Markakd/GREBE

Some bitcode files are not generated when building the kernel with customized llvm.

Closed this issue · 5 comments

I am trying to analyze this crash: https://syzkaller.appspot.com/bug?id=bdeea91ae259b3a42aa8ed8d8c91afd871eb5d80, and I compiled the clang with your patch. However, when I compiled the Linux kernel with command

make CC="/path/to/clang/" -j64

I didn't get bitcode files for all of the .c files, and the missing bitcode files are needed. The error messages are as follows:

executing ~/GREBE/analyzer/build/lib/analyzer --crash-report=./case/report --call-graph=./case/report_cg.txt ./case/linux-bitcode/lib/list_debug.c.bc ./case/linux-bitcode/crypto/algapi.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/algboss.c.bc ./case/linux-bitcode/kernel/kthread.c.bc ./case/linux-bitcode/arch/x86/entry/entry_64.S.bc 

Total 7 file(s)
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/lib/list_debug.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/arch/x86/entry/entry_64.S.bc'
inserting __list_del_entry_valid __list_del_entry
inserting __list_del_entry list_del
inserting list_del crypto_drop_spawn
inserting crypto_drop_spawn crypto_drop_aead
inserting crypto_drop_aead pcrypt_create_aead
inserting pcrypt_create_aead pcrypt_create
inserting pcrypt_create cryptomgr_probe
inserting cryptomgr_probe kthread
inserting kthread ret_from_fork
Here is the crash location __list_del_entry_valid lib/list_debug.c:51 explicit checking? 1
analyzer: /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed.
 #0 0x00000000005d57ff llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d57ff)
 #1 0x00000000005d3a82 llvm::sys::RunSignalHandlers() (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d3a82)
 #2 0x00000000005d6075 SignalHandler(int) (/home/ws/GREBE/analyzer/build/lib/analyzer+0x5d6075)
 #3 0x00007ff1fd922420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #4 0x00007ff1fd41100b raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #5 0x00007ff1fd3f0859 abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:81:7
 #6 0x00007ff1fd3f0729 get_sysdep_segment_value /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:509:8
 #7 0x00007ff1fd3f0729 _nl_load_domain /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:970:34
 #8 0x00007ff1fd401fd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
 #9 0x0000000000563d83 CrashAnalyzer::dump(llvm::StringRef) /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:0:5
#10 0x0000000000563b78 CrashAnalyzer::dump() /home/ws/GREBE/analyzer/src/lib/CrashAnalyzer.cc:233:1
#11 0x000000000052e50a main /home/ws/GREBE/analyzer/src/lib/KAMain.cc:269:16
#12 0x00007ff1fd3f2083 __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#13 0x000000000052c95e _start (/home/ws/GREBE/analyzer/build/lib/analyzer+0x52c95e)
Stack dump:
0.	Program arguments: /home/ws/GREBE/analyzer/build/lib/analyzer --crash-report=./case/report --call-graph=./case/report_cg.txt ./case/linux-bitcode/lib/list_debug.c.bc ./case/linux-bitcode/crypto/algapi.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/pcrypt.c.bc ./case/linux-bitcode/crypto/algboss.c.bc ./case/linux-bitcode/kernel/kthread.c.bc ./case/linux-bitcode/arch/x86/entry/entry_64.S.bc 
Aborted (core dumped)
Traceback (most recent call last):
  File "run_analyze.py", line 68, in <module>
    run_case(sys.argv[1])
  File "run_analyze.py", line 65, in run_case
    shutil.copyfile("/tmp/ca_result", case_path+"/sts.txt")
  File "/usr/lib/python3.8/shutil.py", line 264, in copyfile
    with open(src, 'rb') as fsrc, open(dst, 'wb') as fdst:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ca_result'

So is my kernel compile command wrong?

It seems like the command

make allyesconfig

could fully compile all Linux kernel .c files and generate the bitcode files.

Now I have another problem:

executing /home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer --crash-report=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt --call-graph=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt_cg.txt /home/aota08/GREBE/linux-kernel/linux-5.6/net/l2tp/l2tp_core.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/net/core/sock.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/kernel/apic/apic.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc 

Total 9 file(s)
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer: error loading file '/home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc'
inserting l2tp_session_free __sk_destruct
inserting __sk_destruct rcu_do_batch
inserting rcu_do_batch rcu_core
inserting rcu_core __do_softirq
inserting __do_softirq invoke_softirq
inserting invoke_softirq irq_exit
inserting irq_exit exiting_irq
inserting exiting_irq smp_apic_timer_interrupt
inserting smp_apic_timer_interrupt apic_timer_interrupt
Here is the crash location l2tp_session_free net/l2tp/l2tp_core.c:1572 explicit checking? 1
analyzer: /home/aota08/GREBE/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed.
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4babdf]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4b8e72]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x4bb455]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7fa406c63390]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7fa40601c438]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7fa40601e03a]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dbe7)[0x7fa406014be7]
/lib/x86_64-linux-gnu/libc.so.6(+0x2dc92)[0x7fa406014c92]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x44aee5]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x44acf8]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x415f83]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa406007840]
/home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer[0x414349]
Stack dump:
0.      Program arguments: /home/aota08/GREBE/GREBE/analyzer/build/lib/analyzer --crash-report=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt --call-graph=/home/aota08/GREBE/GREBE/fuzzer/workdir/crash_report/1.txt_cg.txt /home/aota08/GREBE/linux-kernel/linux-5.6/net/l2tp/l2tp_core.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/net/core/sock.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/rcu/tree.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/kernel/softirq.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/kernel/apic/apic.c.bc /home/aota08/GREBE/linux-kernel/linux-5.6/arch/x86/entry/entry_64.S.bc 
Aborted (core dumped)
Traceback (most recent call last):
  File "run_analyze.py", line 72, in <module>
    run_case(sys.argv[1], sys.argv[2])
  File "run_analyze.py", line 69, in run_case
    shutil.copyfile("/tmp/ca_result", report_path+"_sts.txt")
  File "/usr/lib/python3.5/shutil.py", line 114, in copyfile
    with open(src, 'rb') as fsrc:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ca_result'

Why does the assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' fail when I have all the required bitcode files?
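The two posts above show the analyzer reporting "error loading file" for some of the .bc files named in the crash's call trace. This Python is an added example and not part of GREBE: it parses those lines from the analyzer output, maps each missing .bc back to its source file, and classifies why it is missing (assembly sources never yield LLVM bitcode; a present .c file without a .bc was not selected by the kernel .config; an absent .c file points to a kernel version mismatch with the report). The sample log is constructed from the output quoted above, and the source_exists hook is an assumed test seam.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# Line the GREBE analyzer prints for every bitcode file it cannot open.
ERR_RE = re.compile(r"error loading file '(?P<path>[^']+)'")

# Constructed from the first run in this thread (not a real analyzer log).
SAMPLE_LOG = """\
Total 7 file(s)
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/lib/list_debug.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/crypto/pcrypt.c.bc'
/home/ws/GREBE/analyzer/build/lib/analyzer: error loading file './case/linux-bitcode/arch/x86/entry/entry_64.S.bc'
"""

@dataclass
class MissingBitcode:
    bitcode: str   # the .bc path the analyzer wanted
    source: str    # the source file it should have been emitted from
    reason: str    # "assembly", "not-compiled" or "no-source"

def classify_missing(log_text: str,
                     source_exists: Callable[[str], bool] = os.path.exists
                     ) -> List[MissingBitcode]:
    """Return one entry per distinct missing .bc file, with a diagnosis."""
    seen = set()
    result = []
    for m in ERR_RE.finditer(log_text):
        bc = m.group("path")
        if bc in seen:              # listed once per call-trace frame
            continue
        seen.add(bc)
        src = bc[:-3] if bc.endswith(".bc") else bc
        if src.endswith(".S"):
            reason = "assembly"     # assembled, never compiled to bitcode
        elif source_exists(src):
            reason = "not-compiled" # object not enabled by the .config
        else:
            reason = "no-source"    # file absent: wrong kernel version
        result.append(MissingBitcode(bc, src, reason))
    return result

if __name__ == "__main__":
    for item in classify_missing(SAMPLE_LOG):
        print(f"{item.reason:13} {item.source}")
```

A run with the real kernel tree as the working directory uses os.path.exists; "not-compiled" entries are the ones the allyesconfig or syzbot-config rebuild from the second post is meant to fix.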

Hey, sorry for the late reply.

It looks like the taint source is not found. There might be some bugs in analyzing the crash location.

I realized that I need to use the kernel version and config options described in the syzbot report, like this, and then the analysis can run correctly. Sorry for the interruption.

Hi, I met the same problem. I used the kernel version and config from your link.

But it still reports "analyzer: /home/aota08/GREBE/GREBE/analyzer/src/lib/CrashAnalyzer.cc:248: void CrashAnalyzer::dump(llvm::StringRef): Assertion `Ctx->TaintSrc.size() > 0 || Ctx->TmpTaintSrc.size() > 0' failed."

Can you give me some advice? Thanks.