search

vusec / inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
https://vusec.github.io/inspectre-gadget/
Apache License 2.0
37 stars 3 forks source link

operation Iop_And8 received too large an argument #6

Closed andyhhp closed 8 months ago

andyhhp commented 8 months ago

When trying this scanner on Xen, I've got the 38 instances of the following:

---------------- [ SCANNER ERROR ] ----------------
where: 0xffff82d04020192e     started at:0xffff82d040201820
operation Iop_And8 received too large an argument
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 567, in run
    next_states = self.cur_state.step()
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
    return self.project.factory.successors(self, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
    return self.default_engine.process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
    return super().process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 24, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/syscall.py", line 26, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/hook.py", line 56, in process_successors
    return super().process_successors(successors, procedure=procedure, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/unicorn.py", line 389, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/soot/engine.py", line 68, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 174, in process_successors
    self.handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/super_fastpath.py", line 25, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 26, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 31, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 49, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 548, in handle_vex_block
    self._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 30, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 44, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/resilience.py", line 39, in inner
    return getattr(super(VEXResilienceMixin, self), func)(*iargs, **ikwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 245, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 52, in _handle_vex_stmt
    handler(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 203, in _handle_vex_stmt_WrTmp
    self._perform_vex_stmt_WrTmp(stmt.tmp, self._analyze_vex_stmt_WrTmp_data(stmt.data))
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 200, in _analyze_vex_stmt_WrTmp_data
    return self._handle_vex_expr(*a, **kw)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 35, in _handle_vex_expr
    return super()._handle_vex_expr(expr)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 56, in _handle_vex_expr
    result = handler(expr)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 119, in _handle_vex_expr_Binop
    return self._handle_vex_expr_Op(expr)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 128, in _handle_vex_expr_Op
    return self._perform_vex_expr_Op(expr.op, [self._handle_vex_expr(arg) for arg in expr.args])
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 50, in _perform_vex_expr_Op
    result = super()._perform_vex_expr_Op(op, exprs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/resilience.py", line 39, in inner
    return getattr(super(VEXResilienceMixin, self), func)(*iargs, **ikwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/claripy/datalayer.py", line 125, in _perform_vex_expr_Op
    return simop.calculate(*args)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/claripy/irop.py", line 430, in calculate
    return self.extend_size(self._calculate(args))
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/claripy/irop.py", line 483, in _op_mapped
    raise SimOperationError("operation %s received too large an argument" % self.name)
angr.errors.SimOperationError: operation Iop_And8 received too large an argument

The start and operation addresses are from:

