From: Frank N. <fn1...@in...> - 2007-03-29 08:22:23
|
Hello,
I have another little problem with Valgrind 3.2.0.
I try to trace the data flow to and from SysCalls.
AFAIK only STORE is allowed to store to memory.
I have a SysCall triggered by printf in my guest application.
(e.g. int i,j,k; j=4; k=5; i=j+k; printf("1: %d",i); )
The SysCall looks like this:
PreSysCall( Thread ID: 1, SysCallNo: 4 )
Loading untainted Addr(401E000)
Loading untainted Addr(401E001)
Loading untainted Addr(401E002)
Loading untainted Addr(401E003)
taPreMemRead( CorePart 3, ThreadId 1, Char: write(buf), Addr [401E000], size: 4, Val [1: 9], tainted [0])
The address 401E000 seems to be non-guest memory.
Okay, I tried to figure out how the value 9 propagates to this point.
(I am interested in the value 9 because it is data derived from a variable in the high-level source code.)
IMark
PUT(60) = 67735475:U32
Loading tainted Addr(BEA04F59)[0]
(t11) = LOAD(BEA04F59) {9}
(t104) = UnOP( 8Uto32; t11)
(t96) = Tmp(t104)
PUT(0) = t96
IMark
(t12) = BinOP( Add32; t9, 1:U32)
(t14) = GET(32)
(t15) = GET(36)
(t16) = GET(40)
(t17) = GET(44)
(t105) = CCall
(t97) = Tmp(t105)
PUT(28) = t12
IMark
PUT(60) = 67735479:U32
(t19) = Tmp(t7)
Setting tainted Addr(BEA04974)[0]
Setting tainted Addr(BEA04975)[0]
Setting tainted Addr(BEA04976)[0]
Setting tainted Addr(BEA04977)[0]
STORE(BEA04974) = t12
IMark
PUT(60) = 67735482:U32
(t4) = GET(4)
(t22) = GET(0)
Setting tainted Addr(401E003)[0]
STORE(401E003) = t22
Okay, 401E003 -> t22 -> Arch(0) -> t96 -> t104 -> t11 -> BEA04F59 (value 9, that's correct).
So I trace back for the last time when BEA04F59 was stored....
IMark
PUT(60) = 67581775:U32
(t51) = BinOP( Add32; t18, t28)
Loading untainted Addr(4146929)
(t56) = LOAD(4146929) {9}
(t66) = UnOP( 8Uto32; t56)
(t55) = Tmp(t66)
PUT(0) = t55
IMark
PUT(4) = t11
IMark
PUT(60) = 67581781:U32
(t58) = GET(0)
Setting tainted Addr(BEA04F59)[0]
STORE(BEA04F59) = t58
IMark
Okay, BEA04F59 -> t58 -> Arch(0) -> t55 -> t66 -> t56 -> 4146929 (value 9, that's correct).
Now, when I try to search for the point where 0x4146929 was stored, I cannot find it.
The value "9" is not hardcoded in the printf command, so it should not be, e.g., read directly out of the guest application binary (at least I think so).
So my conclusion is that there is something that writes to the memory at 0x4146929 and overrides the instrumentation. I really need to somehow trace this value back to the originating variables (their addresses) (j, k).
Any input is most welcome (thank you very much).
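The backward data-flow tracing described in the post (STORE/LOAD/PUT/GET/Tmp chains and the point where such a chain stops), as an added Python example. This is not code from the post or from Valgrind; the TaintVM class, the Origin record and the stack addresses used for j, k and i are constructed for illustration. Every byte, temp and guest register carries the set of root addresses its contents came from, and the three replay functions show the three ways a backward trace can end: at a LOAD from a byte no instrumented STORE ever wrote (data already present in a mapped image before instrumentation began), at a byte written by something outside the instrumented IR (such as the kernel filling a buffer on syscall return), and at a STORE of an immediate (the j=4; k=5 case, where the roots are the addresses of j and k).

```python
# Added example (not code from the post or from Valgrind): a toy taint tracker
# over a VEX-like IR. Every byte, temp and guest register carries the set of
# "root" addresses its contents came from; TaintVM and Origin are invented.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Origin:
    addr: int  # memory address where the backward chain ends
    how: str   # "image": never written by an instrumented STORE
               # "external": written outside the IR (e.g. kernel on syscall return)
               # "immediate": first materialised here by a STORE of a constant


Label = FrozenSet[Origin]
Value = Tuple[int, Label]      # (concrete value, provenance)
Src = Union[str, int]          # temp name such as "t11", or an immediate


class TaintVM:
    def __init__(self, image: Dict[int, int]) -> None:
        self.mem: Dict[int, int] = dict(image)  # byte-addressed memory
        self.mem_label: Dict[int, Label] = {}   # only bytes written after instrumentation began
        self.tmp: Dict[str, Value] = {}
        self.reg: Dict[int, Value] = {}         # guest state, keyed by PUT/GET offset

    def _src(self, s: Src) -> Value:
        return (s, frozenset()) if isinstance(s, int) else self.tmp[s]

    def _label_of(self, addr: int) -> Label:
        # A byte no instrumented STORE ever wrote is its own origin: the
        # backward trace cannot go further than this address.
        return self.mem_label.get(addr, frozenset({Origin(addr, "image")}))

    def load(self, t: str, addr: int) -> None:        # (t) = LOAD(addr)
        self.tmp[t] = (self.mem.get(addr, 0), self._label_of(addr))

    def store(self, addr: int, s: Src) -> None:       # STORE(addr) = s
        val, lab = self._src(s)
        if not lab:  # computed purely from immediates: this STORE is the root
            lab = frozenset({Origin(addr, "immediate")})
        self.mem[addr] = val & 0xFF
        self.mem_label[addr] = lab

    def put(self, off: int, s: Src) -> None:          # PUT(off) = s
        self.reg[off] = self._src(s)

    def get(self, t: str, off: int) -> None:          # (t) = GET(off)
        self.tmp[t] = self.reg.get(off, (0, frozenset()))

    def unop(self, t: str, s: Src) -> None:           # (t) = UnOP(...; s) / (t) = Tmp(s)
        self.tmp[t] = self._src(s)                    # width changes keep provenance

    def binop(self, t: str, a: Src, b: Src) -> None:  # (t) = BinOP(Add32; a, b)
        va, la = self._src(a)
        vb, lb = self._src(b)
        self.tmp[t] = ((va + vb) & 0xFFFFFFFF, la | lb)  # result depends on both inputs

    def external_write(self, addr: int, value: int) -> None:
        # Something outside the instrumented IR wrote this byte (the kernel
        # filling a buffer, for instance); record that explicitly so a later
        # LOAD is not mistaken for image data.
        self.mem[addr] = value & 0xFF
        self.mem_label[addr] = frozenset({Origin(addr, "external")})

    def origins(self, addr: int) -> Label:
        return self._label_of(addr)


def run_post_trace() -> Tuple[int, Label]:
    # Replay the two blocks quoted in the post. The image byte is constructed:
    # the '9' that ends up in the "1: 9" buffer, present before any STORE.
    vm = TaintVM(image={0x4146929: ord("9")})
    vm.load("t56", 0x4146929); vm.unop("t66", "t56"); vm.unop("t55", "t66")
    vm.put(0, "t55"); vm.get("t58", 0); vm.store(0xBEA04F59, "t58")
    vm.load("t11", 0xBEA04F59); vm.unop("t104", "t11"); vm.unop("t96", "t104")
    vm.put(0, "t96"); vm.get("t22", 0); vm.store(0x401E003, "t22")
    return vm.mem[0x401E003], vm.origins(0x401E003)


def run_j_plus_k() -> Tuple[int, Label]:
    # int j = 4, k = 5; i = j + k;  (constructed stack addresses for j, k, i)
    J, K, I = 0xBEA04F50, 0xBEA04F54, 0xBEA04F58
    vm = TaintVM(image={})
    vm.store(J, 4); vm.store(K, 5)                   # immediates become roots here
    vm.load("t1", J); vm.load("t2", K)
    vm.binop("t3", "t1", "t2"); vm.store(I, "t3")
    return vm.mem[I], vm.origins(I)


def run_external_write() -> Label:
    # A buffer filled by the kernel (e.g. on read()) and then copied by the guest.
    vm = TaintVM(image={})
    vm.external_write(0x401E000, ord("1"))
    vm.load("t1", 0x401E000); vm.store(0xBEA04974, "t1")
    return vm.origins(0xBEA04974)
```

The design choice that matters is in `_label_of` and `store`: a LOAD from a byte that has no label entry is treated as a root, so the replay of the post's two blocks reports 0x4146929 with how="image" rather than an infinite regress, while the j+k replay reports the addresses of j and k because their STOREs of immediates are recorded as roots. A real tool would also have to call something like `external_write` from its syscall-return hook, otherwise kernel-written bytes look exactly like image data.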