This repository was archived by the owner on Aug 23, 2022. It is now read-only.
mcsema-lift crash (Segmentation fault) #735
Open
Description
Hi,
When using mcsema-lift, I get a segmentation fault.
Docker image: https://hub.docker.com/layers/trailofbits/mcsema/llvm1100-ubuntu20.04-amd64/images/sha256-50e3e04fdcce8e83ea801542dcf7fdd902306674028a829ab0dcaa0161a07a72?context=explore
File: test3.c

```c
#include <stdio.h>

/* Returns 0, -1 or 1 depending on the sign of x. */
int get_sign(int x) {
    if (x == 0)
        return 0;
    if (x < 0)
        return -1;
    else
        return 1;
}

int main() {
    int a;
    scanf("%d", &a);  /* read one integer from stdin */
    int res = get_sign(a);
    if (res > 0)
        printf("%d is positive\n", a);
    else if (res < 0)
        printf("%d is negative\n", a);
    else
        printf("%d is zero\n", a);
    return 0;
}
```
```
> clang --version
clang version 11.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
> clang -g -O0 -fno-stack-protector -no-pie -Wall test3.c -o test3
> '/home/fredyr4zox/Downloads/IDA Pro/IDA Pro 7.5/idat64.exe' -S"/home/fredyr4zox/.local/lib/python3.8/site-packages/mcsema_disass-3.1.3.8-py3.8.egg/mcsema_disass/ida7/get_cfg.py --output /home/fredyr4zox/Builds/Thesis/test3.cfg --log_file /home/fredyr4zox/Builds/Thesis/log --arch amd64 --os linux --entrypoint main" /home/fredyr4zox/Builds/Thesis/test3
> sudo docker run -it --ipc=host --entrypoint=/bin/bash -v /home/fredyr4zox/Downloads/IDA\ Pro/:/mcsema/ida -v "$(pwd)":/mcsema/local trailofbits/mcsema:llvm1100-ubuntu20.04-amd64
root@692d6bc95e1c:/# cd /mcsema/local/
root@692d6bc95e1c:/mcsema/local# mcsema-lift-11.0 --arch amd64 --os linux --cfg test3.cfg --output test3.bc
Segmentation fault (core dumped)
root@692d6bc95e1c:/mcsema/local# // I installed GDB and GEF for GDB
root@692d6bc95e1c:/mcsema/local# gdb mcsema-lift-11.0
.......................
(gdb) r --arch amd64 --os linux --cfg test3.cfg --output test3.bc
.......................
   0x54f0c1 <remill::CallersOf(llvm::Function*)+97>  cmp    BYTE PTR [r15+0x10], 0x17
   0x54f0c6 <remill::CallersOf(llvm::Function*)+102> mov    ecx, 0x0
   0x54f0cb <remill::CallersOf(llvm::Function*)+107> cmova  rcx, r15
 → 0x54f0cf <remill::CallersOf(llvm::Function*)+111> movzx  edx, BYTE PTR [rcx+0x10]
   0x54f0d3 <remill::CallersOf(llvm::Function*)+115> cmp    dl, 0x1d
   0x54f0d6 <remill::CallersOf(llvm::Function*)+118> je     0x54f0b0 <remill::CallersOf(llvm::Function*)+80>
   0x54f0d8 <remill::CallersOf(llvm::Function*)+120> cmp    dl, 0x23
   0x54f0db <remill::CallersOf(llvm::Function*)+123> je     0x54f0b0 <remill::CallersOf(llvm::Function*)+80>
   0x54f0dd <remill::CallersOf(llvm::Function*)+125> cmp    dl, 0x50
───────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mcsema-lift-11.", stopped 0x54f0cf in remill::compat::llvm::CallSite::CallSite (), reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x54f0cf → remill::compat::llvm::CallSite::CallSite(this=<optimized out>, user=0x360bec0)
[#1] 0x54f0cf → remill::CallersOf(func=<optimized out>)
[#2] 0x4793eb → mcsema::(anonymous namespace)::ReplaceUndefIntrinsic(function=0x27d63f8)
[#3] 0x4793eb → mcsema::(anonymous namespace)::RemoveUndefFuncCalls()
[#4] 0x4793eb → mcsema::CleanUpModule(cfg_module=0x327a270)
[#5] 0x4750f1 → mcsema::LiftCodeIntoModule(cfg_module=0x327a270)
[#6] 0x48a34c → main(argc=<optimized out>, argv=<optimized out>)
```
This is very weird since it is a simple program.
The zip file attached has all the files: the .c file, the compiled program, and the 3 files from the mcsema-disass command.
mcsema-lift-issue.zip