ffff82d040201820 <common_interrupt>:  // <--- start
ffff82d040201820:       0f 1f 00                nopl   (%rax)
ffff82d040201823:       48 83 c4 88             add    $0xffffffffffffff88,%rsp
ffff82d040201827:       fc                      cld    
ffff82d040201828:       48 89 7c 24 70          mov    %rdi,0x70(%rsp)
ffff82d04020182d:       31 ff                   xor    %edi,%edi
ffff82d04020182f:       48 89 74 24 68          mov    %rsi,0x68(%rsp)
ffff82d040201834:       31 f6                   xor    %esi,%esi
ffff82d040201836:       48 89 54 24 60          mov    %rdx,0x60(%rsp)
ffff82d04020183b:       31 d2                   xor    %edx,%edx
ffff82d04020183d:       48 89 4c 24 58          mov    %rcx,0x58(%rsp)
ffff82d040201842:       31 c9                   xor    %ecx,%ecx
ffff82d040201844:       48 89 44 24 50          mov    %rax,0x50(%rsp)
ffff82d040201849:       31 c0                   xor    %eax,%eax
ffff82d04020184b:       4c 89 44 24 48          mov    %r8,0x48(%rsp)
ffff82d040201850:       4c 89 4c 24 40          mov    %r9,0x40(%rsp)
ffff82d040201855:       4c 89 54 24 38          mov    %r10,0x38(%rsp)
ffff82d04020185a:       4c 89 5c 24 30          mov    %r11,0x30(%rsp)
ffff82d04020185f:       45 31 c0                xor    %r8d,%r8d
ffff82d040201862:       45 31 c9                xor    %r9d,%r9d
ffff82d040201865:       45 31 d2                xor    %r10d,%r10d
ffff82d040201868:       45 31 db                xor    %r11d,%r11d
ffff82d04020186b:       48 89 5c 24 28          mov    %rbx,0x28(%rsp)
ffff82d040201870:       31 db                   xor    %ebx,%ebx
ffff82d040201872:       48 89 6c 24 20          mov    %rbp,0x20(%rsp)
ffff82d040201877:       48 8d 6c 24 20          lea    0x20(%rsp),%rbp
ffff82d04020187c:       48 f7 d5                not    %rbp
ffff82d04020187f:       4c 89 64 24 18          mov    %r12,0x18(%rsp)
ffff82d040201884:       4c 89 6c 24 10          mov    %r13,0x10(%rsp)
ffff82d040201889:       4c 89 74 24 08          mov    %r14,0x8(%rsp)
ffff82d04020188e:       4c 89 3c 24             mov    %r15,(%rsp)
ffff82d040201892:       45 31 e4                xor    %r12d,%r12d
ffff82d040201895:       45 31 ed                xor    %r13d,%r13d
ffff82d040201898:       45 31 f6                xor    %r14d,%r14d
ffff82d04020189b:       45 31 ff                xor    %r15d,%r15d
ffff82d04020189e:       49 c7 c6 ff 7f 00 00    mov    $0x7fff,%r14
ffff82d0402018a5:       49 09 e6                or     %rsp,%r14
ffff82d0402018a8:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018af:       00 00 
ffff82d0402018b1:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018b8:       00 00 
ffff82d0402018ba:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018c1:       00 00 
ffff82d0402018c3:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
ffff82d0402018ca:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018d1:       00 00 
ffff82d0402018d3:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018da:       00 00 
ffff82d0402018dc:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018e3:       00 00 
ffff82d0402018e5:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018ec:       00 00 
ffff82d0402018ee:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d0402018f5:       00 00 
ffff82d0402018f7:       66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
ffff82d0402018fd:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d040201904:       00 00 
ffff82d040201906:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d04020190d:       00 00 
ffff82d04020190f:       66 0f 1f 84 00 00 00    nopw   0x0(%rax,%rax,1)
ffff82d040201916:       00 00 
ffff82d040201918:       66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
ffff82d04020191e:       49 8b 4e e1             mov    -0x1f(%r14),%rcx
ffff82d040201922:       41 8a 5e f9             mov    -0x7(%r14),%bl
ffff82d040201926:       49 89 cf                mov    %rcx,%r15
ffff82d040201929:       48 85 c9                test   %rcx,%rcx
ffff82d04020192c:       74 1c                   je     ffff82d04020194a <common_interrupt+0x12a>
ffff82d04020192e:       41 c6 46 f9 00          movb   $0x0,-0x7(%r14)   // <--- operation
ffff82d040201933:       0f 22 d9                mov    %rcx,%cr3
ffff82d040201936:       4d 89 66 e1             mov    %r12,-0x1f(%r14)
ffff82d04020193a:       f6 84 24 88 00 00 00    testb  $0x3,0x88(%rsp)
ffff82d040201941:       03 
ffff82d040201942:       4d 0f 45 fc             cmovne %r12,%r15
ffff82d040201946:       41 0f 45 dc             cmovne %r12d,%ebx
ffff82d04020194a:       0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
ffff82d04020194f:       48 89 e7                mov    %rsp,%rdi

Singled out, that's:

ffff82d04020192e:       41 c6 46 f9 00          movb   $0x0,-0x7(%r14)   // <--- operation

so I'm confused as to why angr thinks it is an Iop_And8 instruction.

Here are all the files to reproduce: xen-syms.gz addr-list.csv

xen-syms is the the finally linked object with all debugging symbols before we package it up to be bootable. One thing that angr asked for was passing --base 0xffff82d040200000 which it couldn't seem to extract from the ELF headers. Everything else is per the default docs.

SanWieb commented 8 months ago

Hi Andrew,

Thanks for opening the issue and the files to reproduce it, which helped a lot in debugging the issue.

Although the debug trace outputs where: 0xffff82d04020192e, the instruction that triggered the bug is at 0xffff82d04020193a. We output the basic block address because Angr processes (steps) with one block at a time, so we only know at which block the error occurred. I will add extra info to the output to make it clear that is the error occurred somewhere in the basic block.

The instruction that triggers the bug is as follows, so that also explain why it consists of a Iop_And8 instruction:

ffff82d04020193a: f6 84 24 88 00 00 00 testb $0x3,0x88(%rsp)

It is actually a bug in our tool. There was a off-by-one error in our memory model which resulted in a too large size for one operand. I will push a fix.

Thanks again!