE-2020-24370), with my target line still set to ldebug.c:241:

root@fa25a91af839:/benchmark# ./bin/ASAN/lua-2020-24370 poc/lua/2020-24370
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11380==ERROR: AddressSanitizer: SEGV on unknown address 0x6198000005d0 (pc 0x7fb6b7951c12 bp 0x7fff99a0c850 sp 0x7fff99a0c008 T0)
==11380==The signal is caused by a READ memory access.
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_loc', zlib is not available
error: failed to decompress '.debug_ranges', zlib is not available
    #0 0x7fb6b7951c12  (/lib/x86_64-linux-gnu/libc.so.6+0xbbc12)
    #1 0x499241 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x4db93e in lua_getlocal /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldebug.c:241:7
    #3 0x556efd in db_getlocal /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldblib.c:218:12
    #4 0x4e595a in luaD_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:482:11
    #5 0x53a8e6 in luaV_execute /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lvm.c:1615:9
    #6 0x4e605c in luaD_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:504:7
    #7 0x4e6303 in luaD_callnoyield /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:526:3
    #8 0x4d50c1 in lua_callk /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:979:5
    #9 0x554f31 in generic_reader /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lbaselib.c:352:3
    #10 0x5405ae in luaZ_fill /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lzio.c:28:10
    #11 0x4e8dba in f_parser /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:789:11
    #12 0x4e2094 in luaD_rawrunprotected /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:148:3
    #13 0x4e8064 in luaD_pcall /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:749:12
    #14 0x4e881e in luaD_protectedparser /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:813:12
    #15 0x4d5f22 in lua_load /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:1053:12
    #16 0x553de2 in luaB_load /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lbaselib.c:379:14
    #17 0x4e595a in luaD_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:482:11
    #18 0x53a8e6 in luaV_execute /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lvm.c:1615:9
    #19 0x4e605c in luaD_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:504:7
    #20 0x4e6303 in luaD_callnoyield /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:526:3
    #21 0x4d5d90 in f_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:997:3
    #22 0x4e2094 in luaD_rawrunprotected /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:148:3
    #23 0x4e8064 in luaD_pcall /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:749:12
    #24 0x4d55f3 in lua_pcallk /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:1023:14
    #25 0x4caeb0 in docall /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lua.c:139:12
    #26 0x4cabd6 in handle_script /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lua.c:228:14
    #27 0x4c993b in pmain /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lua.c:603:7
    #28 0x4e595a in luaD_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:482:11
    #29 0x4e6303 in luaD_callnoyield /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:526:3
    #30 0x4d5d90 in f_call /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:997:3
    #31 0x4e2094 in luaD_rawrunprotected /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:148:3
    #32 0x4e8064 in luaD_pcall /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldo.c:749:12
    #33 0x4d55f3 in lua_pcallk /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:1023:14
    #34 0x4c9200 in main /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lua.c:629:12
    #35 0x7fb6b78ba082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #36 0x41e56d in _start (/benchmark/bin/ASAN/lua-2020-24370+0x41e56d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbc12)
==11380==ABORTING
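As an added example (not part of the issue or of the DAFL/Sparrow code), a small Python parser for the ASAN trace format above that pulls out the symbolized frames and answers the question goodtaeeun raises: whether the target line ldebug.c:241 sits on a call chain that bottoms out in main. The frame regex and helper names are my own assumptions; the sample trace is an excerpt of the one posted in the thread.

```python
import re
from typing import List, Optional, Tuple

# One symbolized ASAN frame, e.g.
#   #2 0x4db93e in lua_getlocal /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldebug.c:241:7
# Frames without debug info ("#0 0x7fb6b7951c12  (/lib/.../libc.so.6+0xbbc12)") do not match.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$")

def parse_frames(trace: str) -> List[Tuple[int, str, str, int]]:
    """(frame number, function, file basename, line) for every symbolized frame."""
    frames = []
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw)
        if m is None:
            continue  # banners, zlib warnings, unsymbolized frames
        no, func, path, line = m.groups()
        frames.append((int(no), func, path.rsplit("/", 1)[-1], int(line)))
    return frames

def call_chain(trace: str, target: str) -> Optional[List[str]]:
    """Frames from the target ("file.c:NNN") down to main, innermost first, as
    "function (file:line)". None when the target line is not on the trace."""
    frames = parse_frames(trace)
    start = next((i for i, f in enumerate(frames) if f"{f[2]}:{f[3]}" == target), None)
    if start is None:
        return None
    chain = []
    for _, func, base, line in frames[start:]:
        chain.append(f"{func} ({base}:{line})")
        if func == "main":
            break
    return chain

def reachable_from_main(trace: str, target: str) -> bool:
    """True when the target line is on the trace and the trace bottoms out in main."""
    chain = call_chain(trace, target)
    return chain is not None and chain[-1].startswith("main ")

# Excerpt of the ASAN trace posted in the thread (frames #4 to #32 left out).
SAMPLE_TRACE = """\
    #0 0x7fb6b7951c12  (/lib/x86_64-linux-gnu/libc.so.6+0xbbc12)
    #1 0x499241 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #2 0x4db93e in lua_getlocal /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldebug.c:241:7
    #3 0x556efd in db_getlocal /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/ldblib.c:218:12
    #33 0x4d55f3 in lua_pcallk /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lapi.c:1023:14
    #34 0x4c9200 in main /benchmark/RUNDIR-lua-5.4.0/lua-5.4.0/lua.c:629:12
    #35 0x7fb6b78ba082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
"""
```

Running `call_chain` on the full trace gives the function-by-function path from the crash site to main, which is the input a static slicer needs to confirm the target is reachable.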