Exception: Internal error: cannot translate address #95

Open
likaiam opened this issue Dec 23, 2022 · 6 comments

Comments

@likaiam

likaiam commented Dec 23, 2022

I was using Driller to hybrid-fuzz sqlite (a database program), but it seemingly cannot be used on database programs and raises Exception("Internal error: cannot translate address"). The following is the stack trace:
Drilling input: b"CREATE TABLE v0 ( v1 INTEGER ) ; SELECT v1 FROM v0 WHERE v1 = 'v0' AND ( v1 = 8 OR v1 =9223372036854775808 ) ORDER BY v1 ; SELECT v1, sum ( v1 ) OVER( PARTITION BY v1 ORDER BY v1 ) FROM v0 ; "
WARNING | 2022-12-19 13:43:46,883 | pyvex.lifting.gym.x86_spotter | The generalized AAM instruction is not supported by VEX, and is handled specially by pyvex. It has no flag handling at present. See pyvex/lifting/gym/x86_spotter.py for details
WARNING | 2022-12-19 13:43:47,228 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
WARNING | 2022-12-19 13:43:49,888 | cle.backends.tls | The provided object has an invalid tls_data_size. Skip TLS loading.
Traceback (most recent call last):
File "run_driller.py", line 70, in <module>
main()
File "run_driller.py", line 56, in main
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 101, in drill_generator
for i in self._drill_input():
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/driller/driller_main.py", line 143, in _drill_input
simgr.step()
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
simgr.step(stash=stash, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 343, in step
return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 41, in step
simgr.step(stash=stash, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 95, in call
return self.func(*args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 407, in step
successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 90, in call
result = current_hook(self.func.self, *args, **kwargs)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 406, in step_state
self._update_state_tracking(succs[0])
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 574, in _update_state_tracking
self._sync_return(state, idx)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 890, in _sync_return
return self._sync(state, idx, ret_addr)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 893, in _sync
addr_translated = self._translate_state_addr(addr)
File "/home/linuxbrew/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 640, in _translate_state_addr
raise Exception("Internal error: cannot translate address")
Exception: Internal error: cannot translate address

@likaiam
Author

likaiam commented Dec 23, 2022

This is the script calling Driller.

import errno
import os
import os.path
import sys
import time
from driller import Driller


def save_input(content, dest_dir, count):
    """Saves a new input to a file where AFL can find it.
    File will be named id:XXXXXX,driller (where XXXXXX is the current value of
    count) and placed in dest_dir.
    """
    name = 'id:%06d,driller' % count
    # Driller yields the new inputs as raw bytes, so write in binary mode
    with open(os.path.join(dest_dir, name), 'wb') as destfile:
        destfile.write(content)


def main():
    if len(sys.argv) != 3:
        print('Usage: %s <binary> <fuzzer_output_dir>' % sys.argv[0])
        sys.exit(1)
    _, binary, fuzzer_dir = sys.argv
    # Figure out directories and inputs
    with open(os.path.join(fuzzer_dir, 'fuzz_bitmap'), 'rb') as bitmap_file:
        fuzzer_bitmap = bitmap_file.read()
    source_dir = os.path.join(fuzzer_dir, 'queueDrill')
    dest_dir = os.path.join(fuzzer_dir, 'queue')
    # Make sure destination exists
    try:
        os.makedirs(dest_dir)
    except os.error as e:
        if e.errno != errno.EEXIST:
            raise
    seen = set()  # Keeps track of source files already drilled
    count = len(os.listdir(dest_dir))  # Helps us name outputs correctly
    # Repeat forever in case AFL finds something new
    while True:
        # Go through all of the files AFL has generated, but only once each
        for source_name in os.listdir(source_dir):
            if source_name in seen or not source_name.startswith('id:'):
                continue
            seen.add(source_name)
            # Seeds are read as raw bytes, which is what Driller expects
            # (the b"..." in the log above shows the seed is a bytes object)
            with open(os.path.join(source_dir, source_name), 'rb') as seedfile:
                seed = seedfile.read()
            print('Drilling input: %s' % seed)
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1
            # Try a larger input too because Driller won't do it for you
            seed = seed + b'0000'
            print('Drilling input: %s' % seed)
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1
        time.sleep(10)


if __name__ == '__main__':
    main()

@likaiam
Author

likaiam commented Dec 23, 2022

And I also used the docker https://hub.docker.com/r/zjuchenyuan/driller.
When I tried to hybrid-fuzz Mp3Gain (the example program), it worked. However, when I tried to fuzz sqlite (a database program), it reported the following errors. I don't know whether Driller (angr) can be used on database programs.

@rhelmot
Member

rhelmot commented Dec 23, 2022

Again,

  • there's nothing special about "database programs" that makes angr unable to fuzz them. there must be something else wrong
  • please attach the exact binary you're analyzing

@likaiam
Author

likaiam commented Dec 23, 2022

sqlite3.zip
This is the binary, in the zip.

@likaiam
Author

likaiam commented Dec 25, 2022

Expecting a reply. Thank you very much.

@rhelmot
Member

rhelmot commented Dec 25, 2022

Please be patient. Today is Christmas and nobody is working.
