ucsb-seclab / dr_checker

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers
BSD 2-Clause "Simplified" License
331 stars 71 forks

Core dump due to LLVM assert fail on 2 Mediatek drivers #22

Open tnballo opened 6 years ago

tnballo commented 6 years ago

Even with no timeout, Soundy Analysis fails for 8 of the 436 entry points in the provided Mediatek kernel on my machine. 2 of these entry points actually crash Dr. Checker; the crash seems to implicate a failing assert caused by an error parsing LLVM IR (operand out of bounds).

To replicate, here's a bash script that runs analysis for 4 entry points per the standalone instructions (please update the path vars in the script accordingly):

  1. mtkfb_ioctl - analysis completes, just to prove my env is setup correctly.
  2. ppm_dlpt_limit_proc_write - triggers the crash.
  3. ppm_thermal_limit_proc_write - triggers the crash.
  4. ppm_dlpt_budget_trans_percentag_proc_write - no crash, just silent failure (no output JSON); not sure why. Orthogonal issue.
#!/bin/bash

dr_checker_path="/home/tballo/proj/dr_checker"
mediatek_bitcode_path="/home/tballo/mediatek_kernel/llvm_bitcode_out"

# Build latest
cd $dr_checker_path/llvm_analysis/MainAnalysisPasses
./build.sh

# Change to dir with analysis shared lib
cd $dr_checker_path/llvm_analysis/MainAnalysisPasses/build_dir/SoundyAliasAnalysis

# *******************************************************************************
# Example of driver for which analysis completes, from the docs.
# Just here to prove that everything is configured and I can run the analysis.
# Aside: 428 of 436 mediatek drivers complete analysis for me.
# *******************************************************************************

#IOCTL:mtkfb_ioctl:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/leds/llvm_link_final/final_to_check.bc
echo -e "\n[BASH] Running Dr. Checker on mtkfb_ioctl\n" 
opt -load ./libSoundyAliasAnalysis.so -dr_checker \
-toCheckFunction="mtkfb_ioctl" \
-functionType="IOCTL" \
-outputFile="hidraw_ioctl.drcheck.json" \
$mediatek_bitcode_path/drivers/misc/mediatek/leds/llvm_link_final/final_to_check.bc

# *******************************************************************************
# These drivers cause the crash and stack trace, point of this bug report.
# *******************************************************************************

#FileWrite:ppm_dlpt_limit_proc_write:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc
echo -e "\n[BASH] Running Dr. Checker on ppm_dlpt_limit_proc_write\n" 
opt -load ./libSoundyAliasAnalysis.so -dr_checker \
-toCheckFunction="ppm_dlpt_limit_proc_write" \
-functionType="FileWrite" \
-outputFile="ppm_dlpt_limit_proc_write.drcheck.json" \
$mediatek_bitcode_path/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc

#FileWrite:ppm_thermal_limit_proc_write:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc
echo -e "\n[BASH] Running Dr. Checker on ppm_thermal_limit_proc_write\n" 
opt -load ./libSoundyAliasAnalysis.so -dr_checker \
-toCheckFunction="ppm_thermal_limit_proc_write" \
-functionType="FileWrite" \
-outputFile="ppm_thermal_limit_proc_write.drcheck.json" \
$mediatek_bitcode_path/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc

# *******************************************************************************
# This driver appears to complete but no output file is produced and run_all.py
# reports it as failed - why?
# *******************************************************************************

#FileWrite:ppm_dlpt_budget_trans_percentage_proc_write:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc
echo -e "\n[BASH] Running Dr. Checker on ppm_dlpt_budget_trans_percentag_proc_write\n" 
opt -load ./libSoundyAliasAnalysis.so -dr_checker \
-toCheckFunction="ppm_dlpt_budget_trans_percentag_proc_write" \
-functionType="FileWrite" \
-outputFile="ppm_dlpt_budget_trans_percentag_proc_write.drcheck.json" \
$mediatek_bitcode_path/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc

Here is the output of the above script, including a stack trace for the crashes:

[*] Trying to Run Cmake
mkdir: cannot create directory ‘build_dir’: File exists
-- Configuring done
-- Generating done
-- Build files have been written to: /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/build_dir
[*] Trying to make
[  5%] Built target Utils
[  9%] Built target LinuxKernelCustomizations
[ 12%] Built target Customizations
[ 18%] Built target RangeAnalysis
[ 59%] Built target SoundyAliasAnalysis
[100%] Built target SoundyAliasAnalysisStatic

[BASH] Running Dr. Checker on mtkfb_ioctl

WARNING: You're attempting to print out a bitcode file.
This is inadvisable as it may cause display problems. If
you REALLY want to taste LLVM bitcode first-hand, you
can force output with the `-f' option.

Provided Function Type:IOCTL, Function Name:mtkfb_ioctl
Analyzing:0 init functions
Starting Analyzing function:mtkfb_ioctl
[+] Writing output to:hidraw_ioctl.drcheck.json
[+] Return message from file write:Success
[+] Writing Instr output to:hidraw_ioctl.drcheck.json.instr_warngs.json
[+] Return message from file write:Success

[BASH] Running Dr. Checker on ppm_dlpt_limit_proc_write

WARNING: You're attempting to print out a bitcode file.
This is inadvisable as it may cause display problems. If
you REALLY want to taste LLVM bitcode first-hand, you
can force output with the `-f' option.

Provided Function Type:FileWrite, Function Name:ppm_dlpt_limit_proc_write
Analyzing:0 init functions
Starting Analyzing function:ppm_dlpt_limit_proc_write
opt: /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instructions.h:1543: llvm::Value* llvm::CallInst::getArgOperand(unsigned int) const: Assertion `i < getNumArgOperands() && "Out of bounds!"' failed.
#0 0x0000000002795587 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2795587)
#1 0x00000000027958df PrintStackTraceSignalHandler(void*) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x27958df)
#2 0x0000000002793d25 llvm::sys::RunSignalHandlers() (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2793d25)
#3 0x0000000002794ece SignalHandler(int) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2794ece)
#4 0x00007f523ad83390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007f5239f22428 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007f5239f2402a abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007f5239f1abd7 __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92:0
#8 0x00007f5239f1ac82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x00007f5239be7dd9 llvm::CallInst::getArgOperand(unsigned int) const /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instructions.h:1544:0
#10 0x00007f5239c27ff5 DRCHECKER::TaintedSizeDetector::visitCallInst(llvm::CallInst&, llvm::Function*, std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >*, std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/bug_detectors/TaintedSizeDetector.cpp:30:0
#11 0x00007f5239bd1468 DRCHECKER::GlobalVisitor::processCalledFunction(llvm::CallInst&, llvm::Function*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:124:0
#12 0x00007f5239bd193c DRCHECKER::GlobalVisitor::visitCallInst(llvm::CallInst&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:202:0
#13 0x00007f5239bdac71 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::delegateCallInst(llvm::CallInst&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/InstVisitor.h:282:0
#14 0x00007f5239bd68a7 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visitCall(llvm::CallInst&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instruction.def:186:0
#15 0x00007f5239bd3ed5 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visit(llvm::Instruction&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instruction.def:186:0
#16 0x00007f5239bd2b64 DRCHECKER::GlobalVisitor::visit(llvm::Instruction&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/include/GlobalVisitor.h:85:0
#17 0x00007f5239bd4b29 void llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visit<llvm::ilist_iterator<llvm::Instruction> >(llvm::ilist_iterator<llvm::Instruction>, llvm::ilist_iterator<llvm::Instruction>) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/InstVisitor.h:91:0
#18 0x00007f5239bd1c31 DRCHECKER::GlobalVisitor::visit(llvm::BasicBlock*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:284:0
#19 0x00007f5239bd1de6 DRCHECKER::GlobalVisitor::analyze() /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:298:0
#20 0x00007f5239bf9607 DRCHECKER::SAAPass::runOnModule(llvm::Module&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/SoundyAliasAnalysis.cpp:250:0
#21 0x000000000222f440 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222f440)
#22 0x000000000222fb71 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222fb71)
#23 0x000000000222fd7d llvm::legacy::PassManager::run(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222fd7d)
#24 0x0000000000f6b423 main (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0xf6b423)
#25 0x00007f5239f0d830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#26 0x0000000000f46279 _start (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0xf46279)
Stack dump:
0.  Program arguments: opt -load ./libSoundyAliasAnalysis.so -dr_checker -toCheckFunction=ppm_dlpt_limit_proc_write -functionType=FileWrite -outputFile=ppm_dlpt_limit_proc_write.drcheck.json /home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc 
1.  Running pass 'Soundy Driver Checker' on module '/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc'.
./for_bug_report.sh: line 37: 18828 Aborted                 (core dumped) opt -load ./libSoundyAliasAnalysis.so -dr_checker -toCheckFunction="ppm_dlpt_limit_proc_write" -functionType="FileWrite" -outputFile="ppm_dlpt_limit_proc_write.drcheck.json" $mediatek_bitcode_path/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc

[BASH] Running Dr. Checker on ppm_thermal_limit_proc_write

WARNING: You're attempting to print out a bitcode file.
This is inadvisable as it may cause display problems. If
you REALLY want to taste LLVM bitcode first-hand, you
can force output with the `-f' option.

Provided Function Type:FileWrite, Function Name:ppm_thermal_limit_proc_write
Analyzing:0 init functions
Starting Analyzing function:ppm_thermal_limit_proc_write
opt: /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instructions.h:1543: llvm::Value* llvm::CallInst::getArgOperand(unsigned int) const: Assertion `i < getNumArgOperands() && "Out of bounds!"' failed.
#0 0x0000000002795587 llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2795587)
#1 0x00000000027958df PrintStackTraceSignalHandler(void*) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x27958df)
#2 0x0000000002793d25 llvm::sys::RunSignalHandlers() (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2793d25)
#3 0x0000000002794ece SignalHandler(int) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x2794ece)
#4 0x00007efe6cc29390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007efe6bdc8428 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007efe6bdca02a abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007efe6bdc0bd7 __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92:0
#8 0x00007efe6bdc0c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x00007efe6ba8ddd9 llvm::CallInst::getArgOperand(unsigned int) const /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instructions.h:1544:0
#10 0x00007efe6bacdff5 DRCHECKER::TaintedSizeDetector::visitCallInst(llvm::CallInst&, llvm::Function*, std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >*, std::vector<llvm::Instruction*, std::allocator<llvm::Instruction*> >*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/bug_detectors/TaintedSizeDetector.cpp:30:0
#11 0x00007efe6ba77468 DRCHECKER::GlobalVisitor::processCalledFunction(llvm::CallInst&, llvm::Function*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:124:0
#12 0x00007efe6ba7793c DRCHECKER::GlobalVisitor::visitCallInst(llvm::CallInst&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:202:0
#13 0x00007efe6ba80c71 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::delegateCallInst(llvm::CallInst&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/InstVisitor.h:282:0
#14 0x00007efe6ba7c8a7 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visitCall(llvm::CallInst&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instruction.def:186:0
#15 0x00007efe6ba79ed5 llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visit(llvm::Instruction&) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/Instruction.def:186:0
#16 0x00007efe6ba78b64 DRCHECKER::GlobalVisitor::visit(llvm::Instruction&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/include/GlobalVisitor.h:85:0
#17 0x00007efe6ba7ab29 void llvm::InstVisitor<DRCHECKER::GlobalVisitor, void>::visit<llvm::ilist_iterator<llvm::Instruction> >(llvm::ilist_iterator<llvm::Instruction>, llvm::ilist_iterator<llvm::Instruction>) /home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/include/llvm/IR/InstVisitor.h:91:0
#18 0x00007efe6ba77c31 DRCHECKER::GlobalVisitor::visit(llvm::BasicBlock*) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:284:0
#19 0x00007efe6ba77de6 DRCHECKER::GlobalVisitor::analyze() /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/GlobalVisitor.cpp:298:0
#20 0x00007efe6ba9f607 DRCHECKER::SAAPass::runOnModule(llvm::Module&) /home/tballo/proj/dr_checker/llvm_analysis/MainAnalysisPasses/SoundyAliasAnalysis/src/SoundyAliasAnalysis.cpp:250:0
#21 0x000000000222f440 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222f440)
#22 0x000000000222fb71 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222fb71)
#23 0x000000000222fd7d llvm::legacy::PassManager::run(llvm::Module&) (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0x222fd7d)
#24 0x0000000000f6b423 main (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0xf6b423)
#25 0x00007efe6bdb3830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#26 0x0000000000f46279 _start (/home/tballo/proj/dr_checker/helper_scripts/drchecker_deps/llvm/build/bin/opt+0xf46279)
Stack dump:
0.  Program arguments: opt -load ./libSoundyAliasAnalysis.so -dr_checker -toCheckFunction=ppm_thermal_limit_proc_write -functionType=FileWrite -outputFile=ppm_thermal_limit_proc_write.drcheck.json /home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc 
1.  Running pass 'Soundy Driver Checker' on module '/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc'.
./for_bug_report.sh: line 45: 18896 Aborted                 (core dumped) opt -load ./libSoundyAliasAnalysis.so -dr_checker -toCheckFunction="ppm_thermal_limit_proc_write" -functionType="FileWrite" -outputFile="ppm_thermal_limit_proc_write.drcheck.json" $mediatek_bitcode_path/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc

[BASH] Running Dr. Checker on ppm_dlpt_budget_trans_percentag_proc_write

WARNING: You're attempting to print out a bitcode file.
This is inadvisable as it may cause display problems. If
you REALLY want to taste LLVM bitcode first-hand, you
can force output with the `-f' option.

Provided Function Type:FileWrite, Function Name:ppm_dlpt_budget_trans_percentag_proc_write
Analyzing:0 init functions

Let me know if I can provide more info. Thanks!
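An added example, not part of this issue or of the dr_checker project: a small Python harness that parses entry-point lines in the `TYPE:function:bitcode` form quoted in the script's comments, builds the same `opt` command line the script uses, and classifies each run as a crash (non-zero exit, with the assertion text pulled from the log), a silent failure, or success. The classification rule for the silent case is an inference from the fourth run above (the log stops after `Analyzing:0 init functions` and never prints `Starting Analyzing function:`), not documented tool behaviour; the `closest_entry_point` helper, which compares a requested name against the entry-point list to catch a misspelled `-toCheckFunction`, is my own addition. The harness captures both stdout and stderr because the page does not say which stream the pass writes to.

```python
import difflib
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: entry-point lines in the TYPE:function:bitcode form
# shown in the script comments above (paths copied from the report).
ENTRY_POINTS = """
IOCTL:mtkfb_ioctl:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/leds/llvm_link_final/final_to_check.bc
FileWrite:ppm_dlpt_limit_proc_write:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc
FileWrite:ppm_dlpt_budget_trans_percentage_proc_write:/home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/base/power/pbm_v1/llvm_link_final/final_to_check.bc
"""

# Constructed log excerpts, trimmed from the three outcomes reported above.
SAMPLE_LOGS = {
    "ok": "Starting Analyzing function:mtkfb_ioctl\n[+] Writing output to:hidraw_ioctl.drcheck.json\n",
    "crash": "Starting Analyzing function:ppm_dlpt_limit_proc_write\n"
             "opt: Instructions.h:1543: llvm::Value* llvm::CallInst::getArgOperand(unsigned int) const: "
             "Assertion `i < getNumArgOperands() && \"Out of bounds!\"' failed.\n",
    "silent": "Provided Function Type:FileWrite, Function Name:ppm_dlpt_budget_trans_percentag_proc_write\n"
              "Analyzing:0 init functions\n",
}

ASSERT_RE = re.compile(r"Assertion `(.+?)' failed")


@dataclass
class EntryPoint:
    func_type: str
    name: str
    bitcode: str


def parse_entry_points(text):
    """Parse TYPE:function:bitcode lines; blank lines and '#' comments are skipped."""
    eps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        func_type, name, bitcode = line.split(":", 2)  # path may contain no ':'
        eps.append(EntryPoint(func_type, name, bitcode))
    return eps


def build_opt_cmd(ep, so_path="./libSoundyAliasAnalysis.so", out_dir="."):
    """Same invocation as the standalone instructions; returns (argv, output path)."""
    out = Path(out_dir) / f"{ep.name}.drcheck.json"
    argv = ["opt", "-load", so_path, "-dr_checker",
            f"-toCheckFunction={ep.name}",
            f"-functionType={ep.func_type}",
            f"-outputFile={out}",
            ep.bitcode]
    return argv, out


def classify(returncode, log, output_exists):
    """Map one run to (status, detail): crash / not_started / no_output / ok."""
    if returncode != 0:
        # subprocess reports a signal death as a negative code (SIGABRT -> -6).
        how = f"signal {-returncode}" if returncode < 0 else f"exit status {returncode}"
        m = ASSERT_RE.search(log)
        return ("crash", f"{how}: {m.group(1)}" if m else how)
    if "Starting Analyzing function:" not in log:
        # Inference from the report: the pass never reached the entry point,
        # which is what a misspelled -toCheckFunction looks like.
        return ("not_started", "entry point never analysed; check -toCheckFunction spelling")
    if not output_exists:
        return ("no_output", "analysis ran but no JSON was written")
    return ("ok", "")


def closest_entry_point(requested, entry_points):
    """Suggest the listed entry-point name nearest to a requested (possibly misspelled) one."""
    names = [ep.name for ep in entry_points]
    if requested in names:
        return requested
    hits = difflib.get_close_matches(requested, names, n=1, cutoff=0.8)
    return hits[0] if hits else None


def run_entry_point(ep, so_path="./libSoundyAliasAnalysis.so", out_dir=".", timeout=None):
    """Run opt for one entry point and classify the result (needs opt on PATH)."""
    argv, out = build_opt_cmd(ep, so_path, out_dir)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", f"exceeded {timeout}s")
    except FileNotFoundError:
        return ("error", "opt not found on PATH")
    return classify(proc.returncode, proc.stdout + proc.stderr, out.exists())


if __name__ == "__main__":
    for ep in parse_entry_points(ENTRY_POINTS):
        print(ep.name, run_entry_point(ep, timeout=600))
```

Running the module against a real checkout reproduces the script above but records, per entry point, whether `opt` aborted, never located the function, or finished without writing its JSON, which is the distinction run_all.py's single "failed" verdict hides.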

Machiry commented 5 years ago

@tnballo Sorry for getting back to this so late. If you happen to have the bc file, specifically /home/tballo/mediatek_kernel/llvm_bitcode_out/drivers/misc/mediatek/thermal/llvm_link_final/final_to_check.bc, could you share it please?