
Two Bugs in CFG Generation: Bit-Vector Length Mismatch and List Index Out of Range #426

@hwu71

Description


I found two bugs when trying to get the CFG for the attached binary.

Bug 1: comparing two bit-vectors that have different lengths.

>>> # Contains some debug info
>>> a.args[1]
<BV32 0x1>
>>> ast.all_operations.BVV(1, 1)
<BV1 1>

>>> a.args[1] == ast.all_operations.BVV(1, 1)
Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/backends/backend.py", line 359, in is_false
    return self._false_cache[e.cache_key]
  File "/usr/lib/python3.10/weakref.py", line 416, in __getitem__
    return self.data[ref(key)]
KeyError: <weakref at 0x77598ecf48b0; to 'ASTCacheKey' at 0x77598eee2770>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/ast/base.py", line 1191, in _excavate_ite
    ast = next(ast_queue[-1])
StopIteration

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/hongwei/Desktop/Codes/angr-dev/claripy/claripy/operations.py", line 50, in _op
    raise ClaripyOperationError(msg)
claripy.errors.ClaripyOperationError: args' length must all be equal

Potential fix: In simplifications.py, check the length of a.args[x] and b.args[x] before the comparison, or generate BVV 0/1 using the length of a.args[x] and b.args[x].

After fixing bug 1, I found another bug in angr.
Bug 2:

Traceback (most recent call last):
  File "/home/hongwei/Desktop/Codes/AMP_pipeline/src/misc/angr_amp_240724.py", line 4, in <module>
    cfg = proj.analyses.CFGFast()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 217, in __call__
    r = w(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/analysis.py", line 202, in wrapper
    oself.__init__(*args, **kwargs)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 844, in __init__
    self._analyze()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/forward_analysis/forward_analysis.py", line 269, in _analyze
    self._post_analysis()
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 1562, in _post_analysis
    self._remove_redundant_overlapping_blocks(function_alignment=4, is_arm=True)
  File "/home/hongwei/Desktop/Codes/angr-dev/angr/angr/analyses/cfg/cfg_fast.py", line 3363, in _remove_redundant_overlapping_blocks
    if b.instruction_addrs[0] not in a.instruction_addrs and b in self.graph:
IndexError: list index out of range

Potential fix: In cfg_fast.py, check len(b.instruction_addrs) > 0 before accessing instruction_addrs[0].

Steps to reproduce the bug

import angr

# Attached binary (program_c.gcc.zip); running CFGFast on it triggers both bugs
path = "program_c.gcc.vuln"
proj = angr.Project(path, load_options={'auto_load_libs': False})
cfg = proj.analyses.CFGFast()

program_c.gcc.zip

Environment

angr-dev v9.2.112

Additional context

No response
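The two defensive checks proposed in this report, as an added example. This is not code from claripy, angr, or the issue author: it is a constructed pure-Python model in which `BitVec`, `WidthMismatch`, `bvv_like`, `safe_eq_const`, `Block`, `misaligned_overlaps`, `raises` and the sample `BLOCKS` are stand-ins for the real objects, so the width-mismatch path (Bug 1) and the empty `instruction_addrs` path (Bug 2) can be exercised without the attached binary. Only the predicate from the traceback (`b.instruction_addrs[0] not in a.instruction_addrs`) is reproduced; the rest of `_remove_redundant_overlapping_blocks` is not modelled.

```python
# Added example: a self-contained model of the two checks proposed in this
# issue.  Nothing here is claripy's or angr's real code; BitVec/Block and all
# helper names are constructed stand-ins so the failure modes can be run
# without the attached binary.
from dataclasses import dataclass, field


class WidthMismatch(ValueError):
    """Stand-in for ClaripyOperationError("args' length must all be equal")."""


@dataclass(frozen=True)
class BitVec:
    value: int
    width: int  # bit width; claripy exposes this as .length / .size()

    def __post_init__(self):
        if self.width < 1 or not 0 <= self.value < (1 << self.width):
            raise ValueError(f"{self.value:#x} does not fit in {self.width} bits")

    def eq(self, other):
        # Bug 1 as reported: a width mismatch is an error, not a False result,
        # so BV32 == BV1 aborts the simplifier instead of returning a value.
        if self.width != other.width:
            raise WidthMismatch("args' length must all be equal")
        return self.value == other.value


def bvv_like(template, value):
    """Second fix from the issue: build the 0/1 constant with the width of the
    operand it is compared against, instead of a hard-coded BVV(1, 1)."""
    return BitVec(value, template.width)


def safe_eq_const(bv, value):
    """First fix from the issue: check widths before comparing.  A constant
    that cannot fit the operand's width can never be equal, so return False
    rather than raising."""
    if value >= 1 << bv.width:
        return False
    return bv.eq(bvv_like(bv, value))


@dataclass
class Block:
    addr: int
    size: int
    instruction_addrs: list = field(default_factory=list)

    @property
    def end(self):
        return self.addr + self.size


def misaligned_overlaps(blocks, guard=True):
    """Pairs (a.addr, b.addr) where b starts inside a but not on one of a's
    instruction boundaries (the predicate on instruction_addrs[0] from the
    Bug 2 traceback).  With guard=True a block whose instruction_addrs is
    empty (e.g. one that could not be lifted) is skipped, which is the
    len(...) > 0 check the issue proposes; guard=False reproduces the
    original IndexError."""
    found = []
    ordered = sorted(blocks, key=lambda b: b.addr)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.addr >= a.end:
                break  # sorted by address, so nothing later can overlap a
            if guard and (not a.instruction_addrs or not b.instruction_addrs):
                continue
            if b.instruction_addrs[0] not in a.instruction_addrs:
                found.append((a.addr, b.addr))
    return found


def raises(exc, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc; used to show the failing paths."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


# Constructed sample: three overlapping 4-byte-aligned blocks plus one with
# no lifted instructions (the shape that hit the IndexError).
BLOCKS = [
    Block(0x1000, 8, [0x1000, 0x1004]),
    Block(0x1002, 4, [0x1002]),   # starts mid-instruction of the first block
    Block(0x1004, 4, [0x1004]),   # starts on an instruction boundary
    Block(0x1006, 2, []),         # empty instruction_addrs
]

if __name__ == "__main__":
    a32, one1 = BitVec(1, 32), BitVec(1, 1)
    print("strict compare raises:", raises(WidthMismatch, a32.eq, one1))
    print("width-aware compare:", safe_eq_const(a32, 1))
    print("guarded overlaps:", [(hex(x), hex(y)) for x, y in misaligned_overlaps(BLOCKS)])
    print("unguarded raises IndexError:", raises(IndexError, misaligned_overlaps, BLOCKS, guard=False))
```

Running the module prints the strict comparison failing, the width-aware comparison succeeding, the two genuinely misaligned block pairs, and the IndexError that the unguarded loop hits on the block with no instructions.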
