Open mcgrady1 opened 7 years ago
Hi, please note that libdft does not have full support for all x86 instructions, including SSE, thus it does not handle instructions involving xmm registers. To my understanding, XADD does not have src as mem.
Hi,
(1) I know, but some programs will use SSE, which will influence the taint and fuzzing results.
(2) You are right, so the xadd_m2r_xxx function may be wrong; can you check the source code?
Hi,
Regarding your second point, the xadd_m2r_xxx analysis is specific to instructions which have a memory operand as destination; the naming convention is such that the first m specifies the destination operand type and the second r specifies the src operand type.
https://github.com/vusec/vuzzer/blob/master/support/libdft/src/libdft_core.c#L7114. Please check here that we call that analysis routine when the first operand (destination operand) is memory.
source code:

```c
/* quoted from libdft_core.c: taint propagation for xadd, as posted in this issue */
tag_t dst_tag = thread_ctx->vcpu.gpr[dst][1];      /* tag of register byte dst */
tag_t src_tag = tag_dir_getb(tag_dir, src);        /* tag of memory byte at src */
thread_ctx->vcpu.gpr[dst][1] = tag_combine(dst_tag, src_tag); /* register gets the union */
tag_dir_setb(tag_dir, src, dst_tag);               /* memory gets the register's old tag */
```

xadd instruction: Temporary = Source + Destination; Source = Destination; Destination = Temporary;
I don't think this code is correct.
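As an added illustration of the propagation rule the ISA semantics above imply (this is not code from libdft or VUzzer; the context struct, tag type and function names are assumptions of a toy model), here is a minimal per-byte taint model for XADD in both operand forms. The destination ends up with the union of both operands' tags and the source register receives the destination's old tags, and both tags are snapshotted before either is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy taint model (constructed for this example, not libdft's data
 * structures): one tag byte per data byte, each bit a taint label. */
typedef uint8_t tag_t;
#define NGPR      8
#define REG_BYTES 4
#define MEM_TAGS  4096          /* covers addresses 0 .. MEM_TAGS-1 */

typedef struct {
    tag_t gpr[NGPR][REG_BYTES]; /* per-byte tags of the 32-bit GPRs */
    tag_t mem[MEM_TAGS];        /* per-byte tags of memory */
} taint_ctx_t;

void taint_ctx_init(taint_ctx_t *c) { memset(c, 0, sizeof *c); }

/* Union of two tag sets. */
tag_t tag_combine(tag_t a, tag_t b) { return a | b; }

/* XADD dst, src   (src is always a register; dst is a register or memory)
 *   tmp = src + dst;  src = dst;  dst = tmp
 * Taint follows the data flow: dst ends up with combine(dst, src) and the
 * source register receives the destination's OLD tags.  Both tags are read
 * before either is written; writing dst first and then copying it into src
 * would wrongly give src the combined tags. */
void xadd_taint_reg_dst(taint_ctx_t *c, int dst, int src)
{
    for (int i = 0; i < REG_BYTES; i++) {
        tag_t d = c->gpr[dst][i];
        tag_t s = c->gpr[src][i];
        c->gpr[dst][i] = tag_combine(d, s);
        c->gpr[src][i] = d;
    }
}

/* Memory-destination form; returns 0 on success, -1 if the address is
 * outside the toy tag directory. */
int xadd_taint_mem_dst(taint_ctx_t *c, uintptr_t dst_addr, int src)
{
    if (dst_addr > (uintptr_t)(MEM_TAGS - REG_BYTES))
        return -1;
    for (int i = 0; i < REG_BYTES; i++) {
        tag_t d = c->mem[dst_addr + i];
        tag_t s = c->gpr[src][i];
        c->mem[dst_addr + i] = tag_combine(d, s);
        c->gpr[src][i] = d;
    }
    return 0;
}

/* Worked scenario (constructed): memory at 0x100 carries label 1, register 1
 * carries label 2; after XADD [0x100], reg1 the memory should carry 1|2 and
 * reg1 only label 1.  Returns 1 if the model propagates as expected. */
int demo_mem_dst(void)
{
    taint_ctx_t c;
    taint_ctx_init(&c);
    for (int i = 0; i < REG_BYTES; i++) {
        c.mem[0x100 + i] = 0x1;
        c.gpr[1][i] = 0x2;
    }
    if (xadd_taint_mem_dst(&c, 0x100, 1) != 0)
        return 0;
    for (int i = 0; i < REG_BYTES; i++)
        if (c.mem[0x100 + i] != 0x3 || c.gpr[1][i] != 0x1)
            return 0;
    return 1;
}

int main(void)
{
    printf("mem-destination XADD propagation %s\n",
           demo_mem_dst() ? "matches ISA semantics" : "WRONG");
    return 0;
}
```

The point to check in any real implementation is which operand the `dst`/`src` variables actually denote in the memory-destination handler: if the register tag is treated as the destination and the memory tag as the source, the union lands in the wrong place and the register loses taint it should have kept.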
Hi, I'm deploying vuzzer on exactly the same platform as suggested. While changing flags, I found out makefile.libdft is present in the vuzzer/support directory, not under vuzzer/support/libdft.
Also, I think a "#" is missing (the 4th flag) in makefile.libdft; did something go wrong while generating it? Thanks for your reply!
Hi,
You need to run the command `make support-libdft` from the top folder.
Hi, (1) Some types of instruction, for example movdqu, which would influence the taint analysis result, are ignored by libdft, so how can you get the right taint result? (2) For the XADD instruction, could the source operand be a memory operand? (xadd_m2r) Thanks for your reply!