wmkhoo / taintgrind

A taint-tracking plugin for the Valgrind memory checking tool
GNU General Public License v2.0

Empty source of taint #28

Closed (vwvw closed this 5 years ago)

vwvw commented 5 years ago

When using Taintgrind with file tainting, some taint comes from nowhere:

```
0x4DB643C: __memchr_avx2 (memchr-avx2.S:61) | vpcmpeqb ymm1, ymm0, ymmword ptr [rdi] | Load | 0x0 |
0x4DB643C: __memchr_avx2 (memchr-avx2.S:61) | CmpEQ8x32 | 0x0 | t3_18158 <-
```

It seems that the instruction vpcmpeqb is considered a Load, but you don't have support for Loads with side effects. As taintgrind considers only two arguments instead of 3 in vpcmpeqb, it fails to propagate the taint further.
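The report above describes a compare whose third operand is read from memory and whose result ends up tainted with no recorded source. The following is an added illustration, not taintgrind's own code: a small byte-lane taint model in which the two propagation rules are written side by side. `two_operand_rule` builds the compare's source list from the two register operands only (the legacy two-operand shape of the instruction), so taint carried in via the loaded bytes is noticed but never attached to the result, which is the "tN <-" with nothing after it. `three_operand_rule` takes ymm0 and the 32 loaded bytes as the sources. Register names, the 32-lane model, the `file[0]` label and the `t3` temporary name are all assumptions made for the example; the record formatting only approximates the shape of the trailer shown in the report.

```python
"""Byte-lane taint model for a SIMD compare that reads one operand from memory.

Constructed for illustration; this is not taintgrind code.  A register's taint
is a list of 32 sets (one per byte lane), each set holding source labels.
"""

LANE_BYTES = 32  # a ymm register holds 32 byte lanes


def untainted():
    """Taint vector of one register with no tainted lanes."""
    return [set() for _ in range(LANE_BYTES)]


def load_taint(mem_taint, addr, nbytes=LANE_BYTES):
    """Per-byte taint of the nbytes at addr; bytes absent from mem_taint are clean."""
    return [set(mem_taint.get(addr + i, ())) for i in range(nbytes)]


def cmpeq8_lane_taint(src_a, src_b):
    """Lane-wise compare: result lane i depends on lane i of both sources."""
    return [a | b for a, b in zip(src_a, src_b)]


def two_operand_rule(regs, mem_taint, addr):
    """Model of the suspected defect.

    The instruction is split into a load (which does notice that the loaded
    bytes are tainted) and a compare whose source list is built from the two
    register operands only, as if the instruction were the legacy two-operand
    form.  The loaded bytes' labels therefore never reach the result.
    """
    loaded = load_taint(mem_taint, addr)
    tainted = any(loaded) or any(regs["ymm0"])
    sources = cmpeq8_lane_taint(regs["ymm0"], regs["ymm1"])
    return tainted, sources


def three_operand_rule(regs, mem_taint, addr):
    """Correct model: the compare's sources are ymm0 and the 32 loaded bytes."""
    loaded = load_taint(mem_taint, addr)
    sources = cmpeq8_lane_taint(regs["ymm0"], loaded)
    return any(sources), sources


def format_record(temp, tainted, sources):
    """Render 'tN <- deps' in the spirit of the trailer in the report.

    Constructed approximation of that output, not its exact grammar.
    """
    if not tainted:
        return "%s (untainted)" % temp
    deps = sorted(set().union(*sources))
    return "%s <- %s" % (temp, " ".join(deps)) if deps else "%s <-" % temp


def demo():
    """Taint only byte 0 of a buffer at 0x1000 (what --taint-start=0
    --taint-len=1 would do) and run both rules over the compare."""
    buf = 0x1000
    mem_taint = {buf: {"file[0]"}}          # constructed: one tainted input byte
    regs = {"ymm0": untainted(), "ymm1": untainted()}
    return {
        "two_operand": format_record("t3", *two_operand_rule(regs, mem_taint, buf)),
        "three_operand": format_record("t3", *three_operand_rule(regs, mem_taint, buf)),
    }


if __name__ == "__main__":
    for rule, record in demo().items():
        print("%-14s %s" % (rule, record))
```

Running the block prints one record per rule: the two-operand rule yields a tainted temporary with an empty dependency list, the three-operand rule names the loaded byte. Tainting a single byte, as suggested later in the thread, is what makes the difference visible lane by lane.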

wmkhoo commented 5 years ago

I wasn't quite able to generate the same instructions that you mentioned, but I found that taintgrind wasn't keeping track of tainted non-standard variables properly.

vwvw commented 5 years ago

Thanks for the quick reply! Here are the files I used. Running with:

```
../build/bin/valgrind --tool=taintgrind --file-filter=~/c.txt ~/test ~/c.txt
```

compressed.zip

Your fix gives me somewhat better results, but the taint value comes from a totally new memory location...

wmkhoo commented 5 years ago

I'm not sure what the program is doing, but it helps to add '--taint-start=0 --taint-len=1' to taint just one byte and see if it makes sense.

wmkhoo commented 5 years ago

I'll close this issue for now. Do reopen if there are still missing taint sources.