Closed aditi-gupta closed 5 years ago
I've reproduced the issue; you need a few tweaks to manticore to do it, so check out this branch: https://github.com/trailofbits/manticore/tree/dev-973-dbg
that branch contains the fixes:
some notes from trying to debug:
From inspecting the pkl file of the state, we can see the crashing instruction:
In [2]: x = pickle.load(open('test_00000000.pkl'))
In [3]: x
Out[3]: <manticore.core.state.State at 0x7fbd881aebd0>
In [4]: print x.cpu
Instruction: 0x000000000043a08f: cmp rdx, qword ptr [rax + 0x18]
RAX: 0x0000000000000000
RCX: 0x0000000000000110
RDX: 0x00000000006d98e0
RBX: 0x00000000006d9880
RSP: 0x00007ffffffff3e0
RBP: 0x0000000000000001
RSI: 0x0000000000000000
RDI: 0x00000000006dec70
R8: 0x00000000006dd880
R9: 0x0000000000000000
R10: 0x0000000000000009
R11: 0x0000000000000004
R12: 0x00000000006dec70
R13: 0x00000000006dec60
R14: 0x0000000000001010
R15: 0x00000000006dfc70
RIP: 0x000000000043a093
EFLAGS: 0x0000000000000000
CF: 0
SF: 0
ZF: 0
OF: 0
AF: 0
PF: 0
IF: 0
DF: 0
CS: 0, fffff000 (rwx)
DS: 0, fffff000 (rwx)
ES: 0, fffff000 (rwx)
SS: 0, fffff000 (rwx)
FS: 6dd880, 4000 (rw)
GS: 0, fffff000 (rwx)
FP0: (0, 0)
FP1: (0, 0)
FP2: (0, 0)
FP3: (0, 0)
FP4: (0, 0)
FP5: (0, 0)
FP6: (0, 0)
FP7: (0, 0)
TOP: 0
The crashing insn is in free(). RAX is 0 when it shouldn't be.
Tested that the bug doesn't go away when using the capstone next branch; it might be an undiscovered bug in capstone, or in manticore.
ideas to try further:
nopping out Eventful._publish makes it faster to execute to the crash, but also disables the event infrastructure for generating testcases and reporting "Invalid memory exception" etc.
Some updates:
Stack trace for the issue:
main-
0x0000000000400e20 <+723>: call 0x429010 <fclose>
0x0000000000429142 <+306>: call 0x42e5d0 <_IO_new_file_close_it>
0x000000000042e6a7 <+215>: call 0x4306c0 <_IO_setb>
0x0000000000430706 <+70>: call 0x439d40 <free>
I noticed fopen on a target statically compiled under Ubuntu 18.04 uses openat vs open when built on 16.04. Recompiling the rsa_sign target under 16.04 appears to have resolved the above issue, so it seems that the usage of Linux.sys_openat may be problematic? More testing is needed.
Update:
I was not able to reproduce the issue in the original target by compiling a random test example that uses fopen to invoke openat on 18.04. So it is something specific to the rsa_sign target.
https://github.com/trailofbits/manticore/issues/940 could be related; it deals with openat also. In fact, one of the changes in the dev-973-dbg branch is from there.
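For anyone wanting to repeat the "random test example that uses fopen" check from the comments above, here is a small stand-alone harness. It is an added example and not code from the thread or from the manticore repository; it assumes only that the path it is given is writable. It exercises exactly the stdio path in the stack trace (fopen, then fclose, which on glibc walks _IO_new_file_close_it -> _IO_setb -> free), so a syscall model that mishandles the libc's open/openat choice shows up as a failed step rather than a crash deep inside free():

```c
#include <stdio.h>
#include <string.h>

/* Write `content` to `path` with fopen/fputs/fclose, then read it back with
 * fopen/fread/fclose and compare. Returns 0 on success, or a negative code
 * identifying the failing step. Every call goes through stdio, so the open
 * syscall is whichever one the (possibly static) libc chose: open on the
 * Ubuntu 16.04 build, openat on the 18.04 build mentioned in the thread. */
int roundtrip_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;                  /* open for writing failed */
    if (fputs(content, f) == EOF) {
        fclose(f);
        return -2;                  /* write failed */
    }
    if (fclose(f) != 0)
        return -3;                  /* close (buffer teardown -> free) failed */

    char buf[4096];                 /* assumption: test content fits in 4 KiB */
    f = fopen(path, "r");
    if (f == NULL)
        return -4;                  /* open for reading failed */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    if (fclose(f) != 0)
        return -5;                  /* second close failed */
    if (n != strlen(content) || strcmp(buf, content) != 0)
        return -6;                  /* data read back does not match */
    return 0;
}

int main(int argc, char **argv)
{
    /* Default path is a constructed example; pass another as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/tmp/fopen_openat_test.txt";
    int rc = roundtrip_file(path, "example input to sign\n");
    printf("roundtrip %s: %s (rc=%d)\n", path, rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Build it statically on each distribution (`gcc -static -o fopen_test fopen_test.c`) and run it natively under `strace -e trace=open,openat ./fopen_test` to confirm which syscall that libc emits; then run the same binary under manticore. A non-zero rc, or a crash under the engine but not natively, localises the problem to the syscall model rather than to the target program.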
OS / Environment
Ubuntu 18.04
Manticore version
0.1.10 with some slight changes
rsa_sign.zip rsa_priv.txt
In order to reproduce the issue, you need an example.txt file to sign. It doesn't matter what is in it. You also need the attached rsa_priv.txt file.