Segmentation fault in Pluto::BogusControlFlowPass #70

Open
mitsuakki opened this issue Nov 12, 2024 · 1 comment
mitsuakki commented Nov 12, 2024

I encountered a segmentation fault while running the Pluto::BogusControlFlowPass on my LLVM IR code. The issue occurs when running the pass with opt, resulting in a crash. The error happens specifically when attempting to analyze and transform the control flow in the main.ll IR file.

The crash happens consistently with the following command:

opt -load-pass-plugin=./lib/libpasses-18.so -passes "pluto-bogus-control-flow" main.ll -S -o bogus.ll -debug-pass-manager

The libpasses-18.so file is just the compilation result of this code, which consists of passes that apply various obfuscation methods.

The result of the command above is:

Running analysis: InnerAnalysisManagerProxy<FunctionAnalysisManager, Module> on [module]
Running pass: Pluto::BogusControlFlowPass on main (57 instructions)
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: opt -load-pass-plugin=./lib/libpasses-17.so -passes pluto-bogus-control-flow dump/pluto/main.ll -S -o dump/pluto/bogus/bogus.ll -debug-pass-manager
 #0 0x00007879d5394716 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0xd94716)
 #1 0x00007879d53926d0 llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0xd926d0)
 #2 0x00007879d5394ddb (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0xd94ddb)
 #3 0x00007879d3e42520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #4 0x00007879d416326c llvm::Value::getValueID() const (./lib/libpasses-17.so+0x6026c)
 #5 0x00007879d4163255 llvm::Instruction::getOpcode() const (./lib/libpasses-17.so+0x60255)
 #6 0x00007879d4163015 llvm::Instruction::isTerminator() const (./lib/libpasses-17.so+0x60015)
 #7 0x00007879d4162f7a llvm::BasicBlock::getTerminator() const (./lib/libpasses-17.so+0x5ff7a)
 #8 0x00007879d4162b65 llvm::BasicBlock::getTerminator() (./lib/libpasses-17.so+0x5fb65)
 #9 0x00007879d4161a55 Pluto::BogusControlFlowPass::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (./lib/libpasses-17.so+0x5ea55)
#10 0x00007879d418d764 llvm::detail::PassModel<llvm::Function, Pluto::BogusControlFlowPass, llvm::PreservedAnalyses, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (./lib/libpasses-17.so+0x8a764)
#11 0x00007879d5510514 llvm::PassManager<llvm::Function, llvm::AnalysisManager<llvm::Function> >::run(llvm::Function&, llvm::AnalysisManager<llvm::Function>&) (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0xf10514)
#12 0x00007879d73f5fdd (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0x2df5fdd)
#13 0x00007879d5513b81 llvm::ModuleToFunctionPassAdaptor::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0x8a764)
#14 0x00007879d73f5dfd (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0x2df5dfd)
#15 0x00007879d550f2f4 llvm::PassManager<llvm::Module, llvm::AnalysisManager<llvm::Module> >::run(llvm::Module&, llvm::AnalysisManager<llvm::Module>&) (/lib/x86_64-linux-gnu/libLLVM-18.so.18.1+0xf0f2f4)
#16 0x000063dffc700e49 llvm::runPassPipeline(llvm::StringRef, llvm::Module&, llvm::TargetMachine*, llvm::TargetLibraryInfoImpl*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::ToolOutputFile*, llvm::StringRef, llvm::ArrayRef<llvm::PassPlugin>, llvm::opt_tool::OutputKind, llvm::opt_tool::VerifierKind, bool, bool, bool, bool, bool, bool, bool) (/usr/lib/llvm-18/bin/opt+0x1de49)
#17 0x000063dffc70d96a main (/usr/lib/llvm-18/bin/opt+0x2a96a)
#18 0x00007879d3e29d90 __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#19 0x00007879d3e29e40 call_init ./csu/../csu/libc-start.c:128:20
#20 0x00007879d3e29e40 __libc_start_main ./csu/../csu/libc-start.c:379:5
#21 0x000063dffc6fab25 _start (/usr/lib/llvm-18/bin/opt+0x17b25)
Segmentation fault (core dumped)

Steps to reproduce

  1. Compile the C source code into LLVM IR:
     clang -c -S -emit-llvm -O1 main.c -o main.ll
  2. Load and apply the Pluto::BogusControlFlowPass with the following command:
     opt -load-pass-plugin=./lib/libpasses-18.so -passes "pluto-bogus-control-flow" main.ll -S -o bogus.ll -debug-pass-manager

Original C code

The code in main.c is as simple as it gets:

#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

char* good_string = (char*)"Phacomochere\0";
int size_good_string = 0;

uint64_t good_value = 0x6964654A654C6F59;

static bool RootFunction(char* string, uint64_t value)
{
    if (string == NULL)
        return false;

    size_good_string = strlen(good_string) + 1;
 
    for (int i = 0; i < size_good_string; ++i)
    {
        if (string[i] != good_string[i])
            return false;
    }

    if (value != good_value)
        return false;

    return true;
}

int main(int argc, char *argv[])
{
    size_good_string = strlen(good_string) + 1;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s <string> <hex_value>\n", argv[0]);
        return 1;
    }

    uint64_t value = strtoull(argv[2], NULL, 16);

    if (RootFunction(argv[1], value)) {
        printf("RootFunction returned true.\n");
    } else {
        printf("RootFunction returned false.\n");
    }

    return 0;
}

Environment:

  • LLVM version: 18.1 (via llvm-config --version)
  • Operating System: Ubuntu 22.04.5 LTS, 64-bit
  • GNOME Version: 42.9
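The stack dump above names ./lib/libpasses-17.so while the command line loads ./lib/libpasses-18.so, so one hypothesis worth ruling out before debugging the pass itself is a pass plugin linked against a different libLLVM major than the opt that loads it (such mixes are unsupported and crash in inlined header code). The following pre-flight script is an added example, not code from the issue or from the Pluto project; it parses `ldd` and `opt --version` output (sample lines below are constructed) and, in `--live` mode, runs the issue's own reproduction steps and reports a segfault exit status.

```shell
#!/bin/sh
# Added triage helper (not from the issue or the Pluto project): check that the
# pass plugin and opt link the same libLLVM major before running the pass.

# Extract the libLLVM major from `ldd <plugin>` output. Handles both the
# Debian/Ubuntu name "libLLVM-17.so.17" and the upstream "libLLVM.so.18.1".
# Prints nothing and returns 1 if the plugin is not linked against libLLVM.
llvm_major_from_ldd() {
    printf '%s\n' "$1" \
      | sed -n 's/.*libLLVM-\([0-9][0-9]*\)\.so.*/\1/p; s/.*libLLVM\.so\.\([0-9][0-9]*\).*/\1/p' \
      | head -n 1 | grep .
}

# Extract the major from `opt --version` output ("LLVM version 18.1.3" -> 18).
opt_major_from_version() {
    printf '%s\n' "$1" \
      | sed -n 's/.*LLVM version \([0-9][0-9]*\)\..*/\1/p' \
      | head -n 1 | grep .
}

# Returns 0 when plugin and opt agree, 1 on mismatch or when undetermined.
plugin_matches_opt() {
    plugin_major=$(llvm_major_from_ldd "$1") || return 1
    opt_major=$(opt_major_from_version "$2") || return 1
    [ "$plugin_major" = "$opt_major" ]
}

# Live mode: run the real tools and the reproduction steps from the issue.
# Usage: sh check_plugin.sh --live [path/to/libpasses.so]
if [ "${1:-}" = "--live" ]; then
    plugin=${2:-./lib/libpasses-18.so}
    if ! plugin_matches_opt "$(ldd "$plugin")" "$(opt --version)"; then
        echo "$plugin and opt link different libLLVM majors; rebuild the plugin against this LLVM" >&2
        exit 2
    fi
    clang -c -S -emit-llvm -O1 main.c -o main.ll || exit 1
    opt -load-pass-plugin="$plugin" -passes "pluto-bogus-control-flow" main.ll -S -o bogus.ll
    status=$?
    # 128 + SIGSEGV(11) = 139: opt itself crashed rather than reporting an error
    [ "$status" -eq 139 ] && echo "opt died with SIGSEGV (exit $status)" >&2
    exit "$status"
fi
```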
@mitsuakki (Author)

Seems to work with LLVM 16.0.6, I'm going to stick to it.
