
Exception: Internal error: cannot translate address

likaiam opened this issue · 6 comments

I was using driller to hybrid fuzz sqlite (a database program), but it seemingly cannot be used on database programs and raises Exception("Internal error: cannot translate address"). The following is the stack trace:
Drilling input: b"CREATE TABLE v0 ( v1 INTEGER ) ; SELECT v1 FROM v0 WHERE v1 = 'v0' AND ( v1 = 8 OR v1 =9223372036854775808 ) ORDER BY v1 ; SELECT v1, sum ( v1 ) OVER( PARTITION BY v1 ORDER BY v1 ) FROM v0 ; "
WARNING | 2022-12-19 13:43:46,883 | pyvex.lifting.gym.x86_spotter | The generalized AAM instruction is not supported by VEX, and is handled specially by pyvex. It has no flag handling at present. See pyvex/lifting/gym/x86_spotter.py for details
WARNING | 2022-12-19 13:43:47,228 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
WARNING | 2022-12-19 13:43:49,888 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
Traceback (most recent call last):
File "run_driller.py", line 70, in
main()
File "run_driller.py", line 56, in main
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 101, in drill_generator
for i in self._drill_input():
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 143, in _drill_input
simgr.step()
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
simgr.step(stash=stash, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 343, in step
return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 41, in step
simgr.step(stash=stash, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 95, in call
return self.func(*args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 407, in step
successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 406, in step_state
self._update_state_tracking(succs[0])
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 574, in _update_state_tracking
self._sync_return(state, idx)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 890, in _sync_return
return self._sync(state, idx, ret_addr)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 893, in _sync
addr_translated = self._translate_state_addr(addr)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 640, in _translate_state_addr
raise Exception("Internal error: cannot translate address")
Exception: Internal error: cannot translate address

This is the script calling Driller.

import errno
import os
import os.path
import sys
import time
from driller import Driller
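def save_input(content, dest_dir, count):
    """Save a new input to a file where AFL can find it.

    The file is named ``id:XXXXXX,driller`` (XXXXXX is the zero-padded value
    of *count*) and placed in *dest_dir*.

    Args:
        content: The input to write. ``bytes``/``bytearray`` payloads are
            written verbatim in binary mode; ``str`` is written as text
            (the original behaviour).
        dest_dir: Directory the file is created in; it must already exist.
        count: Sequence number used to build the file name.
    """
    name = 'id:%06d,driller' % count
    path = os.path.join(dest_dir, name)
    # Driller hands back raw bytes (the traceback above prints b"..."); writing
    # bytes through a text-mode handle raises TypeError, so choose the mode
    # from the payload type instead of always opening with 'w'.
    if isinstance(content, (bytes, bytearray)):
        with open(path, 'wb') as destfile:
            destfile.write(content)
    else:
        with open(path, 'w') as destfile:
            destfile.write(content)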
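def _drill_seed(binary, seed, fuzzer_bitmap, dest_dir, count):
    """Run Driller on one seed, save every new input, and return the next count.

    Args:
        binary: Path of the target binary handed to ``Driller``.
        seed: The input to drill.
        fuzzer_bitmap: Raw contents of AFL's ``fuzz_bitmap``.
        dest_dir: Directory the new inputs are written to.
        count: Sequence number for the first saved input.

    Returns:
        The sequence number to use for the next saved input.
    """
    print('Drilling input: %s' % seed)
    for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
        save_input(new_input, dest_dir, count)
        count += 1
    return count


def main():
    """Drill every AFL queue entry once and hand new inputs back to AFL.

    Usage: ``run_driller.py <binary> <fuzzer_output_dir>``. Reads
    ``fuzz_bitmap`` and the seeds in ``queueDrill`` from *fuzzer_output_dir*
    and writes Driller's new inputs into its ``queue`` directory. Loops
    forever, rescanning the seed directory every 10 seconds.

    Exits with status 1 when the argument count is wrong.
    """
    if len(sys.argv) != 3:
        # Two positional arguments are required, so the usage line names both
        # (the old message only mentioned the fuzzer directory).
        print('Usage: %s <binary> <fuzzer_output_dir>' % sys.argv[0])
        sys.exit(1)
    _, binary, fuzzer_dir = sys.argv

    # Figure out directories and inputs
    with open(os.path.join(fuzzer_dir, 'fuzz_bitmap'), "rb") as bitmap_file:
        fuzzer_bitmap = bitmap_file.read()
    source_dir = os.path.join(fuzzer_dir, 'queueDrill')
    dest_dir = os.path.join(fuzzer_dir, 'queue')

    # Make sure destination exists; exist_ok replaces the manual EEXIST check.
    os.makedirs(dest_dir, exist_ok=True)

    seen = set()  # Keeps track of source files already drilled
    count = len(os.listdir(dest_dir))  # Helps us name outputs correctly

    # Repeat forever in case AFL finds something new
    while True:
        # Go through all of the files AFL has generated, but only once each.
        # listdir() yields bare names, so the join cannot escape source_dir.
        for source_name in os.listdir(source_dir):
            if source_name in seen or not source_name.startswith('id:'):
                continue
            seen.add(source_name)
            with open(os.path.join(source_dir, source_name)) as seedfile:
                seed = seedfile.read()
            count = _drill_seed(binary, seed, fuzzer_bitmap, dest_dir, count)
            # Try a larger input too because Driller won't do it for you
            count = _drill_seed(binary, seed + '0000', fuzzer_bitmap, dest_dir, count)
        time.sleep(10)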
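# Script entry point guard; the pasted text lost the double underscores,
# which would raise NameError on `name` at import time.
if __name__ == '__main__':
    main()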

I also used the Docker image https://hub.docker.com/r/zjuchenyuan/driller.
When I tried to hybrid fuzz Mp3Gain (the example program), it worked. However, when I tried to fuzz sqlite (a database program), it reported the following errors. I don't know whether Driller (angr) can be used on database programs.

Again,

  • there's nothing special about "database programs" that makes angr unable to fuzz them. there must be something else wrong
  • please attach the exact binary you're analyzing

sqlite3.zip
this is the binary in the zip

I look forward to your reply. Thank you very much.

Please be patient. Today is Christmas and nobody is working.