That warning is due to a deficiency in the taint2 plugin, in the taint_mix function when an LLVM shift instruction is encountered where the amount to shift is a variable. There's a long comment there explaining what is going on. It would take code changes to taint2 to fix it, if it is fixable. Maybe in some of the simpler cases something sensible could be done to the controlled bits masks, but I doubt there is a logical thing to do to the controlled bits masks in all cases where the shift amount is a variable whose bits are only PARTIALLY controlled.
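The ambiguity described in the reply above can be seen in a small model. This is an added example, not taint2's code and not part of the thread; the 8-bit width, the function names and the input masks are assumptions made for illustration. It tracks only where the value's controlled bits land for each shift amount that a partially controlled amount can take.

```python
from itertools import product

WIDTH = 8  # toy register width; an assumption to keep the masks readable


def possible_amounts(amount_value, amount_cb_mask):
    """All shift amounts reachable when the bits set in amount_cb_mask are
    controlled and the remaining bits keep their value from amount_value."""
    free_bits = [b for b in range(WIDTH) if amount_cb_mask >> b & 1]
    fixed = amount_value & ~amount_cb_mask
    amounts = set()
    for choice in product((0, 1), repeat=len(free_bits)):
        amt = fixed
        for bit, on in zip(free_bits, choice):
            amt |= on << bit
        amounts.add(amt)
    return sorted(amounts)


def shl_cb_masks(value_cb_mask, amount_value, amount_cb_mask):
    """Controlled-bits mask of (value << amount) for each reachable amount."""
    full = (1 << WIDTH) - 1
    return {amt: (value_cb_mask << amt) & full if amt < WIDTH else 0
            for amt in possible_amounts(amount_value, amount_cb_mask)}


def summarize(value_cb_mask, amount_value, amount_cb_mask):
    """Return (bits controlled for every amount, bits controlled for some)."""
    always, sometimes = (1 << WIDTH) - 1, 0
    for mask in shl_cb_masks(value_cb_mask, amount_value, amount_cb_mask).values():
        always &= mask
        sometimes |= mask
    return always, sometimes


if __name__ == "__main__":
    # Constructed inputs: the low nibble of the shifted value is controlled.
    for name, args in [("constant shift by 2", (0x0F, 2, 0x00)),
                       ("amount bit 1 controlled", (0x0F, 2, 0x02)),
                       ("amount bits 0-2 controlled", (0x0F, 0, 0x07))]:
        always, sometimes = summarize(*args)
        print(f"{name}: always={always:#04x} sometimes={sometimes:#04x}")
```

With a constant amount the two masks agree, so the shifted mask is exact; once a single bit of the amount is controlled they diverge, and neither the intersection nor the union is a faithful controlled-bits mask for the result.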
I fixed the taint.py in example/taint2; however, I got the warning and I don't know how to fix it.
I am running PANDA in a VirtualBox virtual machine, Ubuntu 22.04.
Is there any way to fix this problem?
Here is my code:
```python
from pandare import Panda

panda = Panda(generic='x86_64')


@panda.queue_blocking
def driver():
    # Restore the 'root' snapshot, run the command in the guest, then stop.
    panda.revert_sync('root')
    print(panda.run_serial_cmd("grep root /etc/passwd"))
    panda.end_analysis()


@panda.cb_after_machine_init
def setup(cpu):
    print("===>taint enabled<===")
    # Enable tainting
    panda.taint_enable()


'''
require was deprecated
'''
panda.load_plugin("osi")
panda.load_plugin("osi_linux")
panda.load_plugin("taint2")


def fd_to_fname(cpu, fd):
    # Resolve a guest file descriptor to a file name (bytes) via OSI.
    proc = panda.plugins['osi'].get_current_process(cpu)
    procname = panda.ffi.string(proc.name) if proc != panda.ffi.NULL else b"error"
    fname_ptr = panda.plugins['osi_linux'].osi_linux_fd_to_filename(cpu, proc, fd)
    # Fall back to bytes, not str, because the caller decodes the result.
    fname = panda.ffi.string(fname_ptr) if fname_ptr != panda.ffi.NULL else b"error"
    return fname


@panda.ppp("syscalls2", "on_sys_read_return")
def read(cpu, tb, fd, buf, cnt):
    fname = fd_to_fname(cpu, fd)
    fnamestr = fname.decode('utf-8', 'ignore')
    print(f"read {fnamestr}")
    if fnamestr == "/etc/passwd":
        # Give every byte of the read buffer its own taint label.
        label = 1
        for idx in range(cnt):
            panda.taint_label_ram(buf + idx, label)
            label = label + 1


@panda.queue_blocking
@panda.ppp("taint2", "on_branch2")
def something(addr, size, from_helper, tainted):
    print("Tainted branch")


panda.run()
```