wmkhoo / taintgrind

A taint-tracking plugin for the Valgrind memory checking tool
GNU General Public License v2.0
247 stars 42 forks

crash in experimental feature: tnt_main.c:3102 (vgTaintgrind_h64_put_t): Assertion 'reg < RI_MAX' failed. #15

Closed vanhauser-thc closed 6 years ago

vanhauser-thc commented 6 years ago

When using either the taint-stdin or taint-network option, taintgrind crashes for me:

valgrind --tool=taintgrind --taint-network=yes -- nc -lnvp 80
Taintgrind: tnt_main.c:3102 (vgTaintgrind_h64_put_t): Assertion 'reg < RI_MAX' failed.

This happens around 1 second after starting, before netcat has received any data.

This is on both valgrind 3.13 and 3.12.

wmkhoo commented 6 years ago

I wasn't able to reproduce this on my machine (Ubuntu x64). Could you run this debugging patch and paste the output here? Thanks

vanhauser-thc commented 6 years ago

Here is the full output:

/prg/tmp/valgrind-3.13.0/inst/bin # ./valgrind --tool=taintgrind --taint-network=yes -- nc -lnvp 80
==16327== Taintgrind, the taint analysis tool
==16327== Copyright (C) 2010-2014, and GNU GPL'd, by Wei Ming Khoo.
==16327== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16327== Command: nc -lnvp 80
==16327== 
check_reg: reg 864 >= 740

Taintgrind: tnt_main.c:2537 (check_reg): Assertion 'reg < RI_MAX' failed.

host stacktrace:
==16327==    at 0x5802FA8A: show_sched_status_wrk (m_libcassert.c:355)
==16327==    by 0x5802FBA4: report_and_quit (m_libcassert.c:426)
==16327==    by 0x5802FD29: vgPlain_assert_fail (m_libcassert.c:492)
==16327==    by 0x580001C2: check_reg.part.9 (tnt_main.c:2537)
==16327==    by 0x5800D176: vgTaintgrind_h64_put_t (tnt_main.c:3107)
==16327==    by 0x10055BACEF: ???
==16327==    by 0x100315AF2F: ???
==16327==    by 0x1C0F: ???
==16327==    by 0x100200E56F: ???
==16327==    by 0x100315AF17: ???
==16327==    by 0x100315AF2F: ???
==16327==    by 0x10C75: ???
==16327==    by 0x10055BA7F7: ???
==16327==    by 0x1688E: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 16327)
==16327==    at 0x109FCD: ??? (in /usr/local/bin/nc)
==16327==    by 0x10C79C: ??? (in /usr/local/bin/nc)
==16327==    by 0x4E50EBA: (below main) (libc-start.c:266)

By the way, when compiling I see these warnings; maybe it's connected:

tnt_main.c: In function 'vgTaintgrind_h64_puti':
tnt_main.c:3167:21: warning: right shift count >= width of type [-Wshift-count-overflow]
     UInt base = (tt1 >> 32) & 0xffffffff;
                      ^~
tnt_main.c:3170:19: warning: right shift count >= width of type [-Wshift-count-overflow]
     UInt ix = (tt2 >> 32) & 0xffffffff;
                    ^~
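What the -Wshift-count-overflow warning above means, as an added example (not taintgrind's code): in C, shifting a 32-bit value right by 32 is undefined behaviour, so `(tt1 >> 32)` can only extract a high half if `tt1` is a 64-bit type. The bounds check mirrors the `check_reg` message in the log; the values 864 and 740 are taken from that message, and `reg_in_range` is a hypothetical helper, not the tool's own function.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t UInt;
typedef uint64_t ULong;

/* Pack a base and an index into the high and low 32 bits of a 64-bit word. */
ULong pack_base_ix(UInt base, UInt ix) {
    return ((ULong)base << 32) | ix;
}

/* Correct unpacking: the operand is 64 bits wide, so a shift by 32 is defined. */
UInt unpack_base(ULong tt) { return (UInt)((tt >> 32) & 0xffffffff); }
UInt unpack_ix(ULong tt)   { return (UInt)(tt & 0xffffffff); }

/* The warned-about situation: if tt were declared as a 32-bit UInt, the high
   half would already be gone and (tt >> 32) would be undefined behaviour.
   To keep this program itself well-defined, the value is truncated to 32 bits
   first and the shift is applied to a widened copy; the result is always 0,
   never the intended base. */
UInt unpack_base_truncated(ULong tt) {
    UInt tt32 = (UInt)tt;                              /* high 32 bits lost */
    return (UInt)(((ULong)tt32 >> 32) & 0xffffffff);   /* always 0 */
}

/* Bounds check in the style of check_reg, returning a status instead of
   asserting so a caller can report the offending register offset. */
int reg_in_range(UInt reg, UInt ri_max) {
    if (reg >= ri_max) {
        fprintf(stderr, "check_reg: reg %u >= %u\n", reg, ri_max);
        return 0;
    }
    return 1;
}

int main(void) {
    ULong tt = pack_base_ix(864, 7);   /* constructed sample values */
    printf("base=%u ix=%u truncated_base=%u\n",
           unpack_base(tt), unpack_ix(tt), unpack_base_truncated(tt));
    printf("reg 864 in range (limit 740): %d\n", reg_in_range(864, 740));
    printf("reg 739 in range (limit 740): %d\n", reg_in_range(739, 740));
    return 0;
}
```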

vanhauser-thc commented 6 years ago

That reminds me of this: https://gist.github.com/tkchia/7ba4f8fa3b5007bae48f193bd089d47e#file-taintgrind-ri-max-diff, which seems to try to take care of the same issue.

wmkhoo commented 6 years ago

The patch by @tkchia should work. @tkchia, do you want to send me a pull request, so I can credit you for the patch?

vanhauser-thc commented 6 years ago

As it is fixed now, I am closing the issue. Thanks!