wmkhoo / taintgrind

A taint-tracking plugin for the Valgrind memory checking tool
GNU General Public License v2.0
247 stars, 42 forks

--909-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2 #21

Closed vanhauser-thc closed 6 years ago

vanhauser-thc commented 6 years ago

I am experimenting with taintgrind on ARM and it produces tons of lines warning of unhandled DW_OP_0xf2

and in the end it crashes:

0x4009A0D: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | r52_786 <- t230_44
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t232_21 <- t227_143
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | STle(
vex: the `impossible' happened:
   ppIRExpr
vex storage: T total 83361088 bytes allocated
vex storage: P total 0 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==1017==    at 0x58025AAC: show_sched_status_wrk (m_libcassert.c:355)
==1017==    by 0x58025C0B: report_and_quit (m_libcassert.c:426)
==1017==    by 0x58025DCF: vgPlain_core_panic_at (m_libcassert.c:502)
==1017==    by 0x58025DEB: vgPlain_core_panic (m_libcassert.c:512)
==1017==    by 0x580448A7: failure_exit (m_translate.c:740)
==1017==    by 0x58104103: vpanic (main_util.c:231)
==1017==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==1017==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
[repeated like 50 times]
==1017==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 1017)
==1017==    at 0x4009A12: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so)
==1017==    by 0xFFFFFFFF: ???

the command is: valgrind --tool=taintgrind --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar

wmkhoo commented 6 years ago

It looks like an unexpected vex expression was encountered.

Could you run this command: valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "0x4009A13: "

I'm interested to know the vex instructions at the offending address.

vanhauser-thc commented 6 years ago

here you go!

# valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "0x4009A13: "
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t232_20 <- t227_142
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | STle(t82) = t230 | Store | 0x0 | --343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
--343-- warning: evaluate_Dwarf3_Expr: unhandled DW_OP_ 0xf2
7de8a5cc_unknownobj <- t230_43
0x4009A17: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t235_26 <- t226_139
0x4009A17: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | if (t235) { PUT(0) = 0x400986B:I32; exit-Boring }  | IfGoto | 0x0 | t235_26
==== SB 864 (evchecks 7223) [tid 1] 0x4009a1b UNKNOWN_FUNCTION /lib/arm-linux-gnueabihf/ld-2.19.so+0x9a1b

------------------------ Front end ------------------------

        (thumb) 0x4009A1A:  str r3, [r7, #28]

              ------ IMark(0x4009A1A, 2, 1) ------
              t0 = 0x0:I32
              PUT(392) = t0
              t1 = 0x1:I32
              PUT(392) = t0
              if (CmpNE32(t1,0x0:I32)) { STle(Add32(GET:I32(36),0x1C:I32)) = GET:I32(20) }
--
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | t232_21 <- t227_143
0x4009A13: ??? (in /lib/arm-linux-gnueabihf/ld-2.19.so) | STle(
vex: the `impossible' happened:
   ppIRExpr
vex storage: T total 83361088 bytes allocated
vex storage: P total 0 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

host stacktrace:
==343==    at 0x58025AAC: show_sched_status_wrk (m_libcassert.c:355)
==343==    by 0x58025C0B: report_and_quit (m_libcassert.c:426)
==343==    by 0x58025DCF: vgPlain_core_panic_at (m_libcassert.c:502)
==343==    by 0x58025DEB: vgPlain_core_panic (m_libcassert.c:512)
==343==    by 0x580448A7: failure_exit (m_translate.c:740)
==343==    by 0x58104103: vpanic (main_util.c:231)
==343==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
==343==    by 0x581099A7: ppIRExpr (ir_defs.c:1394)
wmkhoo commented 6 years ago

Thanks, but I don't quite see the vex instructions from that address. Maybe this command instead: valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 --taint-all=yes --file-filter=/tmp/in/test.rar -- unrar -inul p /tmp/in/test.rar 2>&1 | grep -A 20 "IMark(0x4009A13,"

Thanks

vanhauser-thc commented 6 years ago

That grep found no match. I am attaching the full output in a gzip: taintgrind.debug.gz
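The debugging step asked for above (dump the VEX IR with `--trace-flags=10000000 --trace-notbelow=0`, then grep for the `IMark` of the faulting address) and the "no match" that followed are worth a small helper. The script below is an added example for this thread, not code from the taintgrind project or from either participant. It rests on one assumption drawn from the trace already posted: for Thumb code the tool reports the address with bit 0 set (`0x4009A13`, and the `SB 864` header shows `0x4009a1b`) while the `IMark` line carries the even address (`IMark(0x4009A1A, 2, 1)`), so grepping for the odd address finds nothing. The helper clears bit 0 before searching and prints the IR block up to the next `IMark` or superblock header. The sample log is constructed: the `0x4009A1A` block is copied from the trace in this thread, the `0x4009A12` block is made up to exercise the address handling and is not the real IR for that instruction.

```shell
#!/bin/sh
# Added example, not part of taintgrind. Extract the VEX front-end IR for one
# guest address from a log written with
#   valgrind --tool=taintgrind --trace-flags=10000000 --trace-notbelow=0 ...
# Assumption (see the lead-in): Thumb addresses are printed with bit 0 set,
# IMark lines carry the even address, so bit 0 is cleared before matching.

# Normalise an address to the form IMark uses: 0x-prefixed, upper-case hex
# digits, bit 0 cleared.  Accepts 0x4009A13, 4009a13, 0X4009a13.
norm_addr() {
    hex=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    printf '0x%X' "$(( 0x$hex & ~1 ))"
}

# Print the IR block that starts at IMark(<addr>,...).  The block ends at the
# next IMark, the next "==== SB" header or the next "Front end" separator.
# Returns 1 with a hint on stderr when the address does not occur in the log.
vex_ir_at() {
    log=$1
    want=$(norm_addr "$2")
    out=$(awk -v want="$want" '
        index($0, "IMark(" want ",") { inblock = 1; print; next }
        inblock && (index($0, "IMark(") || /^====/ || /^-+ Front end/) { exit }
        inblock { print }
    ' "$log")
    if [ -z "$out" ]; then
        echo "no IMark for $want (asked for $2) in $log; is --trace-notbelow=0 set?" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Number of IR statements following the IMark for an address, 0 if absent.
ir_stmt_count() {
    vex_ir_at "$1" "$2" 2>/dev/null | awk 'NR > 1 { n++ } END { print n + 0 }'
}

# Constructed sample log.  The 0x4009A1A block is the one shown in this
# thread; the 0x4009A12 block is invented to exercise the Thumb-bit handling.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
==== SB 863 (evchecks 7200) [tid 1] 0x4009a13 UNKNOWN_FUNCTION /lib/arm-linux-gnueabihf/ld-2.19.so+0x9a13

------------------------ Front end ------------------------

        (thumb) 0x4009A12:  <constructed instruction>

              ------ IMark(0x4009A12, 2, 1) ------
              t0 = 0x1:I32
              if (CmpNE32(t0,0x0:I32)) { STle(Add32(GET:I32(36),0x18:I32)) = GET:I32(16) }
==== SB 864 (evchecks 7223) [tid 1] 0x4009a1b UNKNOWN_FUNCTION /lib/arm-linux-gnueabihf/ld-2.19.so+0x9a1b

------------------------ Front end ------------------------

        (thumb) 0x4009A1A:  str r3, [r7, #28]

              ------ IMark(0x4009A1A, 2, 1) ------
              t0 = 0x0:I32
              PUT(392) = t0
              t1 = 0x1:I32
              PUT(392) = t0
              if (CmpNE32(t1,0x0:I32)) { STle(Add32(GET:I32(36),0x1C:I32)) = GET:I32(20) }
EOF

# Usage: the odd Thumb address from the crash line finds the even IMark.
vex_ir_at "$LOG" 0x4009A13
```

On a real run, replace the constructed log with the saved output of the `--trace-flags` command (redirect `2>&1` into a file first; the trace and the tool's own lines are interleaved on stderr, as the earlier paste shows) and pass the address exactly as taintgrind printed it.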

wmkhoo commented 6 years ago

Not sure if this solves the issue. Please try it and see.

vanhauser-thc commented 6 years ago

Still crashes; the full log is attached: taint.log.gz

vanhauser-thc commented 6 years ago

If you are interested, I can set up an ARM device for you to ssh in (in a security enclave, nothing else in it and no sensitive data on the device). Just send me a public ssh key.

wmkhoo commented 6 years ago

It's still crashing, isn't it... OK, I'll email you my key. Thanks for setting it up.

vanhauser-thc commented 6 years ago

With the last repository changes you did it does not crash anymore. On the other hand, it is still not terminating after 5 hours running... ;) but I think that is an issue in valgrind, not taintgrind...

Thanks for the fix, I will close the issue then.

vanhauser-thc commented 6 years ago

If you still want to play around on an ARM I can set this up tomorrow. My current test system is a USB armory, which is super slow; tomorrow I should have a Raspberry Pi 3 B+, which should be OK.

wmkhoo commented 6 years ago

That'll be a great help, thanks.