vusec / vuzzer64

This implements a 64-bit version of the vusec/vuzzer fuzzing tool.
Apache License 2.0

libdft64 is following taint not correctly #6

Open vanhauser-thc opened 5 years ago

vanhauser-thc commented 5 years ago

I compiled libdft with pin-3.7 and EWAHBoolArray-0.4.0.

As the command line options to watch file descriptors etc. have been removed, I added just this to the code:

diff --git a/libdft64/syscall_desc.cpp b/libdft64/syscall_desc.cpp
index 22bcc7f..16949b5 100644
--- a/libdft64/syscall_desc.cpp
+++ b/libdft64/syscall_desc.cpp
@@ -951,12 +951,12 @@ post_open_hook(THREADID tid, syscall_ctx_t *ctx)
        LOG("In open\n");
        const std::string fdn = fdname(fd);

-       if( !in_dtracker_whitelist(fdn) && !path_isdir(fdn)){
+       if(fdn.find("/tmp/", 0) == 0 || ( !in_dtracker_whitelist(fdn) && !path_isdir(fdn))){
                fdset.insert(fd);
                flag = 1;
                LOG("Inserted " + fdn + " " + decstr(fd) + ".\n");
        }else{
-               LOG("Info ignoring fd " + decstr(fd) + "\n");
+               LOG("Info ignoring fd " + decstr(fd) + " " + fdn + "\n");
        }
 }
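Review bot: the new `fdn.find("/tmp/", 0) == 0` clause short-circuits both the whitelist and the `path_isdir` check, so any path under /tmp/ lands in `fdset`, including directories and temporary files the target creates itself; that is fine as a debugging hook but should not stay hard-coded, and a prefix test reads more clearly as `fdn.compare(0, 5, "/tmp/") == 0` (or `fdn.rfind("/tmp/", 0) == 0`), which stops after the prefix instead of scanning the whole string. Adding `fdn` to the "Info ignoring fd" line is a welcome change, since the path is exactly what a reader of the log needs to judge the whitelist decision.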

Some output excerpts of "pin -follow_execv -t ./obj-intel64/libdft-dta.so -- unrar x /tmp/test.rar":

It taints stuff it should not:

 In open
 in_dtracker_whitelist /lib/x86_64-linux-gnu/libm-2.28.so
 Info ignoring fd 3 /lib/x86_64-linux-gnu/libm-2.28.so
 Setting taint 3 832 bytes

It specifically says "ignoring fd" but is still setting taint. This happens all over the place.

However, it also taints correctly:

 In open
 Inserted /tmp/test.rar 3.
 Setting taint 3 7 bytes
 Setting taint 3 7 bytes
 Setting taint 3 6 bytes
 Setting taint 3 7 bytes
 Setting taint 3 35 bytes

This looks good.

But then it never follows the taint:

 In open
 in_dtracker_whitelist /prg/tmp/vuzzer64/libdft64/test.txt
 Info ignoring fd 4 /prg/tmp/vuzzer64/libdft64/test.txt
 In mmap -1 0 bytes
 Setting taint 3 14 bytes
 close 4
 Setting taint 3 7 bytes
 close 3
(end of pintool.log)

That fd 4 should have had tainted bytes written to it is not reported.

The same happens if "md5sum /tmp/test.rar" is run; it should show tainted writes to stdout.
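The mismatch reported above ("Info ignoring fd 3" immediately followed by "Setting taint 3 832 bytes") is something a log consistency check can surface mechanically. The following script is an added example and is not part of this issue or of libdft64: it replays pintool.log lines, tracks which fds the tool said it inserted, ignored or closed, and flags every "Setting taint" event on an fd that is not currently tracked. The line formats are taken from the excerpts quoted in the report; the sample log is constructed from those excerpts, and the `Finding`/`TaintAudit` names are this example's own.

```python
"""Consistency check over libdft64 pintool.log output (added example).

Flags every "Setting taint <fd> <n> bytes" line whose fd was not
previously reported as "Inserted" (or was ignored / already closed).
This checks the log against itself; it does not inspect the taint engine.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the three excerpts quoted in the report, in order.
SAMPLE_LOG = """\
In open
in_dtracker_whitelist /lib/x86_64-linux-gnu/libm-2.28.so
Info ignoring fd 3 /lib/x86_64-linux-gnu/libm-2.28.so
Setting taint 3 832 bytes
In open
Inserted /tmp/test.rar 3.
Setting taint 3 7 bytes
Setting taint 3 35 bytes
In open
in_dtracker_whitelist /prg/tmp/vuzzer64/libdft64/test.txt
Info ignoring fd 4 /prg/tmp/vuzzer64/libdft64/test.txt
In mmap -1 0 bytes
Setting taint 3 14 bytes
close 4
Setting taint 3 7 bytes
close 3
"""

# Line shapes as they appear in the quoted log excerpts.
INSERTED = re.compile(r"^Inserted (?P<path>\S+) (?P<fd>\d+)\.$")
IGNORED = re.compile(r"^Info ignoring fd (?P<fd>\d+)(?: (?P<path>\S+))?$")
TAINT = re.compile(r"^Setting taint (?P<fd>\d+) (?P<n>\d+) bytes$")
CLOSE = re.compile(r"^close (?P<fd>\d+)$")


@dataclass
class Finding:
    line_no: int
    fd: int
    nbytes: int
    reason: str


@dataclass
class TaintAudit:
    tracked: dict = field(default_factory=dict)        # fd -> path in fdset
    ignored: dict = field(default_factory=dict)        # fd -> path the tool declined
    tainted_bytes: dict = field(default_factory=dict)  # fd -> bytes tainted while tracked
    findings: list = field(default_factory=list)

    def feed(self, line_no: int, line: str) -> None:
        line = line.strip()
        if m := INSERTED.match(line):
            fd = int(m["fd"])
            # fd numbers are reused after close; a new Inserted supersedes an old ignore.
            self.tracked[fd] = m["path"]
            self.ignored.pop(fd, None)
        elif m := IGNORED.match(line):
            fd = int(m["fd"])
            self.ignored[fd] = m["path"] or "?"
            self.tracked.pop(fd, None)
        elif m := CLOSE.match(line):
            fd = int(m["fd"])
            self.tracked.pop(fd, None)
            self.ignored.pop(fd, None)
        elif m := TAINT.match(line):
            fd, n = int(m["fd"]), int(m["n"])
            if fd in self.tracked:
                self.tainted_bytes[fd] = self.tainted_bytes.get(fd, 0) + n
            elif fd in self.ignored:
                self.findings.append(
                    Finding(line_no, fd, n, f"taint on ignored fd ({self.ignored[fd]})"))
            else:
                self.findings.append(
                    Finding(line_no, fd, n, "taint on fd never inserted"))


def audit(log_text: str) -> TaintAudit:
    """Replay a pintool.log and return the audit state with its findings."""
    a = TaintAudit()
    for i, line in enumerate(log_text.splitlines(), 1):
        a.feed(i, line)
    return a


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for f in result.findings:
        print(f"line {f.line_no}: fd {f.fd}, {f.nbytes} bytes: {f.reason}")
    print("bytes tainted on tracked fds:", result.tainted_bytes)
```

On the sample the only finding is the 832-byte taint on fd 3 while libm was the ignored file; the 63 bytes tainted after /tmp/test.rar was inserted are accepted. Run it against a full pintool.log to see whether spurious "Setting taint" lines are limited to ignored descriptors or also appear for fds the log never mentions at all, which would point at a different cause than a misplaced log statement.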

vanhauser-thc commented 5 years ago

The tainting of read on wrong fds is because the log entry is wrong; this corrects it:

diff --git a/libdft64/syscall_desc.cpp b/libdft64/syscall_desc.cpp
index 22bcc7f..616fcc0 100644
--- a/libdft64/syscall_desc.cpp
+++ b/libdft64/syscall_desc.cpp
@@ -900,7 +900,6 @@ post_read_hook(THREADID tid, syscall_ctx_t *ctx)
        nbytes = (uint32_t)ctx->ret;

        int fd = ctx->arg[SYSCALL_ARG0];
-       LOG("Setting taint " + decstr(fd) + "\n");
        /*std::set<int>::iterator it;
        for(it=fdset.begin();it!=fdset.end();it++){
                LOG(decstr(*it) + "\n");
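Review bot: dropping the unconditional `LOG("Setting taint " + decstr(fd) + "\n")` is the right fix, since it fired before any test of whether `fd` is in `fdset` and so reported "Setting taint" for descriptors the tool had just declared ignored; while in this function, the commented-out `std::set<int>::iterator` loop directly below it is dead code and could be deleted in the same change.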
@@ -915,6 +914,7 @@ post_read_hook(THREADID tid, syscall_ctx_t *ctx)
                }else{
                        read_
                }*/
+               LOG("Setting taint " + decstr(fd) + " " + decstr(nbytes) + " bytes\n");
                read_offset_start = lseek(fd, 0, SEEK_CUR);
                if(unlikely(read_offset_start < 0)){
                        LOG("Error on lseeking " + decstr(fd) + "\n");
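Review bot: the re-added `LOG("Setting taint " + decstr(fd) + " " + decstr(nbytes) + " bytes\n")` sits before `lseek(fd, 0, SEEK_CUR)` and its `read_offset_start < 0` error branch, so a failed lseek still emits a "Setting taint N bytes" line although no taint is applied; move the log after that check (or next to the call that actually marks the bytes) so the log again reflects only taint that was set. Also, `nbytes` is `(uint32_t)ctx->ret`, so if this path is reachable with a negative `ret` the logged byte count would be a wrapped value; worth confirming that a `ctx->ret <= 0` guard precedes this block.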
RKX1209 commented 5 years ago

@vanhauser-thc So is it working fine now with this patch? I mean, is the wrong log entry the only problem?