Failure: Concretized 2 values (must be exactly 1) in eval_exact
andyhhp commented
With #6 fixed, I see a new error, with 24 instances:
---------------- [ SCANNER ERROR ] ----------------
in basic block: 0xffff82d040342588 started at:0xffff82d040201790
Concretized 2 values (must be exactly 1) in eval_exact
Traceback (most recent call last):
File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 567, in run
next_states = self.cur_state.step()
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
return self.project.factory.successors(self, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
return self.default_engine.process(*args, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
return super().process(*args, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
self.process_successors(self.successors, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 24, in process_successors
return super().process_successors(successors, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/syscall.py", line 26, in process_successors
return super().process_successors(successors, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/hook.py", line 56, in process_successors
return super().process_successors(successors, procedure=procedure, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/unicorn.py", line 389, in process_successors
return super().process_successors(successors, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/soot/engine.py", line 68, in process_successors
return super().process_successors(successors, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 174, in process_successors
self.handle_vex_block(irsb)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/super_fastpath.py", line 25, in handle_vex_block
super().handle_vex_block(irsb)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 26, in handle_vex_block
super().handle_vex_block(irsb)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 31, in handle_vex_block
super().handle_vex_block(irsb)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 49, in handle_vex_block
super().handle_vex_block(irsb)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 550, in handle_vex_block
self._handle_vex_defaultexit(irsb.next, irsb.jumpkind)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 36, in _handle_vex_defaultexit
super()._handle_vex_defaultexit(expr, jumpkind)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 553, in _handle_vex_defaultexit
self._perform_vex_defaultexit(self._analyze_vex_defaultexit(expr) if expr is not None else None, jumpkind)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 237, in _perform_vex_defaultexit
super()._perform_vex_defaultexit(target, jumpkind)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 360, in _perform_vex_defaultexit
self.successors.add_successor(
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 131, in add_successor
self._preprocess_successor(state, add_guard=add_guard)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 173, in _preprocess_successor
self._manage_callstack(state)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 195, in _manage_callstack
ret_addr = state.mem[state.regs._sp].long.concrete
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/view.py", line 276, in concrete
return self._type.extract(self.state, self._addr, True)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_type.py", line 406, in extract
out = state.memory.load(addr, self.size // state.arch.byte_width, endness=state.arch.memory_endness)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 15, in load
return super().load(
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/name_resolution_mixin.py", line 67, in load
return super().load(addr, size=size, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/bvv_conversion_mixin.py", line 30, in load
return super().load(addr, size=size, fallback=fallback_bv, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/clouseau_mixin.py", line 98, in load
self.state._inspect(
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 400, in _inspect
self.inspect.action(*args, **kwargs)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/inspect.py", line 275, in action
bp.fire(self.state)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/inspect.py", line 215, in fire
self.action(state)
File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 293, in load_hook_after
l.info(f"Load@{hex(state.addr)}: {load_addr}")
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 381, in addr
return self.solver.eval_one(self.regs._ip)
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/solver.py", line 942, in eval_one
return self.eval_exact(e, 1, cast_to, **{k: v for (k, v) in kwargs.items() if k != "default"})[0]
File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/solver.py", line 1070, in eval_exact
raise SimValueError("Concretized %d values (must be exactly %d) in eval_exact" % (len(r), n))
angr.errors.SimValueError: Concretized 2 values (must be exactly 1) in eval_exact
Unfortunately, I'm at a complete loss as to what it's trying to tell me. The basic block identified is:
ffff82d040342588: 49 8b 44 24 08 mov 0x8(%r12),%rax
ffff82d04034258d: 4c 89 e7 mov %r12,%rdi
ffff82d040342590: ff 50 28 callq *0x28(%rax)
ffff82d040342593: 41 8b 14 24 mov (%r12),%edx
ffff82d040342597: f6 c2 10 test $0x10,%dl
ffff82d04034259a: 0f 84 10 03 00 00 je ffff82d0403428b0 <do_IRQ+0x3c0>
Files:
xen-syms.gz
addr-list.csv
and --base 0xffff82d040200000
SanWieb commented
For the Linux kernel we used the indirect thunk arrays as the indirect branch sink. I just added support for fully symbolic branches, so they should now be detected as dispatch gadgets (i.e., tainted function pointer (TFP)).
Note that the TFP CSV file argument was missing from the docs; you can add it with the flag --tfp-output. Although most TFPs are exploitable, we will also make a simple reasoner for it (#10).