vusec / inspectre-gadget

InSpectre Gadget: in-depth inspection and exploitability analysis of Spectre disclosure gadgets
https://vusec.github.io/inspectre-gadget/
Apache License 2.0

Unsupported dirty helper amd64g_dirtyhelper_IRETQ #9

Closed andyhhp closed 8 months ago

andyhhp commented 8 months ago

Found another

---------------- [ SCANNER ERROR ] ----------------
in basic block: 0xffff82d040202023     started at:0xffff82d040202023
Unsupported dirty helper amd64g_dirtyhelper_IRETQ
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 321, in _perform_vex_stmt_Dirty_call
    func = getattr(dirty, func_name)
AttributeError: module 'angr.engines.vex.heavy.dirty' has no attribute 'amd64g_dirtyhelper_IRETQ'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 567, in run
    next_states = self.cur_state.step()
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
    return self.project.factory.successors(self, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
    return self.default_engine.process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
    return super().process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 24, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/syscall.py", line 26, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/hook.py", line 56, in process_successors
    return super().process_successors(successors, procedure=procedure, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/unicorn.py", line 389, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/soot/engine.py", line 68, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 174, in process_successors
    self.handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/super_fastpath.py", line 25, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 26, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 31, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 49, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 548, in handle_vex_block
    self._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 30, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 44, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/resilience.py", line 39, in inner
    return getattr(super(VEXResilienceMixin, self), func)(*iargs, **ikwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 245, in _handle_vex_stmt
    super()._handle_vex_stmt(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 52, in _handle_vex_stmt
    handler(stmt)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 237, in _handle_vex_stmt_Dirty
    return self._perform_vex_stmt_Dirty(
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 248, in _perform_vex_stmt_Dirty
    retval = self._perform_vex_stmt_Dirty_call(func_name, ty, args)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 77, in _perform_vex_stmt_Dirty_call
    result = super()._perform_vex_stmt_Dirty_call(func_name, ty, exprs, func=None)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 19, in _perform_vex_stmt_Dirty_call
    retval = super()._perform_vex_stmt_Dirty_call(func_name, ty, args, func=func)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/resilience.py", line 39, in inner
    return getattr(super(VEXResilienceMixin, self), func)(*iargs, **ikwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 323, in _perform_vex_stmt_Dirty_call
    raise errors.UnsupportedDirtyError(f"Unsupported dirty helper {func_name}") from e
angr.errors.UnsupportedDirtyError: Unsupported dirty helper amd64g_dirtyhelper_IRETQ

The basic block is very simple here:

ffff82d040202023 <entry_nop>:
ffff82d040202023:       f3 0f 1e fa             endbr64 
ffff82d040202027:       48 cf                   iretq

Files: xen-syms.gz addr-list-all.csv

SanWieb commented 8 months ago

Thanks!

I think we can simply suppress this error, right? After iretq we have to stop the symbolic execution anyway.

andyhhp commented 8 months ago

IRETQ is architecturally serialising, and a huge pile of microcode. It's fine to terminate the symbolic execution path here, if that is really what the error is getting at.

SanWieb commented 8 months ago

Fixed by https://github.com/vusec/inspectre-gadget/commit/b8bcbe4d88dfb03b6990ee47e3f8e016e828dd69
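The handling the thread converges on, written out as an added example (this is not InSpectre Gadget's code and not what the linked commit does; it only assumes the angr exception shown in the traceback): the scanner's step loop catches `angr.errors.UnsupportedDirtyError`, checks which dirty helper angr complained about, and ends the path only for helpers whose instruction architecturally terminates it (here just `amd64g_dirtyhelper_IRETQ`, the one from this issue). Any other unsupported helper is re-raised, so blanket suppression does not hide a real coverage gap. `FakeState`, `fake_step` and the `amd64g_dirtyhelper_EXAMPLE` name are constructed stand-ins so the code runs without angr or the Xen binary.

```python
"""Added example: treat angr's UnsupportedDirtyError for IRETQ as a path
terminator in a scanner step loop, while still surfacing other helpers.
Not InSpectre Gadget's own code."""
import re

try:
    # The real exception class angr raises (see the traceback in the issue).
    from angr.errors import UnsupportedDirtyError
except ImportError:  # stand-in so the example runs without angr installed
    class UnsupportedDirtyError(Exception):
        """Stand-in for angr.errors.UnsupportedDirtyError."""

# Helpers whose instruction ends the speculative path we care about.
# Only IRETQ is taken from the issue; extend deliberately, not wholesale.
PATH_TERMINATING_HELPERS = {"amd64g_dirtyhelper_IRETQ"}

# angr's message format: "Unsupported dirty helper <name>"
_HELPER_RE = re.compile(r"Unsupported dirty helper (\w+)")


def dirty_helper_name(exc):
    """Return the helper name from an UnsupportedDirtyError message, or None."""
    m = _HELPER_RE.search(str(exc))
    return m.group(1) if m else None


def step_with_terminators(state, step):
    """Step `state` once via `step(state)` (with angr: lambda s: s.step()).

    Returns the successor states; [] when the block ended in a
    path-terminating helper such as IRETQ; re-raises for every other
    unsupported helper so real gaps in VEX/angr support stay visible.
    """
    try:
        return step(state)
    except UnsupportedDirtyError as e:
        if dirty_helper_name(e) in PATH_TERMINATING_HELPERS:
            return []  # path legitimately ends here, nothing more to explore
        raise


# ---- constructed stand-ins for angr state/stepping (demo only) ----
class FakeState:
    def __init__(self, addr, helper=None):
        self.addr = addr
        self.helper = helper  # dirty helper this block would hit, if any


def fake_step(state):
    """Mimic SimState.step(): raise angr's error text if the block contains
    an unsupported dirty call, otherwise fall through to the next block."""
    if state.helper:
        raise UnsupportedDirtyError(f"Unsupported dirty helper {state.helper}")
    return [FakeState(state.addr + 4)]


def is_swallowed(helper, step=fake_step):
    """True if a block raising for `helper` is terminated quietly,
    False if the error is propagated to the caller."""
    try:
        step_with_terminators(FakeState(0, helper), step)
        return True
    except UnsupportedDirtyError:
        return False


if __name__ == "__main__":
    # The block from the issue: endbr64; iretq at 0xffff82d040202023
    iret = FakeState(0xffff82d040202023, "amd64g_dirtyhelper_IRETQ")
    print("iretq successors:", step_with_terminators(iret, fake_step))
    print("other helper propagated:",
          not is_swallowed("amd64g_dirtyhelper_EXAMPLE"))
```

The point of keeping the allow-list explicit is that `UnsupportedDirtyError` is angr's way of saying the IR for that instruction was not modelled; for `iretq` that is harmless because the path should stop there anyway, but for any other helper a silently dropped state would mean a silently unscanned gadget.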