Decaf crashes every time the traced process exits due to segmentation fault


gabriel

Sep 30, 2017, 2:32:17 PM
to decaf-platform-discuss
Hi all,

Previously I used TEMU for dynamic tracing and tainting. Now I have switched to DECAF because of several advantages DECAF has over TEMU. However, DECAF crashes every time the monitored guest process ends. For example, I load the plugin callbacktests and issue 'do_callbacktests foo'. When foo ends, DECAF throws a segmentation fault on the host (core dump).

Here are the steps I used to configure DECAF and run the example:

Host: Ubuntu 12.04.5 64bit with kernel 3.13.0-32-generic
Guest: Ubuntu 12.04.5 32bit with kernel 3.5.0-54-generic
DECAF was downloaded from GitHub (https://github.com/sycurelab/DECAF).

1. ./configure --disable-docs
2. make
3. My changes to procinfo.ini:

total=6
[6]
strName = 3.5.0-54-generic
init_task_addr  = 3246813696
init_task_size  = 3248
ts_tasks        = 444
ts_pid          = 524
ts_tgid         = 528
ts_group_leader = 560
ts_thread_group = 616
ts_real_parent  = 536
ts_mm           = 472
ts_stack        = 4
module_name   = 12
module_size   = 228
module_init   = 220
module_list   = 4
ts_real_cred    = 736
ts_cred         = 740
ts_comm         = 744
cred_uid        = 4
cred_gid        = 8
cred_euid       = 20
cred_egid       = 24
mm_mmap         = 0
mm_pgd          = 40
mm_arg_start    = 156
mm_start_brk    = 144
mm_brk          = 148
mm_start_stack  = 152
vma_vm_start    = 4
vma_vm_end      = 8
vma_vm_next     = 12
vma_vm_file     = 80
vma_vm_flags    = 28
vma_vm_pgoff    = 76
file_dentry     = 12
file_inode      = 32
dentry_d_name   = 20
dentry_d_iname  = 36
dentry_d_parent = 16
ti_task         = 0
inode_ino   = 40
proc_fork_connector  = 3241884080
proc_exit_connector  = 3241885840
proc_exec_connector  = 3241884368
vma_link  = 3239236336
vma_adjust  = 3239236624
remove_vma  = 3239234960
modules  = 3246901080
trim_init_extable  = 3238242624


gabriel@u1264:~/decaf-git/decaf/i386-softmmu$ ./qemu-system-i386 -monitor stdio -m 512 -netdev user,id=mynet -device rtl8139,netdev=mynet ~/vm/u1232.qcow2
QEMU 1.0 monitor - type 'help' for more information
(qemu) inside bdrv open, drv addr= 0x9dc99fe0, size= 53687091200
fs_open = Fragment
inside bdrv open, drv addr= 0x9ddfe830, size= 0
fs_open error!
inside vmi init

Procinfo path: /home/gabriel/decaf-git/decaf/i386-softmmu/../shared/kernelinfo/procinfo_generic/procinfo.ini
Total Sections: 6
Match 3.5.0-54-generic
swapper task @ [c1867200]
its linux
(qemu) load_plugin ../plugins/callbacktests/callbacktests.so
Hello World
A program name was not specified, so we will use sort.exe
Tests will be completed using: sort.exe (case sensitive).
  Run the program to start the first test
../plugins/callbacktests/callbacktests.so is loaded successfully!
(qemu) do_callbacktests foo
Tests will be completed using: foo (case sensitive).
  Run the program to start the first test
(qemu)
**********************************************
Running the Block Begin Single test
Process [foo] with pid [2253] started at 1506795139:363939
Registering for callback
Callback Registered
Callback Count = 4338377
Process [foo] with pid [2253] ended at 1506795148:768833
Segmentation fault (core dumped)


The foo program is from the TEMU tutorial (foo.c):

#include <stdio.h>

int main(int argc, char **argv)
{
  int x;
  scanf("%d", &x);
  if (x != 5)
      printf("Hello\n");
  return 0;
}

I also tried the plugin "tracecap.so"; the same error occurs and DECAF exits, though the trace is generated and saved before the crash. I'm not sure what I missed during the configuration.

Please help me out. Thanks in advance!


Best,
Gabriel

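The procinfo section in the post above is something that can be cross-checked mechanically before digging into the crash. The program below is an added example, not part of the post and not DECAF's own code: it reads the relevant keys of the [6] section (abridged and embedded as a string), and checks that strName equals the guest's `uname -r`, that init_task_addr equals the swapper task address DECAF printed at startup (c1867200), that the task_struct offsets fit inside init_task_size, and that the symbol addresses lie in the kernel half of the 32-bit guest address space. The kernel base 0xC0000000 (default 3G/1G split) is an assumption, and the names ini_get, procinfo_value and check_procinfo are mine. The values from the post pass all of these checks.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Abridged copy of the [6] section posted above, embedded so the check runs offline. */
static const char PROCINFO_INI[] =
    "[6]\n"
    "strName = 3.5.0-54-generic\n"
    "init_task_addr  = 3246813696\n"
    "init_task_size  = 3248\n"
    "ts_tasks        = 444\n"
    "ts_pid          = 524\n"
    "ts_tgid         = 528\n"
    "ts_comm         = 744\n"
    "proc_fork_connector  = 3241884080\n"
    "proc_exit_connector  = 3241885840\n"
    "vma_link  = 3239236336\n"
    "modules  = 3246901080\n";

#define KERNEL_BASE 0xC0000000UL  /* assumption: 32-bit guest with the default 3G/1G split */

/* Find "key = value" in the INI text and copy the trimmed value to out; 1 if found, else 0. */
static int ini_get(const char *ini, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key), len, vlen;
    const char *p = ini, *eol, *q;
    while (*p) {
        eol = strchr(p, '\n');
        len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > klen && strncmp(p, key, klen) == 0) {
            q = p + klen;
            while (q < p + len && (*q == ' ' || *q == '\t')) q++;
            if (q < p + len && *q == '=') {          /* exact key, not a prefix of a longer one */
                for (q++; q < p + len && (*q == ' ' || *q == '\t'); q++) {}
                vlen = (size_t)(p + len - q);
                while (vlen && (q[vlen - 1] == ' ' || q[vlen - 1] == '\r')) vlen--;
                if (vlen >= outsz) vlen = outsz - 1;
                memcpy(out, q, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Numeric value of `key`, or 0 when absent (procinfo.ini stores numbers in decimal). */
unsigned long procinfo_value(const char *ini, const char *key)
{
    char buf[64];
    return ini_get(ini, key, buf, sizeof buf) ? strtoul(buf, NULL, 10) : 0;
}

/* Check one section against what the guest and DECAF report: guest_release is the guest's
 * `uname -r`, swapper_addr the "swapper task @ [...]" value DECAF printed (0 = skip).
 * Returns the number of problems; messages go to report when it is non-NULL. */
int check_procinfo(const char *ini, const char *guest_release,
                   unsigned long swapper_addr, char *report, size_t repsz)
{
    static const char *ts_keys[] = { "ts_tasks", "ts_pid", "ts_tgid", "ts_comm" };
    static const char *addr_keys[] = { "proc_fork_connector", "proc_exit_connector",
                                       "vma_link", "modules" };
    char name[64] = "", buf[64];
    int problems = 0;
    size_t used = 0, i;
    unsigned long size = procinfo_value(ini, "init_task_size");
    unsigned long addr = procinfo_value(ini, "init_task_addr");
#define REPORT(...) do { problems++; if (report && used < repsz) \
        used += (size_t)snprintf(report + used, repsz - used, __VA_ARGS__); } while (0)
    if (report && repsz) report[0] = '\0';
    if (!ini_get(ini, "strName", name, sizeof name) || strcmp(name, guest_release) != 0)
        REPORT("strName '%s' does not match guest uname -r '%s'\n", name, guest_release);
    if (addr < KERNEL_BASE)
        REPORT("init_task_addr 0x%lx is below the kernel base\n", addr);
    if (swapper_addr && addr != swapper_addr)
        REPORT("init_task_addr 0x%lx differs from DECAF's swapper task 0x%lx\n", addr, swapper_addr);
    for (i = 0; i < sizeof ts_keys / sizeof ts_keys[0]; i++) {   /* offsets must lie inside task_struct */
        if (!ini_get(ini, ts_keys[i], buf, sizeof buf))
            REPORT("%s is missing\n", ts_keys[i]);
        else if (strtoul(buf, NULL, 10) >= size)
            REPORT("%s=%s lies outside task_struct (init_task_size=%lu)\n", ts_keys[i], buf, size);
    }
    for (i = 0; i < sizeof addr_keys / sizeof addr_keys[0]; i++)   /* symbols must be kernel addresses */
        if (ini_get(ini, addr_keys[i], buf, sizeof buf) && strtoul(buf, NULL, 10) < KERNEL_BASE)
            REPORT("%s=%s is below the kernel base\n", addr_keys[i], buf);
#undef REPORT
    return problems;
}

int main(void)
{
    char report[1024];
    int n = check_procinfo(PROCINFO_INI, "3.5.0-54-generic", 0xc1867200UL, report, sizeof report);
    printf("%d problem(s)\n%s", n, report);
    return n != 0;
}
```

The swapper comparison is the cheapest of these: DECAF prints the address it found at startup, and the decimal init_task_addr in the section (3246813696) is exactly 0xc1867200, so the section really is the one matched. A mismatch there, or an offset at or beyond init_task_size, would point at a procinfo problem rather than at the plugin.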


gabriel

Oct 5, 2017, 11:25:06 AM
to decaf-platform-discuss
I also tried GDB. The problem is located at /decaf/shared/utils/Output.c:32:

32  void DECAF_printf(const char* fmt, ...)
33  {
34      va_list ap;
35      va_start(ap, fmt);
36      DECAF_vprintf(ofp, fmt, ap);
37      va_end(ap);
38  }

Heng Yin

Oct 5, 2017, 3:10:06 PM
to decaf-platform-discuss
You might want to look at the backtrace to find out which function calls this function. It looks like the arguments are corrupted.

Heng
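Heng's advice above is about the caller: the crash is reported inside DECAF_printf, but the wrapper only forwards what it was given, so `bt` (and `frame N` / `print fmt` / `print ap` in the crashing frame) is what shows who passed the bad arguments. Independently of that, a wrapper of this shape has two failure modes worth guarding against: a NULL or already-closed output stream (for instance if a plugin closes its output file when the traced process ends, an assumption not confirmed in this thread), and a va_list handed to more than one consumer without va_copy. The code below is an added example, not DECAF's code: it keeps the shape of the DECAF_printf shown in the previous post, assumes `ofp` is a FILE* (left NULL here on purpose), and the names guarded_vprintf, guarded_printf and guarded_last_line are mine. It is a hardening pattern, not a diagnosis of this crash.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for DECAF's global output stream `ofp` (assumed to be a FILE*).
 * Deliberately left NULL here so the guard below is exercised. */
static FILE *ofp = NULL;

/* Copy of the most recent message, so callers (and tests) can inspect what was formatted. */
static char last_line[256];

/* vfprintf-style sink that survives a missing stream and reuses the va_list safely.
 * A va_list may be walked only once: vsnprintf gets a va_copy, vfprintf the original.
 * Handing the same list to two consumers without copying is undefined behaviour. */
static int guarded_vprintf(FILE *fp, const char *fmt, va_list ap)
{
    va_list ap2;
    int n;

    if (fmt == NULL)
        return -1;

    va_copy(ap2, ap);
    n = vsnprintf(last_line, sizeof last_line, fmt, ap2);
    va_end(ap2);

    if (fp == NULL)          /* stream never opened, or already closed: vfprintf(NULL, ...) would crash */
        return n;
    return vfprintf(fp, fmt, ap);
}

/* Same shape as the DECAF_printf in the previous post: forward the va_list, never the `...`. */
int guarded_printf(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = guarded_vprintf(ofp, fmt, ap);
    va_end(ap);
    return n;
}

const char *guarded_last_line(void)
{
    return last_line;
}

int main(void)
{
    /* ofp is NULL here: the message is still formatted, nothing is dereferenced */
    guarded_printf("Process [%s] with pid [%d] ended\n", "foo", 2253);
    ofp = stdout;
    guarded_printf("Callback Count = %d\n", 4338377);
    return 0;
}
```

If a real backtrace shows a sane `fmt` and `ap` in the DECAF_printf frame but garbage one frame up, the corruption happened before the call (for example, a callback invoked with arguments belonging to a process structure that was already torn down); if `fmt` itself is already garbage in the crashing frame, look at the caller's format string and argument list instead.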


gabriel

Oct 11, 2017, 6:01:11 PM
to decaf-platform-discuss
Thank you, Heng. 

I tried to debug, but GDB could not resolve most of the symbols. When I tried to reconfigure DECAF with the option "--enable-debug" and then run "make", I got these errors:

decaf/target-i386/translate.c:6869:22: error: incompatible types when assigning to type ‘TCGv_i32’ from type ‘TCGv_ptr’ :
> t_cur_pc = tcg_const_ptr(cur_pc);

There are multiple occurrences of this incompatibility. I checked the source code; both 'TCGv_i32' and 'TCGv_ptr' are defined as 'int'. Maybe I misunderstand it.

Later I chose an old version of DECAF (1.6), and it works smoothly for now.


Xunchao Hu

Oct 11, 2017, 6:28:46 PM
to decaf-platf...@googlegroups.com
Can you test on Ubuntu 14.04 or later?


gabriel

Oct 11, 2017, 6:59:44 PM
to decaf-platform-discuss
Thanks for your pointers, Xunchao. Actually, I did try it on Ubuntu 14.04 and the errors are the same:
1. DECAF crashes after the plugin has finished its execution. For example, normally when using calltracetest.so on the guest command "ls", the message after the previous test is "Please execute ls again to start next test" and DECAF is still running. In my case DECAF just crashed with a seg fault.

2. Configuring with "--enable-debug" and then running make throws the incompatibility issue.