The FormatString interpreter incorrectly calculates the length of the string to be read. #4616

Open
AlaRduTP opened this issue May 4, 2024 · 0 comments · May be fixed by #4617
Labels
bug Something is broken needs-triage Issue has yet to be looked at by a maintainer

AlaRduTP commented May 4, 2024

Description

Within the FormatString.interpret() function, when simfd.read_storage is not an instance of SimPackets, the function interprets %s specifiers by locating a newline in the input file. The length of the string to be read will be inaccurately calculated under the following condition:

  • There is no newline in the first max_str_len bytes of the input file,
    AND the max_str_len-th byte is symbolic.

In such a case, the interpreter will only read the first max_str_len - 1 bytes, whereas it should read all max_str_len bytes.

Steps to reproduce the bug

test.c

#include <stdio.h>
#include <string.h>

/*
 *  gcc -g -o test test.c
 *
 *  -g keeps the DWARF variable info that the POC uses to locate buf.
 */

int main(void) {
    char buf[0x20] = {0};
    /* %16s: read at most 16 non-whitespace bytes from stdin into buf */
    scanf("%16s", buf);
    return 0;
}

Memory layout of test:

0000000000001169 <main>:
    1169:	f3 0f 1e fa          	endbr64
...
    11b7:	e8 b4 fe ff ff       	callq  1070 <__isoc99_scanf@plt>
    11bc:	b8 00 00 00 00       	mov    $0x0,%eax
    11c1:	48 8b 55 f8          	mov    -0x8(%rbp),%rdx
...
    11d6:	c3                   	retq

POC.py

import angr
import claripy

# angr loads a PIE binary at base 0x400000 by default, so the instruction
# right after the scanf call (0x11bc in the objdump above) lands at 0x4011bc.
AFTER_SCANF = 0x4011bc
BYTES_LEN = 16
TARGET = './test'

def test_interpret_fmt_str():
    proj = angr.Project(TARGET, load_debug_info=True, auto_load_libs=False)
    proj.kb.dvars.load_from_dwarf()

    # stdin is exactly BYTES_LEN fully symbolic bytes: no newline anywhere,
    # and the max_str_len-th (16th) byte is symbolic, the condition described above.
    blist = claripy.BVS('bytes', 8 * BYTES_LEN)
    stdin = angr.SimFile('/dev/stdin', content=blist)

    state = proj.factory.entry_state(stdin=stdin)
    simfd = state.posix.get_fd(0)

    # The bug only affects the non-SimPackets read_storage path.
    assert not isinstance(simfd.read_storage, angr.SimPackets)

    simgr = proj.factory.simgr(state)
    simgr.run(until=(lambda sm: sm.active[0].addr == AFTER_SCANF))

    state = simgr.active[0]
    buf = state.dvars['buf'].deref.mem.array(BYTES_LEN).resolved

    # If all 16 bytes were read, the 16th byte of buf is symbolic.
    # With the bug only 15 are read and buf[-1] stays the concrete 0.
    assert buf[-1].symbolic


if __name__ == '__main__':
    test_interpret_fmt_str()

Only 15 bytes (symbolic variables) are read into buf.

Traceback (most recent call last):
  File "POC.py", line 30, in <module>
    test_interpret_fmt_str()
  File "POC.py", line 26, in test_interpret_fmt_str
    assert buf[-1].symbolic
AssertionError

Environment

angr environment report

Date: 2024-05-04 15:06:37.851751
Running in virtual environment at /home/alardutp/test-angr/.venv
/home/alardutp/test-angr/.venv/lib/python3.8/site-packages/angr/misc/bug_report.py:88: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
import pkg_resources # pylint:disable=import-outside-toplevel
Platform: linux-x86_64
Python version: 3.8.10 (default, Nov 22 2023, 10:22:35)
[GCC 9.4.0]
######## angr #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/angr/__init__.py
Pip version angr 9.2.101
Couldn't find git info
######## ailment #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/ailment/__init__.py
Pip version ailment 9.2.101
Couldn't find git info
######## cle #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/cle/__init__.py
Pip version cle 9.2.101
Couldn't find git info
######## pyvex #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/pyvex/__init__.py
Pip version pyvex 9.2.101
Couldn't find git info
######## claripy #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/claripy/__init__.py
Pip version claripy 9.2.101
Couldn't find git info
######## archinfo #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/archinfo/__init__.py
Pip version archinfo 9.2.101
Couldn't find git info
######## z3 #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/z3/__init__.py
Pip version z3-solver 4.10.2.0
Couldn't find git info
######## unicorn #########
Python found it in /home/alardutp/test-angr/.venv/lib/python3.8/site-packages/unicorn/__init__.py
Pip version unicorn 2.0.1.post1
Couldn't find git info
######### Native Module Info ##########
angr: <CDLL '/home/alardutp/test-angr/.venv/lib/python3.8/site-packages/angr/state_plugins/../lib/angr_native.so', handle 2e19630 at 0x7f0c53b2adf0>
unicorn: <CDLL '/home/alardutp/test-angr/.venv/lib/python3.8/site-packages/unicorn/lib/libunicorn.so.2', handle 28808b0 at 0x7f0c56dbdc10>
pyvex: <cffi.api._make_ffi_library.<locals>.FFILibrary object at 0x7f0c57a749d0>
z3: <CDLL '/home/alardutp/test-angr/.venv/lib/python3.8/site-packages/z3/lib/libz3.so', handle 23e2b40 at 0x7f0c59933730>

Additional context

No response
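The rule the report describes (stop at the first concrete newline within max_str_len bytes, otherwise consume the full max_str_len) can be written down as a plain-Python reference model, which is what a regression test for the fix needs to compare against. The block below is an added illustration, not angr's FormatString.interpret() and not code from this issue or from PR #4617; it models a symbolic stdin byte as None and a concrete byte as an int, and adds no solver constraints, so a symbolic byte before a concrete newline is simply counted as part of the string.

```python
"""Reference model of how many bytes a `%<N>s` conversion should consume from
a partly symbolic stdin under the rule described in the angr issue.

Added example, not angr's own implementation. A symbolic byte is modelled as
None, a concrete byte as its integer value (0..255).
"""
from typing import List, Optional

SymByte = Optional[int]  # None = symbolic byte, int = concrete byte value

NEWLINE = ord("\n")


def expected_read_length(data: List[SymByte], max_str_len: int) -> int:
    """Bytes a `%<max_str_len>s` should read from `data`.

    Scan only the first max_str_len bytes for a *concrete* newline. If one is
    found the read stops in front of it; otherwise every byte in the window is
    consumed. A symbolic byte is never treated as a terminator by this scan,
    so a symbolic max_str_len-th byte is still counted (the reported bug
    returns max_str_len - 1 in that case).

    Note: real scanf stops at any whitespace; the issue only describes a
    newline scan, and this model follows the issue.
    """
    if max_str_len <= 0:
        raise ValueError("max_str_len must be positive")
    window = data[:max_str_len]          # never look past the field width
    for idx, byte in enumerate(window):
        if byte is not None and byte == NEWLINE:
            return idx                   # newline itself is not part of the string
    return len(window)                   # min(len(data), max_str_len), input may hit EOF early


def reported_condition(data: List[SymByte], max_str_len: int) -> bool:
    """True when the input matches the two-part condition from the report:
    no concrete newline in the first max_str_len bytes AND the
    max_str_len-th byte (index max_str_len - 1) is symbolic."""
    window = data[:max_str_len]
    if len(window) < max_str_len:
        return False                     # not enough input for a max_str_len-th byte
    no_newline = all(b is None or b != NEWLINE for b in window)
    return no_newline and window[max_str_len - 1] is None


def symbolic_stdin(n: int) -> List[SymByte]:
    """Constructed input: n fully symbolic bytes, like the BVS in the POC."""
    return [None] * n


def concrete_stdin(raw: bytes) -> List[SymByte]:
    """Constructed input: fully concrete bytes."""
    return list(raw)


if __name__ == "__main__":
    # The POC's input: 16 symbolic bytes read with %16s. All 16 must be consumed.
    poc_input = symbolic_stdin(16)
    assert reported_condition(poc_input, 16)
    print("expected bytes read for the POC input:", expected_read_length(poc_input, 16))
```

The condition check and the length model are separate on purpose: reported_condition() classifies an input as hitting the reported corner case, while expected_read_length() gives the value a fixed interpreter should produce for it, so a test can assert both that the case is exercised and that the result is max_str_len rather than max_str_len - 1.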
