trailofbits / manticore

Symbolic execution tool
https://blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/
GNU Affero General Public License v3.0

Invalid memory access on x64 #1377

Open langston-barrett opened 5 years ago

langston-barrett commented 5 years ago

OS / Environment

nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 4.14.102, NixOS, 18.09.2266.aabc61049c0 (Jellyfish)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.1.3`
 - channels(siddharthist): `"unstable-19.03pre164964.b0f40b78513"`
 - channels(root): `"nixos-18.09.2266.aabc61049c0"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

Manticore version

0.2.4

Python version

3.7.2

Dependencies

Summary of the problem

I'm getting an invalid memory access where I don't think there should be one. Symbolic simulation stops on a jump to a valid instruction.

Steps to reproduce the behavior

Run this script on this binary: [bomb.zip](https://github.com/trailofbits/manticore/files/2906819/bomb.zip)

Expected behavior

Symbolic execution will reach more instructions than the above.

Actual behavior

Manticore halts.

Any relevant logs

```
2019-02-26 09:56:10,330: [2838] m.c.manticore:INFO: Verbosity set to 3.
2019-02-26 09:56:10,340: [2838] m.c.executor:INFO: load state 0
here: 80488e0
2019-02-26 09:56:10,342: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e0: xor ebp, ebp
here: 80488e2
2019-02-26 09:56:10,347: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e2: pop esi
here: 80488e3
2019-02-26 09:56:10,351: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e3: mov ecx, esp
here: 80488e5
2019-02-26 09:56:10,355: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e5: and esp, 0xfffffff8
here: 80488e8
2019-02-26 09:56:10,360: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e8: push eax
here: 80488e9
2019-02-26 09:56:10,364: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488e9: push esp
here: 80488ea
2019-02-26 09:56:10,368: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488ea: push edx
here: 80488eb
2019-02-26 09:56:10,372: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488eb: push 0x80495e4
here: 80488f0
2019-02-26 09:56:10,376: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488f0: push 0x80486e0
here: 80488f5
2019-02-26 09:56:10,380: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488f5: push ecx
here: 80488f6
2019-02-26 09:56:10,384: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488f6: push esi
here: 80488f7
2019-02-26 09:56:10,388: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488f7: push 0x80489b0
here: 80488fc
2019-02-26 09:56:10,392: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x00000000080488fc: call 0x8048800
here: 8048800
2019-02-26 09:56:10,396: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x0000000008048800: jmp dword ptr [0x804b55c]
here: 8048806
2019-02-26 09:56:10,400: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x0000000008048806: push 0x70
here: 804880b
2019-02-26 09:56:10,404: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x000000000804880b: jmp 0x8048710
here: 8048710
2019-02-26 09:56:10,407: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x0000000008048710: push dword ptr [0x804b51c]
here: 8048716
2019-02-26 09:56:10,411: [2838] m.n.c.abstractcpu:DEBUG: INSTRUCTION: 0x0000000008048716: jmp dword ptr [0x804b520]
2019-02-26 09:56:10,451: [2838] m.c.manticore:INFO: Generated testcase No. 0 - Invalid memory access (mode:x) <0>
2019-02-26 09:56:10,453: [2838] m.c.manticore:INFO: Results in /home/siddharthist/Downloads/bomb2/mcore_wco6lo9x
2019-02-26 09:56:10,453: [2838] m.c.manticore:INFO: Total time: 0.11974239349365234
```

```
Command line: 'script.py'
Status: Invalid memory access (mode:x) <0>
================ PROC: 00 ================
Memory:
0000000008048000-000000000804a000 r x 00000000 ../bomb/bomb
000000000804a000-000000000804c000 rw  00001000 ../bomb/bomb
00000000bffdf000-00000000c0000000 rwx 00000000
CPU:
Instruction: 0x0000000008048716: jmp dword ptr [0x804b520]
EAX: 0x0000000000000000
ECX: 0x00000000bfffff4a
EDX: 0x0000000000000000
EBX: 0x0000000000000000
ESP: 0x00000000bfffff1c
EBP: 0x0000000000000000
ESI: 0x0000000000000001
EDI: 0x0000000000000000
EIP: 0x0000000000000000
CF: 0
SF: 1
ZF: 0
OF: 0
AF: 0
PF: 1
IF: 0
DF: 0
CS: 0, fffff000 (rwx)
DS: 0, fffff000 (rwx)
ES: 0, fffff000 (rwx)
SS: 0, fffff000 (rwx)
FS: 0, fffff000 (rwx)
GS: 0, fffff000 (rwx)
FP0: (0, 0)
FP1: (0, 0)
FP2: (0, 0)
FP3: (0, 0)
FP4: (0, 0)
FP5: (0, 0)
FP6: (0, 0)
FP7: (0, 0)
TOP: 0
Instruction: 0x8048716 jmp dword ptr [0x804b520])
```
langston-barrett commented 5 years ago

I get the same behavior on master.

ehennenfent commented 5 years ago

Looks like a problem with the global offset table. I wasn't able to replicate this so I'm guessing it's an issue specific to NixOS. @siddharthist Can you post your libc?
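Following up on the GOT remark, here is an added triage script written for this thread; it is not code from the reporter or from the Manticore project. Its pure-Python part parses the memory map and register dump that Manticore writes into a testcase, in the layout shown in the report, and classifies the recorded program counter as null, unmapped, mapped but not executable, or executable. A null verdict on `jmp dword ptr [GOT slot]` is the signature of a GOT slot still holding its on-disk value: a lazily bound ELF stores 0 in GOT[1] and GOT[2] until the dynamic linker writes the link_map pointer and the resolver address there at load time, and the register dump in the report shows exactly EIP = 0 after the jump through 0x804b520. The hook at the end applies the same check live before each such jump; the Manticore API it uses (`Manticore`, `m.hook(None)`, `state.cpu.instruction`, `state.cpu.read_int` with a size in bits, `state.abandon`) and the import path are my recollection of the 0.2.x native API and are assumptions. The dump text embedded in the script is constructed, with the values copied from the report.

```python
"""Triage a Manticore 'Invalid memory access (mode:x)' on an indirect jump.

Added example for this issue thread; not code from the reporter or from
Manticore.  Parses the memory map and register dump of a Manticore testcase
and says whether the recorded program counter is null, unmapped, or mapped
but not executable.  The optional hook at the bottom applies the same check
live (the Manticore 0.2.x API names it uses are an assumption).
"""
import re
import sys

# One line of the 'Memory:' block, e.g.
#   0000000008048000-000000000804a000 r x 00000000 ../bomb/bomb
# Permissions are three fixed columns; a space means the bit is not set.
MAP_LINE = re.compile(r"^([0-9a-f]{16})-([0-9a-f]{16}) (r| )(w| )(x| )", re.M)
# Program counter line, e.g. 'EIP: 0x0000000000000000'.
PC_LINE = re.compile(r"\b(?:EIP|RIP): 0x([0-9a-f]+)")

# Constructed sample in the layout Manticore prints; values copied from the report.
SAMPLE_DUMP = """\
Status: Invalid memory access (mode:x) <0>
Memory:
0000000008048000-000000000804a000 r x 00000000 ../bomb/bomb
000000000804a000-000000000804c000 rw  00001000 ../bomb/bomb
00000000bffdf000-00000000c0000000 rwx 00000000
CPU:
Instruction: 0x0000000008048716: jmp dword ptr [0x804b520]
EIP: 0x0000000000000000
"""


def parse_memory_map(dump):
    """Return [(start, end, perms)] with perms written like 'r-x' or 'rw-'."""
    return [
        (int(start, 16), int(end, 16), "".join("-" if c == " " else c for c in (r, w, x)))
        for start, end, r, w, x in MAP_LINE.findall(dump)
    ]


def classify_target(target, mappings):
    """Why fetching an instruction at `target` faults, or 'executable' if it does not."""
    if target == 0:
        return "null"
    for start, end, perms in mappings:
        if start <= target < end:
            return "executable" if "x" in perms else "not-executable"
    return "unmapped"


def diagnose(dump):
    """Classify the program counter recorded in a testcase dump.

    On disk, a lazily bound ELF keeps 0 in GOT[1] and GOT[2]; the dynamic
    linker writes the link_map pointer and the resolver address there at
    load time.  A 'null' verdict on 'jmp dword ptr [GOT slot]' therefore
    says the slot was never filled in, not that the target code is absent.
    """
    match = PC_LINE.search(dump)
    if match is None:
        raise ValueError("no EIP/RIP line in dump")
    pc = int(match.group(1), 16)
    return pc, classify_target(pc, parse_memory_map(dump))


def hook_got_jumps(m):
    """Stop a state before it jumps through a GOT slot that still holds 0.

    Assumption: Manticore 0.2.x native API (m.hook(None) runs before every
    instruction, state.cpu.instruction is the decoded Capstone instruction,
    read_int takes a size in bits, state.abandon() drops the state).
    """
    @m.hook(None)
    def before_instruction(state):
        insn = state.cpu.instruction
        slot = re.fullmatch(r"jmp dword ptr \[0x([0-9a-f]+)\]", f"{insn.mnemonic} {insn.op_str}")
        if slot is None:
            return
        target = state.cpu.read_int(int(slot.group(1), 16), 32)
        if isinstance(target, int) and target == 0:    # a symbolic slot is left to Manticore
            print(f"{insn.address:#x}: GOT slot 0x{slot.group(1)} unresolved (0); abandoning state")
            state.abandon()


if __name__ == "__main__":
    pc, verdict = diagnose(SAMPLE_DUMP)
    print(f"recorded pc {pc:#x}: {verdict}")
    if len(sys.argv) > 1:                           # python this.py ./bomb
        try:
            from manticore.native import Manticore  # assumption: 0.2.x import path
        except ImportError:
            from manticore import Manticore
        m = Manticore(sys.argv[1])
        hook_got_jumps(m)
        m.run()
```

Run without arguments to classify the embedded dump; pass the path of the binary to run Manticore with the hook installed. The hook only treats a concrete zero as "unresolved"; a symbolic slot value is left for Manticore's own memory checks, since deciding it would need a solver query.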

langston-barrett commented 5 years ago

@ehennenfent Thanks for looking into it! Do you mean the version?

$ ldd --version
ldd (GNU libc) 2.27