
Two Bugs in CFG Generation: Bit-Vector Length Mismatch and List Index Out of Range #426

Open
hwu71 opened this issue Jul 24, 2024 · 1 comment

Comments

@hwu71
Collaborator

hwu71 commented Jul 24, 2024

Description

I found two bugs when trying to get the CFG for the attached binary.

Bug 1: comparing two bit-vectors that have different lengths.

>>> # Contains some debug info
>>> a.args[1]
<BV32 0x1>
>>> ast.all_operations.BVV(1, 1)
<BV1 1>

>>> a.args[1] == ast.all_operations.BVV(1, 1)
Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/backends/backend.py", line 359, in is_false
    return self._false_cache[e.cache_key]
  File "/usr/lib/python3.10/weakref.py", line 416, in __getitem__
    return self.data[ref(key)]
KeyError: <weakref at 0x77598ecf48b0; to 'ASTCacheKey' at 0x77598eee2770>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/ast/base.py", line 1191, in _excavate_ite
    ast = next(ast_queue[-1])
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/operations.py", line 50, in _op
    raise ClaripyOperationError(msg)
claripy.errors.ClaripyOperationError: args' length must all be equal

Potential fix: In simplifications.py, check the length of a.args[x] and b.args[x] before the comparison, or generate BVV 0/1 using the length of a.args[x] and b.args[x].

After fixing bug 1, I found another bug in angr.
Bug 2:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/AMP_pipeline/src/misc/angr_amp_240724.py", line 4, in <module>
    cfg = proj.analyses.CFGFast()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 217, in __call__
    r = w(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 202, in wrapper
    oself.__init__(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 844, in __init__
    self._analyze()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/forward_analysis/forward_analysis.py", line 269, in _analyze
    self._post_analysis()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1562, in _post_analysis
    self._remove_redundant_overlapping_blocks(function_alignment=4, is_arm=True)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 3363, in _remove_redundant_overlapping_blocks
    if b.instruction_addrs[0] not in a.instruction_addrs and b in self.graph:
IndexError: list index out of range

Potential fix: In cfg_fast.py, check len(b.instruction_addrs) > 0 before accessing instruction_addrs[0].

Steps to reproduce the bug

import angr

# Binary attached to this issue (program_c.gcc.zip); shared libraries are not loaded
path = "program_c.gcc.vuln"
proj = angr.Project(path, load_options={'auto_load_libs': False})
cfg = proj.analyses.CFGFast()

program_c.gcc.zip

Environment

angr-dev v9.2.112

Additional context

No response

@twizmwazin
Member

@hwu71 Can you submit PRs with each of those fixes?
