Closed andyhhp closed 8 months ago
Hi Andrew,
Thanks for opening the issue and the files to reproduce it, which helped a lot in debugging the issue.
Although the debug trace outputs where: 0xffff82d04020192e
, the instruction that triggered the bug is at 0xffff82d04020193a
. We output the basic block address because Angr processes (steps) with one block at a time, so we only know at which block the error occurred. I will add extra info to the output to make it clear that is the error occurred somewhere in the basic block.
The instruction that triggers the bug is as follows, so that also explain why it consists of a Iop_And8
instruction:
ffff82d04020193a: f6 84 24 88 00 00 00 testb $0x3,0x88(%rsp)
It is actually a bug in our tool. There was a off-by-one error in our memory model which resulted in a too large size for one operand. I will push a fix.
Thanks again!
When trying this scanner on Xen, I've got the 38 instances of the following:
The start and operation addresses are from:
Singled out, that's:
so I'm confused as to why angr thinks it is an
Iop_And8
instruction.Here are all the files to reproduce: xen-syms.gz addr-list.csv
xen-syms is the the finally linked object with all debugging symbols before we package it up to be bootable. One thing that
angr
asked for was passing--base 0xffff82d040200000
which it couldn't seem to extract from the ELF headers. Everything else is per the default docs.