Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

TypeError: run_initializer() takes 1 positional argument but 6 were given

See original GitHub issue

I have this very simple C program with a buffer overflow on the stack:

#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]) {
    char buf[32];
    strcpy(buf,argv[1]);
    printf("Input:%s\n",buf);
    return 0;
}

I compiled it using gcc -g -fno-stack-protector -z execstack -o csbo csbo.c. Now I have the following code in angr:


def main():

    # Tell angr to go through strcpy
    proj = angr.Project("./csbo", exclude_sim_procedures_list=["strcpy"])

    options = {
        angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
        angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS,
        angr.options.CONSTRAINT_TRACKING_IN_SOLVER
    }
    options.update(angr.options.unicorn)
    state = proj.factory.entry_state(
        add_options=options,
        remove_options={
            angr.options.LAZY_SOLVES,
            angr.options.SYMBOLIC_MEMORY_NO_SINGLEVALUE_OPTIMIZATIONS
        }
    )

    # We're looking for unconstrained paths
    sm = proj.factory.simulation_manager(state, save_unconstrained=True)

    # Step execution until we find unconstrained paths
    while sm.active and not sm.unconstrained:
        sm.step()

    print(sm)

    # Make a copy of the state
    if not sm.unconstrained:
        raise Exception("Uh oh! Did not find any unconstrained paths!")
    s = sm.unconstrained[0].copy()

    print(s)


if __name__ == '__main__':
    main()

In the logs I can see that it encounters unconstrained paths. After some time, it fails with the following trace:

Traceback (most recent call last):
  File "solve2.py", line 49, in <module>
    main()
  File "solve2.py", line 36, in main
    sm.step()
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/sim_manager.py", line 343, in step
    successors = self.step_state(state, successor_func=successor_func, **run_args)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/sim_manager.py", line 381, in step_state
    successors = self.successors(state, successor_func=successor_func, **run_args)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/sim_manager.py", line 420, in successors
    return self._project.factory.successors(state, **run_args)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/factory.py", line 54, in successors
    return self.project.engines.successors(*args, **kwargs)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/engines/hub.py", line 128, in successors
    r = engine.process(state, **kwargs)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/engines/hook.py", line 55, in process
    return self.project.factory.procedure_engine.process(state, procedure, force_addr=force_addr, **kwargs)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/engines/procedure.py", line 31, in process
    force_addr=force_addr)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/engines/engine.py", line 60, in process
    self._process(new_state, successors, *args, **kwargs)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/engines/procedure.py", line 65, in _process
    inst = procedure.execute(state, successors, ret_to=ret_to)
  File "/home/vivin/Projects/rampage/venv/lib/python3.7/site-packages/angr/sim_procedure.py", line 182, in execute
    r = getattr(inst, inst.run_func)(*sim_args, **inst.kwargs)
TypeError: run_initializer() takes 1 positional argument but 6 were given

The binary takes in a command-line argument, but I have not specified it as symbolic. I was just curious to see how angr would behave in this situation; specifically whether it could tell that the unconstrained paths could be caused by the command-line argument. I’m not sure if that’s the reason for this particular error or not.

Issue Analytics

State:
Created 4 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

3reactions

rhelmotcommented, Jun 5, 2019

ah. well. this one is pretty much just your fault.

you didn’t provide any command line arguments, so this means that argv is just the name of the program and argc is 1. So your program is dereferencing null and you’re not seeing it because you added SYMBOL_FILL_UNCONSTRAINED_MEMORY. Then, this particular error pops up because there is a path that overwrites exactly two of the bytes of the return address, so the first one is anything-but-null and the second is null. This is 255 possible addresses, i.e. few enough for angr to explore them all explicitly. Because the original return address was to the externs segment, this means that we now have states pointing at every address in the first 256 bytes of the externs segment (except the first one), and they’re going to try to run the hooked procedures at those addresses. It’s a gigantic shitshow, and this is one of the things that falls out of it. I guess there could be a better error message, but this is just a disaster.

1reaction

rhelmotcommented, Jun 5, 2019

With the new commit, this eventuality will result in SimShadowStackError("I can't emulate this consequence of stack smashing"), which will be caught and put into the errored list, and the script finishes correctly.