This repository was archived by the owner on May 18, 2022. It is now read-only.

stuck in fgets() SimProcedure? #112

@zzloo7

Description

I used pathgroup.explorer() to explore paths in Aeon, which was reported as vulnerable before in several vulnerability databases (Advisory ID: CVE-2005-1019). I noticed it got stuck in a fgets() in the third cycle of a loop, with just no response. I have no idea why this would happen, and I'm unsure what I should do.

Running environment: Ubuntu 15.10
python version: 2.7
angr version: 6.7.3.26

The source code is as follows:

int getConfig(char settings[MAX_SETTINGS][MAX_LEN])
{
	char home[MAX_LEN];
	FILE *fp;				/* .rc file handler */
	int numSet = 0;				/* number of settings */

	strcpy(home, getenv("HOME"));		/* get home path */
	strcat(home, "/.aeonrc");		/* full path to rc file */
	fp = fopen(home, "r");		
	if (fp == NULL) return -1; 		/* no cfg - ERROR */
	while (fgets(settings[numSet], MAX_LEN-1, fp) && (numSet < MAX_SETTINGS)) numSet++; //stuck here
	fclose(fp);

	return numSet;
}

The corresponding disassembly is as follows:

	while (fgets(settings[numSet], MAX_LEN-1, fp) && (numSet < MAX_SETTINGS)) numSet++;
  402474:	83 85 e4 fd ff ff 01 	addl   $0x1,-0x21c(%rbp)
  40247b:	8b 85 e4 fd ff ff    	mov    -0x21c(%rbp),%eax
  402481:	48 98                	cltq   
  402483:	48 c1 e0 09          	shl    $0x9,%rax
  402487:	48 89 c2             	mov    %rax,%rdx
  40248a:	48 8b 85 d8 fd ff ff 	mov    -0x228(%rbp),%rax
  402491:	48 8d 0c 02          	lea    (%rdx,%rax,1),%rcx
  402495:	48 8b 85 e8 fd ff ff 	mov    -0x218(%rbp),%rax
  40249c:	48 89 c2             	mov    %rax,%rdx
  40249f:	be ff 01 00 00       	mov    $0x1ff,%esi
  4024a4:	48 89 cf             	mov    %rcx,%rdi
  4024a7:	e8 44 e9 ff ff       	callq  400df0 <fgets@plt>      //stuck here
  4024ac:	48 85 c0             	test   %rax,%rax
  4024af:	74 09                	je     4024ba <getConfig+0xfc>
  4024b1:	83 bd e4 fd ff ff 05 	cmpl   $0x5,-0x21c(%rbp)
  4024b8:	7e ba                	jle    402474 <getConfig+0xb6>

And I checked fgets.py in simuvex; the process stopped at the following statement.

        # read in up to the newline
        ret = self.inline_call(simuvex.SimProcedures['libc.so.6']['read'], fd, dst, distance).ret_expr
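A hardened rewrite of the getConfig loop above, added here as an example and not code from the issue or from Aeon: the original tests numSet only after fgets has already written into settings[numSet], so its last iteration writes into settings[MAX_SETTINGS], and the rc path is built with unbounded strcpy/strcat on HOME. The rewrite tests the bound before the write and uses a bounded snprintf. MAX_LEN = 512 and MAX_SETTINGS = 6 are assumed from the shl $0x9 and cmpl $0x5 in the disassembly; the harness and its .aeonrc contents are constructed.

```c
#define _GNU_SOURCE          /* mkdtemp, setenv */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Sizes assumed from the disassembly in the issue: shl $0x9 gives a
 * 512-byte row (MAX_LEN), cmpl $0x5 / jle gives MAX_SETTINGS = 6. */
#define MAX_SETTINGS 6
#define MAX_LEN 512
/* Hardened rewrite of getConfig (not Aeon's code): the row index is tested
 * before fgets writes, so settings[MAX_SETTINGS] is never reached, and the
 * rc path is built with a bounded snprintf instead of strcpy/strcat. */
int getConfigSafe(char settings[MAX_SETTINGS][MAX_LEN])
{
    char home[MAX_LEN];
    const char *env = getenv("HOME");
    FILE *fp;
    int numSet = 0;

    if (env == NULL) return -1;                         /* no HOME - ERROR */
    if (snprintf(home, sizeof home, "%s/.aeonrc", env) >= (int)sizeof home)
        return -1;                                      /* path too long */
    fp = fopen(home, "r");
    if (fp == NULL) return -1;                          /* no cfg - ERROR */
    while (numSet < MAX_SETTINGS && fgets(settings[numSet], MAX_LEN - 1, fp))
        numSet++;
    fclose(fp);
    return numSet;
}

/* Harness: write a constructed .aeonrc with `lines` lines under a temporary
 * HOME, run getConfigSafe on it, return its result (-2 on setup failure). */
int countSettingsFromRc(int lines)
{
    char dir[] = "/tmp/aeonrcXXXXXX";
    char path[64];
    char settings[MAX_SETTINGS][MAX_LEN];
    FILE *fp;
    int i, n;

    if (mkdtemp(dir) == NULL) return -2;
    snprintf(path, sizeof path, "%s/.aeonrc", dir);
    if ((fp = fopen(path, "w")) == NULL) return -2;
    for (i = 0; i < lines; i++) fprintf(fp, "option%d = value\n", i);
    fclose(fp);
    setenv("HOME", dir, 1);
    n = getConfigSafe(settings);
    unlink(path);
    rmdir(dir);
    return n;
}
```

With more lines in the file than MAX_SETTINGS, the rewrite stops at 6; the original loop would have performed a seventh fgets into settings[6].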
