vusec / inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
https://vusec.github.io/inspectre-gadget/
Apache License 2.0

Assertion failure in add_nodes #12

Closed andyhhp closed 6 months ago

andyhhp commented 8 months ago

This includes the minor adjustment in #11

[MAIN]  Analyzing gadget at address 0xffff82d04021e360 free_pirq_struct ...
[MAIN]  Found 2 potential transmissions.
[MAIN]  Found 0 tainted function pointers.
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/./inspectre", line 105, in <module>
    args.func(args)
  File "/local/inspectre-gadget.git/./inspectre", line 44, in run_analyzer
    analyzer.run(binary=args.binary,
  File "/local/inspectre-gadget.git/analyzer/analyzer.py", line 267, in run
    analyse_gadget(proj, g[0], g[1], config, csv_filename, tfp_csv_filename, asm_folder)
  File "/local/inspectre-gadget.git/analyzer/analyzer.py", line 167, in analyse_gadget
    transmissions.extend(transmissionAnalysis.get_transmissions(t))
  File "/local/inspectre-gadget.git/analyzer/analysis/transmissionAnalysis.py", line 160, in get_transmissions
    d = get_dependency_graph(potential_t, canonical_expr)
  File "/local/inspectre-gadget.git/analyzer/analysis/transmissionAnalysis.py", line 137, in get_dependency_graph
    d.add_constraints([x[1] for x in potential_t.constraints])
  File "/local/inspectre-gadget.git/analyzer/analysis/dependencyGraph.py", line 267, in add_constraints
    self.add_nodes(sym)
  File "/local/inspectre-gadget.git/analyzer/analysis/dependencyGraph.py", line 233, in add_nodes
    assert(len(attacker_annos) + len(load_annos) + len(uncontrolled_annos) == 1)
AssertionError

I'm afraid that I can't reproduce it by analysing free_pirq_struct in isolation, which means it depends on some prior work. I'll see if I can narrow it down at all.

andyhhp commented 8 months ago

This is reproducible when scanning all of Xen's ENDBR sites, skipping parse_event_log_entry to work around #13.

Files: xen-syms.gz addr-list-all.csv

AlviseDeFaveri commented 6 months ago

We have pinpointed this to a few instances where angr transfers all the annotations of the original expression to the new expression during various simplification steps. We fixed some of the cases by rolling our own simplify(), but internally angr still does this in some cases.

Not closing until we are able to remove all the instances of this.

AlviseDeFaveri commented 6 months ago

Fixed by https://github.com/vusec/inspectre-gadget/commit/ec5f37463ffa3894a5d2afeda0e8c01f9a2cb753, closing.