Angr "Cannot execute following jumpkind Ijk_SigSEGV" #15

Open
andyhhp opened this issue Dec 22, 2023 · 0 comments
Labels
angr Bug related to angr behavior

andyhhp commented Dec 22, 2023

---------------- [ SCANNER ERROR ] ----------------
where: 0xffff82d0403301a0     started at: 0xffff82d040330170 
Cannot execute following jumpkind Ijk_SigSEGV
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 616, in run
    next_states = self.cur_state.step()
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
    return self.project.factory.successors(self, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
    return self.default_engine.process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
    return super().process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 15, in process_successors
    raise AngrExitError("Cannot execute following jumpkind %s" % jumpkind)
angr.errors.AngrExitError: Cannot execute following jumpkind Ijk_SigSEGV

File: xen-syms.gz
Args: --address ffff82d040330170 --name x86emul_read_xcr --base 0xffff82d040200000

The block is:

ffff82d040330170 <x86emul_read_xcr>:
ffff82d040330170:       f3 0f 1e fa             endbr64 
ffff82d040330174:       85 ff                   test   %edi,%edi
ffff82d040330176:       74 68                   je     ffff82d0403301e0 <x86emul_read_xcr+0x70>
ffff82d040330178:       83 ff 01                cmp    $0x1,%edi
ffff82d04033017b:       75 3b                   jne    ffff82d0403301b8 <x86emul_read_xcr+0x48>
ffff82d04033017d:       48 89 e0                mov    %rsp,%rax
ffff82d040330180:       48 0d ff 7f 00 00       or     $0x7fff,%rax
ffff82d040330186:       48 8b 40 c9             mov    -0x37(%rax),%rax
ffff82d04033018a:       48 8b 40 18             mov    0x18(%rax),%rax
ffff82d04033018e:       48 8b 80 90 08 00 00    mov    0x890(%rax),%rax
ffff82d040330195:       f6 80 a0 01 00 00 04    testb  $0x4,0x1a0(%rax)
ffff82d04033019c:       74 1a                   je     ffff82d0403301b8 <x86emul_read_xcr+0x48>
ffff82d04033019e:       89 f9                   mov    %edi,%ecx
ffff82d0403301a0:       0f 01 d0                xgetbv         // <--- here
ffff82d0403301a3:       48 c1 e2 20             shl    $0x20,%rdx
ffff82d0403301a7:       89 c0                   mov    %eax,%eax
ffff82d0403301a9:       48 09 c2                or     %rax,%rdx
ffff82d0403301ac:       31 c0                   xor    %eax,%eax
ffff82d0403301ae:       48 89 16                mov    %rdx,(%rsi)
ffff82d0403301b1:       c3                      retq   
ffff82d0403301b2:       66 0f 1f 44 00 00       nopw   0x0(%rax,%rax,1)
ffff82d0403301b8:       b8 0d 00 00 00          mov    $0xd,%eax
ffff82d0403301bd:       c6 42 3a 03             movb   $0x3,0x3a(%rdx)
ffff82d0403301c1:       66 89 42 38             mov    %ax,0x38(%rdx)
ffff82d0403301c5:       b8 02 00 00 00          mov    $0x2,%eax
ffff82d0403301ca:       c7 42 3c 00 00 00 00    movl   $0x0,0x3c(%rdx)
ffff82d0403301d1:       c6 42 31 01             movb   $0x1,0x31(%rdx)
ffff82d0403301d5:       c3                      retq   
ffff82d0403301d6:       66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
ffff82d0403301dd:       00 00 00 
ffff82d0403301e0:       48 89 e0                mov    %rsp,%rax
ffff82d0403301e3:       48 0d ff 7f 00 00       or     $0x7fff,%rax
ffff82d0403301e9:       48 8b 40 c9             mov    -0x37(%rax),%rax
ffff82d0403301ed:       48 8b 80 38 0b 00 00    mov    0xb38(%rax),%rax
ffff82d0403301f4:       48 89 06                mov    %rax,(%rsi)
ffff82d0403301f7:       31 c0                   xor    %eax,%eax
ffff82d0403301f9:       c3                      retq   

with the `where` referencing the xgetbv instruction. I can only assume this is an Angr issue, but no clue what Ijk_SigSEGV might be in terms of a jump type.

@AlviseDeFaveri AlviseDeFaveri added the angr Bug related to angr behavior label Feb 18, 2024
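A note on what `Ijk_SigSEGV` means here, with an added example of the usual angr workaround. Neither the note nor the code is part of the issue or of InSpectre Gadget. VEX's amd64 front end only models `xgetbv` for `ECX == 0` (XCR0); for any other index it emits an exit with jumpkind `Ijk_SigSEGV` whose target is the `xgetbv` instruction itself, and angr's `SimEngineFailure` refuses to step a state whose preceding jumpkind is a signal, which is the `AngrExitError` in the traceback. On the path shown, `%ecx` is loaded from `%edi`, and the `cmp $0x1,%edi / jne` just before it constrains `%edi` to 1, so the XCR1 (XINUSE) read in `x86emul_read_xcr` always takes that exit, and `where` lands on the `xgetbv` at `0xffff82d0403301a0`. When driving angr directly, the standard fix for an instruction the lifter cannot handle is to hook it with a Python function and `length=3`: the lifter then ends the block before the hooked address and skips the three instruction bytes after the hook runs. The file name, load base, function address and hook address below are taken from the report and are assumed to match the reader's binary; the XCR values the emulation returns are constructed samples, not values from any real CPU.

```python
"""Emulate XGETBV under angr so symbolic execution can continue past it.

Added example, not code from the issue or from InSpectre Gadget. Addresses
and the load base come from the issue report and are assumptions about
the reader's xen-syms; the XCR contents below are constructed samples.
"""

# Constructed XCR values returned by the emulated XGETBV:
#   XCR0: x87 | SSE | AVX state enabled
#   XCR1 (XINUSE): only x87 and SSE state currently in use
SAMPLE_XCRS = {
    0: 0x0000_0000_0000_0007,
    1: 0x0000_0000_0000_0003,
}


def xgetbv_result(index, xcrs=SAMPLE_XCRS):
    """Return (eax, edx) for XGETBV with ECX == index.

    VEX only accepts index 0 and turns any other index into an
    Ijk_SigSEGV exit, which angr then refuses to step. Here every index
    present in `xcrs` is served, so the XCR1 read in x86emul_read_xcr no
    longer terminates the path; an index we have no value for still fails
    loudly instead of silently returning garbage.
    """
    if index not in xcrs:
        raise ValueError(f"XGETBV: unsupported XCR index {index}")
    value = xcrs[index] & 0xFFFF_FFFF_FFFF_FFFF
    return value & 0xFFFF_FFFF, value >> 32


def xgetbv_hook(state):
    """angr hook body: EDX:EAX <- XCR[ECX]; angr skips the 3 bytes afterwards."""
    # On the reported path ECX is concrete (it was copied from EDI, which the
    # preceding cmp/jne constrained to 1). eval_one raises if ECX is not
    # single-valued, which is the right failure mode for a register index.
    index = state.solver.eval_one(state.regs.ecx)
    eax, edx = xgetbv_result(index)
    # Write the full 64-bit registers: the following
    # `shl $0x20,%rdx; mov %eax,%eax; or %rax,%rdx` relies on the upper
    # halves being zero, exactly as the hardware instruction leaves them.
    state.regs.rax = state.solver.BVV(eax, 64)
    state.regs.rdx = state.solver.BVV(edx, 64)


def install_xgetbv_hook(proj, addr, length=3):
    """Hook the 3-byte `0f 01 d0` XGETBV at `addr` with the emulation above."""
    proj.hook(addr, xgetbv_hook, length=length)
    return proj.is_hooked(addr)


if __name__ == "__main__":
    # angr is imported only here so the XGETBV semantics above can be
    # exercised without angr installed.
    import angr

    XEN_BASE = 0xffff82d040200000        # --base from the report (assumed)
    FUNC_ADDR = 0xffff82d040330170       # x86emul_read_xcr (assumed)
    XGETBV_ADDR = 0xffff82d0403301a0     # `where` from the scanner error (assumed)

    # "xen-syms" is the decompressed xen-syms.gz from the report (assumed path).
    proj = angr.Project("xen-syms", auto_load_libs=False,
                        main_opts={"base_addr": XEN_BASE})
    install_xgetbv_hook(proj, XGETBV_ADDR)

    state = proj.factory.blank_state(addr=FUNC_ADDR)
    state.regs.rdi = 1                   # force the XCR1 path that hit the exit
    simgr = proj.factory.simulation_manager(state)
    simgr.run(n=4)
    print(simgr)                         # no state should be in `errored` for XGETBV
```

Hooking mid-block works because angr's VEX lifter treats hooked addresses as stop points, so the block starting at `x86emul_read_xcr` ends just before the `xgetbv` and execution resumes at `0xffff82d0403301a3` once the hook has written `%rax` and `%rdx`. If the analysis should not commit to concrete XCR contents, replace the `BVV` calls with a 64-bit `state.solver.BVS` split across the two registers; the hook structure stays the same.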