vusec / inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
https://vusec.github.io/inspectre-gadget/
Apache License 2.0

Angr "Cannot execute following jumpkind Ijk_SigSEGV" #15

Open andyhhp opened 8 months ago

andyhhp commented 8 months ago
```
---------------- [ SCANNER ERROR ] ----------------
where: 0xffff82d0403301a0     started at: 0xffff82d040330170 
Cannot execute following jumpkind Ijk_SigSEGV
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 616, in run
    next_states = self.cur_state.step()
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
    return self.project.factory.successors(self, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
    return self.default_engine.process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
    return super().process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 15, in process_successors
    raise AngrExitError("Cannot execute following jumpkind %s" % jumpkind)
angr.errors.AngrExitError: Cannot execute following jumpkind Ijk_SigSEGV
```

File: `xen-syms.gz`. Args: `--address ffff82d040330170 --name x86emul_read_xcr --base 0xffff82d040200000`

The block is:

```
ffff82d040330170 <x86emul_read_xcr>:
ffff82d040330170:       f3 0f 1e fa             endbr64 
ffff82d040330174:       85 ff                   test   %edi,%edi
ffff82d040330176:       74 68                   je     ffff82d0403301e0 <x86emul_read_xcr+0x70>
ffff82d040330178:       83 ff 01                cmp    $0x1,%edi
ffff82d04033017b:       75 3b                   jne    ffff82d0403301b8 <x86emul_read_xcr+0x48>
ffff82d04033017d:       48 89 e0                mov    %rsp,%rax
ffff82d040330180:       48 0d ff 7f 00 00       or     $0x7fff,%rax
ffff82d040330186:       48 8b 40 c9             mov    -0x37(%rax),%rax
ffff82d04033018a:       48 8b 40 18             mov    0x18(%rax),%rax
ffff82d04033018e:       48 8b 80 90 08 00 00    mov    0x890(%rax),%rax
ffff82d040330195:       f6 80 a0 01 00 00 04    testb  $0x4,0x1a0(%rax)
ffff82d04033019c:       74 1a                   je     ffff82d0403301b8 <x86emul_read_xcr+0x48>
ffff82d04033019e:       89 f9                   mov    %edi,%ecx
ffff82d0403301a0:       0f 01 d0                xgetbv         // <--- here
ffff82d0403301a3:       48 c1 e2 20             shl    $0x20,%rdx
ffff82d0403301a7:       89 c0                   mov    %eax,%eax
ffff82d0403301a9:       48 09 c2                or     %rax,%rdx
ffff82d0403301ac:       31 c0                   xor    %eax,%eax
ffff82d0403301ae:       48 89 16                mov    %rdx,(%rsi)
ffff82d0403301b1:       c3                      retq   
ffff82d0403301b2:       66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
ffff82d0403301b8:       b8 0d 00 00 00          mov    $0xd,%eax
ffff82d0403301bd:       c6 42 3a 03             movb   $0x3,0x3a(%rdx)
ffff82d0403301c1:       66 89 42 38             mov    %ax,0x38(%rdx)
ffff82d0403301c5:       b8 02 00 00 00          mov    $0x2,%eax
ffff82d0403301ca:       c7 42 3c 00 00 00 00    movl   $0x0,0x3c(%rdx)
ffff82d0403301d1:       c6 42 31 01             movb   $0x1,0x31(%rdx)
ffff82d0403301d5:       c3                      retq   
ffff82d0403301d6:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
ffff82d0403301dd:       00 00 00 
ffff82d0403301e0:       48 89 e0                mov    %rsp,%rax
ffff82d0403301e3:       48 0d ff 7f 00 00       or     $0x7fff,%rax
ffff82d0403301e9:       48 8b 40 c9             mov    -0x37(%rax),%rax
ffff82d0403301ed:       48 8b 80 38 0b 00 00    mov    0xb38(%rax),%rax
ffff82d0403301f4:       48 89 06                mov    %rax,(%rsi)
ffff82d0403301f7:       31 c0                   xor    %eax,%eax
ffff82d0403301f9:       c3                      retq   
```

with the `where` referencing the `xgetbv` instruction. I can only assume this is an Angr issue, but I have no clue what Ijk_SigSEGV might be in terms of a jump type.