Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Multiple occurences of NT_PRSTATUS notes in core file
See original GitHub issueI have a core dump from gdb when running Firefox. Since it has multiple threads, in my core file, there are multiple NT_PRSTATUS. When loading with elf backend, it throws:
Traceback (most recent call last):
File "CVE-2018-18492.py", line 12, in <module>
e = executor.Executor("/nas/ug16zy2/core", log_interval=100, log_file='out.log', debug=False)
File "/home/ug16zy2/angr-dev/symbolic/executor.py", line 23, in __init__
self.ap = angr.Project(self.core_file, main_opts={'backend': 'elfcore'},rebase_granularity=0x1000)
File "/home/ug16zy2/angr-dev/angr/angr/project.py", line 128, in __init__
self.loader = cle.Loader(self.filename, concrete_target=concrete_target, **load_options)
File "/home/ug16zy2/angr-dev/cle/cle/loader.py", line 134, in __init__
self.initial_load_objects = self._internal_load(main_binary, *preload_libs, preloading=True)
File "/home/ug16zy2/angr-dev/cle/cle/loader.py", line 664, in _internal_load
main_obj = self._load_object_isolated(main_spec)
File "/home/ug16zy2/angr-dev/cle/cle/loader.py", line 767, in _load_object_isolated
return backend_cls(full_spec, is_main_bin=self.main_object is None, loader=self, **options)
File "/home/ug16zy2/angr-dev/cle/cle/backends/elf/elfcore.py", line 73, in __init__
self.__extract_note_info()
File "/home/ug16zy2/angr-dev/cle/cle/backends/elf/elfcore.py", line 103, in __extract_note_info
self.__parse_notes(seg_readelf)
File "/home/ug16zy2/angr-dev/cle/cle/backends/elf/elfcore.py", line 133, in __parse_notes
raise CLEError("Multiple occurences of NT_PRSTATUS notes in core file")
cle.errors.CLEError: Multiple occurences of NT_PRSTATUS notes in core file
How should I load this core dump in this case?
I think I just need symbolic execution on Thread 0, so I make it only considers prostates[0] in elfcore.py:
prstatus = [x for x in self.notes if x.n_type == 'NT_PRSTATUS']
# if len(prstatus) > 1:
# raise CLEError("Multiple occurences of NT_PRSTATUS notes in core file")
prstatus = prstatus[0]
Not sure if it is ok. However it seems that the memory region corresponding Thread Information Block pointed by fs register is not loaded because during symbolic execution, it says the memory pointed by fs is uninitialised.
I checked that the loader contains a ELFTLSObject of address [0x80000:0x105010], but the fs register points to 0x3e29286100000000, which I think should be a TLS block?
In [12]: self.ap.loader.all_objects
Out[12]:
[<ExternObject Object cle##externs, maps [0x0:0x80000]>,
<ELFTLSObject Object cle##tls, maps [0x80000:0x105010]>,
<KernelObject Object cle##kernel, maps [0x106000:0x10e000]>,
<ELFCore Object core, maps [0x3480acd42000:0xffffffffff600fff]>]
In [13]: s.regs.fs
Out[13]: <BV64 0x3e29286100000000>
Can anyone help me? Thanks!
Issue Analytics
- State:
- Created 4 years ago
- Comments:10 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I genuinely do not know how the decision to include or exclude given segments from the core file is made, but I’ve hacked together the best solution I can. Your secondary problem should be fixed now.
I implemented the thing I described in the feat/coredump_threads branch, which now has an angr component which lets you say which thread you’d like to initialize with. The reason it took so long is that I started trying to make it work on arches other than amd64 and it’s honestly a shitshow out there. The core dumps that gdb generates for i386 literally don’t contain enough information to match up thread local storage regions with threads (but cores generated by the kernel do!) and then everything went straight to shit when I tried to look at a mips coredump.