trailofbits / manticore

Symbolic execution tool
https://blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/
GNU Affero General Public License v3.0

Running raw bytecode results in multiple python errors and manticore hang #919

Closed noobdoesre closed 6 years ago

noobdoesre commented 6 years ago

OS / Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:        16.04
Codename:       xenial

Manticore version

Version: 0.1.9

Python version

Python 2.7.12

Dependencies

capstone==3.0.5rc2
cryptography==1.7.1
enum34==1.1.6
idna==2.2
ipaddress==1.0.17
keyring==10.1
keyrings.alt==1.3
manticore==0.1.9
ply==3.11
pyasn1==0.1.9
pycrypto==2.6.1
pyelftools==0.24
pygobject==3.22.0
pysha3==1.0.2
Pyste==0.9.10
python-apt==1.4.0b3
pyxdg==0.25
SecretStorage==2.3.1
six==1.10.0
unicorn==1.0.1
z3-solver==4.5.1.0.post2

Summary of the problem

Trying to run code of https://ropsten.etherscan.io/address/0x5fa35d68db2282fc3fd54c260876e6761d56839f#code results in numerous errors which look like use-after-free.

Step to reproduce the behavior

from manticore.ethereum import ManticoreEVM

m = ManticoreEVM()
m.verbosity(10)

# Bytecode fetched from the Etherscan page above (elided here); hex-decoded (Python 2)
init_bytecode = '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'.decode('hex')

user_account = m.create_account(balance=100000000000000000)
m.world.set_balance(user_account, 1000000000000000000)

# Deploy via a CREATE transaction: the bytes passed as `init` run as init code
contract_account = m.create_contract(owner=user_account, init=init_bytecode)
print "[+] Creating a contract account", contract_account
# 36 symbolic bytes: a 4-byte selector plus one 32-byte argument
symbolic_data = m.make_symbolic_buffer(36)
m.transaction(caller=user_account,
                address=contract_account,
                data=symbolic_data,
                value=None)

Expected behavior

Code is emulated successfully or the tool reports that emulation failed.

Actual behavior

Numerous python errors are reported and manticore hangs.

Any relevant logs

python it-fails.py
2018-06-06 16:32:40,748: [71746] m.manticore:DEBUG: Starting 10 processes.
2018-06-06 16:32:40,852: [71786] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:40,852: [71784] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:40,857: [71785] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:40,941: [71786] m.c.executor:INFO: load state 0
2018-06-06 16:32:40,974: [71791] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:40,979: [71796] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:40,987: [71807] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:41,000: [71799] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:41,008: [71786] m.c.executor:ERROR: Exception: object of type 'NoneType' has no len()
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/core/executor.py", line 461, in run
    if not current_state.execute():
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/core/state.py", line 127, in execute
    result = self._platform.execute()
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/platforms/evm.py", line 2475, in execute
    self.current_vm.execute()
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/platforms/evm.py", line 1341, in execute
    result = self._handler(*arguments)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/platforms/evm.py", line 1307, in _handler
    return implementation(*arguments)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/platforms/evm.py", line 1646, in CALLDATASIZE
    return len(self.data)
TypeError: object of type 'NoneType' has no len()

2018-06-06 16:32:41,015: [71804] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:41,017: [71792] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
2018-06-06 16:32:41,018: [71788] m.c.s.solver:DEBUG: Z3 version: Version(major=4, minor=5, patch=1)
Process Process-5:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/core/executor.py", line 503, in run
    self._publish('will_terminate_state', current_state, current_state_id, e)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/utils/event.py", line 118, in _publish
    self._publish_impl(_name, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/utils/event.py", line 126, in _publish_impl
    callback(robj(), *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/manticore-0.1.9-py2.7.egg/manticore/ethereum.py", line 1462, in _terminate_state_callback
    assert tx.result in {'SELFDESTRUCT', 'RETURN', 'STOP'}
AssertionError

feliam commented 6 years ago

Hey @noobdoesre ! Thank you for reporting this. I'll take a look asap.

arun-munagala commented 6 years ago

The same with this bytecode as well "60606040523615601d5760e060020a6000350463e522538181146059575b6081346060908152600160a060020a033316907fe1fffcc4923d04b559f4d29a8bfc6cda04eb5b0d3c460751c2402c5c5cc9109c90602090a25b565b6081600054600160a060020a0390811633919091161415605757600054600160a060020a0316ff5b00"

feliam commented 6 years ago

Ok. I just ran it and managed to reproduce them successfully. It looks like those bytecodes are runtime bytecode (as opposed to init bytecode) and you are trying to use them in a CREATE transaction. Runtime bytecode will normally use CALLDATA from the tx, and that's empty in a CREATE tx.

So if you want to just paste the runtime bytecode into some account without running the init bytecode you could...

contract_account = m.create_account(code=bytecode, balance=10000000)

The error messages are bad. And CALLDATA should be empty there but not None in your examples. I'll fix those soon. Thanks.
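Because feeding runtime bytecode to a CREATE transaction is exactly what triggered the `CALLDATASIZE` traceback above, a practitioner wants a quick check before choosing between `create_contract(init=...)` and `create_account(code=...)`. The script below is an added example, not code from the Manticore project or from anyone in this thread: it is a minimal EVM disassembler that skips PUSH immediates correctly, plus a heuristic that labels a blob as init code (it contains the `CODECOPY` followed by `RETURN` deployment prologue) or runtime code (it reads CALLDATA). The opcode table is a subset, the heuristic is an assumption that can be defeated by handwritten bytecode, and `make_init_code` constructs a sample init wrapper purely so the two cases can be compared. The runtime bytecode is the one arun-munagala posted above.

```python
# Added example, not Manticore project code. Distinguishes EVM init bytecode
# from runtime bytecode so the right ManticoreEVM entry point is used:
# create_contract(init=...) for init code, create_account(code=...) for runtime code.

# Subset of the EVM opcode table (assumption: only what this check needs).
OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x03: "SUB", 0x04: "DIV", 0x0a: "EXP",
    0x14: "EQ", 0x15: "ISZERO", 0x16: "AND", 0x33: "CALLER", 0x34: "CALLVALUE",
    0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE", 0x37: "CALLDATACOPY",
    0x39: "CODECOPY", 0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD",
    0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST",
    0xf3: "RETURN", 0xfd: "REVERT", 0xff: "SELFDESTRUCT",
}

CALLDATA_OPS = {"CALLDATALOAD", "CALLDATASIZE", "CALLDATACOPY"}

# Runtime bytecode quoted in the issue thread above (not constructed here).
RUNTIME_CODE = bytes.fromhex(
    "60606040523615601d5760e060020a6000350463e522538181146059575b6081346060"
    "908152600160a060020a033316907fe1fffcc4923d04b559f4d29a8bfc6cda04eb5b0d"
    "3c460751c2402c5c5cc9109c90602090a25b565b6081600054600160a060020a039081"
    "1633919091161415605757600054600160a060020a0316ff5b00"
)


def disassemble(code):
    """Return a list of (offset, mnemonic, immediate_bytes) tuples.

    PUSH1..PUSH32 (0x60..0x7f) carry 1..32 immediate bytes; a disassembler
    that does not skip them misreads data bytes as opcodes. A PUSH whose
    immediate runs past the end of the code simply gets the bytes available.
    """
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7f:
            n = op - 0x5f
            out.append((pc, f"PUSH{n}", code[pc + 1:pc + 1 + n]))
            pc += 1 + n
            continue
        if 0x80 <= op <= 0x8f:
            name = f"DUP{op - 0x7f}"
        elif 0x90 <= op <= 0x9f:
            name = f"SWAP{op - 0x8f}"
        elif 0xa0 <= op <= 0xa4:
            name = f"LOG{op - 0xa0}"
        else:
            name = OPCODES.get(op, f"UNKNOWN_{op:02x}")
        out.append((pc, name, b""))
        pc += 1
    return out


def first_calldata_use(code):
    """Offset of the first instruction that reads CALLDATA, or None.

    In a CREATE transaction CALLDATA is empty, so a blob whose first few
    instructions read it (the Solidity fallback dispatcher) was almost
    certainly meant to be deployed as runtime code, not executed as init code.
    """
    for pc, name, _ in disassemble(code):
        if name in CALLDATA_OPS:
            return pc
    return None


def classify(code):
    """Heuristic (assumption, not an EVM rule): 'init', 'runtime' or 'unknown'.

    Init code copies the runtime image out of itself with CODECOPY and hands
    it back with RETURN; runtime code dispatches on CALLDATA. The init test
    runs first because the runtime image embedded in init code also reads
    CALLDATA.
    """
    names = {name for _, name, _ in disassemble(code)}
    if "CODECOPY" in names and "RETURN" in names:
        return "init"
    if names & CALLDATA_OPS:
        return "runtime"
    return "unknown"


def make_init_code(runtime):
    """Constructed sample: wrap `runtime` in a CODECOPY/RETURN deployment prologue.

    Layout (12 bytes): PUSH2 size, DUP1, PUSH1 offset, PUSH1 0, CODECOPY,
    PUSH1 0, RETURN, then the runtime image at `offset`.
    """
    prologue_len = 12
    return (b"\x61" + len(runtime).to_bytes(2, "big")   # PUSH2 size
            + b"\x80"                                   # DUP1
            + bytes([0x60, prologue_len])               # PUSH1 offset
            + b"\x60\x00"                               # PUSH1 0 (dest offset)
            + b"\x39"                                   # CODECOPY
            + b"\x60\x00"                               # PUSH1 0
            + b"\xf3"                                   # RETURN
            + runtime)


if __name__ == "__main__":
    for label, blob in (("posted blob", RUNTIME_CODE),
                        ("wrapped blob", make_init_code(RUNTIME_CODE))):
        print(label, classify(blob), "first CALLDATA read at", first_calldata_use(blob))
```

Run stand-alone, the posted blob classifies as runtime with its first CALLDATA read at offset 5 (the `CALLDATASIZE` of the fallback check), which is the instruction the traceback above died in; wrapped in the constructed prologue, the same bytes classify as init code.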

arun-munagala commented 6 years ago

Yes. I was trying to run the runtime bytecode. Thank you!

arun-munagala commented 6 years ago

I did the above and used "contract_account = m.create_account(code=bytecode, balance=10000000)" for the runtime bytecode. I then get the following error:

Traceback (most recent call last):
  File "examples/evm/bytecode_manticore.py", line 155, in
    m.finalize()
  File "/home/iam/.virtualenvs/manticore-6excCQm7/local/lib/python2.7/site-packages/manticore/ethereum.py", line 1971, in finalize
    md = self.get_metadata(address)
UnboundLocalError: local variable 'address' referenced before assignment

feliam commented 6 years ago

Oh yes! There is an indentation bug there: https://github.com/trailofbits/manticore/blob/master/manticore/ethereum.py#L1971 We'll fix asap.

Send More! thanks.

offlinemark commented 6 years ago

@feliam is there an issue tracking that bug, or is it already fixed in one of your branches? if it's not addressed yet, can you make a quick issue for it? 🙏

offlinemark commented 6 years ago

it is addressed here: https://github.com/trailofbits/manticore/pull/926/files#diff-6cf4568b5e8712514d226faa04e417fbR2188

offlinemark commented 6 years ago

closing since this was merged into master in #926