
5 [State 0] HostFiles: could not open /home/fuzz/s2e/projects/sym_stdin/guest-tools64/s2eget(errno 2) #14

Closed
blu3sh0rk opened this issue Aug 29, 2022 · 8 comments

Comments

@blu3sh0rk

blu3sh0rk commented Aug 29, 2022

This time I encountered this problem.

$ ./launch-crax.sh

Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/fuzz/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-1"
Revision: 96dc4d88d7661d7a415ddcb67cd378ff15e74c40
Config date: Mon 29 Aug 2022 12:44:14 AM PDT

Current data layout: e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128
Current target triple: x86_64-unknown-linux-gnu
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
1 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7fb26800a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 336 (ro=1)
s2e-block: wasted sectors: 0
5 [State 0] HostFiles: could not open /home/fuzz/s2e/projects/sym_stdin/guest-tools64/s2eget(errno 2)
5 [State 0] BaseInstructions: Killing state 0
5 [State 0] Terminating state: State was terminated by opcode
            message: "Could not get s2eget from the host. Make sure that guest tools are installed properly."
            status: 0x0
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 11081 (/home/fuzz/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:336
Terminating node id 0 (instance slot 0)

Missing s2eget in /home/fuzz/s2e/projects/sym_stdin/guest-tools64

@aesophor
Member

Can you show me the output of these commands:

ls -la ~/s2e/projects/sym_stdin/guest-tools64
ls -la ~/s2e/install/bin | grep guest
ls -la ~/s2e/install/bin/guest-tools64/s2eget

Here's mine:

[S2E:s2e] (venv)
/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [19:30]
> ll ~/s2e/projects/sym_stdin/guest-tools64
lrwxrwxrwx 1 aesophor aesophor 44 Jan 21  2022 /home/aesophor/s2e/projects/sym_stdin/guest-tools64 -> /home/aesophor/s2e/install/bin/guest-tools64

[S2E:s2e] (venv)
/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [19:30]
> ll ~/s2e/install/bin | grep guest
drwxr-xr-x 3 aesophor aesophor 4.0K Aug 29 19:28 guest-tools32
drwxr-xr-x 3 aesophor aesophor 4.0K Aug 29 19:28 guest-tools64

[S2E:s2e] (venv)
/home/aesophor/s2e/projects/sym_stdin [aesophor@aesophor-vm] [19:32]
> ll ~/s2e/install/bin/guest-tools64/s2eget
-rwxr-xr-x 1 aesophor aesophor 23K May  5 05:49 /home/aesophor/s2e/install/bin/guest-tools64/s2eget

It seems that s2eget isn't there, but a symlink should be created automatically by s2e new_project. The real binary is at ~/s2e/install/bin/guest-tools64/s2eget.

If the binary itself isn't there, could you please show me the output of s2e build?

@blu3sh0rk
Author

[S2E:s2e] (venv) fuzz@ubuntu:~/s2e/source/CRAXplusplus$ ls -la ~/s2e/projects/sym_stdin/guest-tools64
lrwxrwxrwx 1 fuzz fuzz 40 Aug 29 02:07 /home/fuzz/s2e/projects/sym_stdin/guest-tools64 -> /home/fuzz/s2e/install/bin/guest-tools64
[S2E:s2e] (venv) fuzz@ubuntu:~/s2e/source/CRAXplusplus$ ls -la ~/s2e/install/bin | grep guest
drwxr-xr-x 3 fuzz fuzz      4096 Aug 28 20:06 guest-tools32
drwxr-xr-x 3 fuzz fuzz      4096 Aug 28 20:06 guest-tools64
[S2E:s2e] (venv) fuzz@ubuntu:~/s2e/source/CRAXplusplus$ ls -la ~/s2e/install/bin/guest-tools64/s2eget
ls: cannot access '/home/fuzz/s2e/install/bin/guest-tools64/s2eget': No such file or directory

[S2E:s2e] (venv) fuzz@ubuntu:~/s2e/source/CRAXplusplus$ cd ~/s2e/install/bin/guest-tools64/
[S2E:s2e] (venv) fuzz@ubuntu:~/s2e/install/bin/guest-tools64$ ls
cgccmd  drvctl.exe  include  launch.sh  libs2e32.dll  libs2e64.dll  s2e-bios.bin  s2ecmd  s2ecmd.exe  s2e.inf  s2e.so  s2e.sys  tickler.exe

@aesophor
Member

What's the output of s2e build?

@blu3sh0rk
Author

$ s2e build
INFO: [build] Building S2E (release) in /home/fuzz/s2e/build
make: Entering directory '/home/fuzz/s2e/build'
INFO: [sh.command] <Command '/usr/bin/make --directory=/home/fuzz/s2e/build --file=/home/fuzz/s2e/source/Makefile install', pid 11793>: process started
echo /home/fuzz/s2e/install/bin/guest-tools32/s2e.sys /home/fuzz/s2e/install/bin/guest-tools32/s2e.inf /home/fuzz/s2e/install/bin/guest-tools32/drvctl.exe /home/fuzz/s2e/install/bin/guest-tools32/libs2e32.dll /home/fuzz/s2e/install/bin/guest-tools32/tickler.exe
/home/fuzz/s2e/install/bin/guest-tools32/s2e.sys /home/fuzz/s2e/install/bin/guest-tools32/s2e.inf /home/fuzz/s2e/install/bin/guest-tools32/drvctl.exe /home/fuzz/s2e/install/bin/guest-tools32/libs2e32.dll /home/fuzz/s2e/install/bin/guest-tools32/tickler.exe
echo /home/fuzz/s2e/install/bin/guest-tools64/s2e.sys /home/fuzz/s2e/install/bin/guest-tools64/s2e.inf /home/fuzz/s2e/install/bin/guest-tools64/drvctl.exe /home/fuzz/s2e/install/bin/guest-tools64/libs2e32.dll /home/fuzz/s2e/install/bin/guest-tools64/libs2e64.dll /home/fuzz/s2e/install/bin/guest-tools64/tickler.exe
/home/fuzz/s2e/install/bin/guest-tools64/s2e.sys /home/fuzz/s2e/install/bin/guest-tools64/s2e.inf /home/fuzz/s2e/install/bin/guest-tools64/drvctl.exe /home/fuzz/s2e/install/bin/guest-tools64/libs2e32.dll /home/fuzz/s2e/install/bin/guest-tools64/libs2e64.dll /home/fuzz/s2e/install/bin/guest-tools64/tickler.exe
make -j4 -C guest-tools32 install
make[1]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[2]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[4]: Entering directory '/home/fuzz/s2e/build/guest-tools32/s2ebios'
make[4]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
[ 32%] Built target models_test
[ 28%] Built target glibc-compat-main
[ 39%] Built target s2ecmd
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
make[4]: Leaving directory '/home/fuzz/s2e/build/guest-tools32/s2ebios'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
[ 39%] Built target s2ebios
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
[ 71%] Built target s2e
[ 78%] Built target quicksort
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32'
[ 85%] Built target vulnerabilities
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
[ 92%] Built target maze
[100%] Built target cgccmd
make[2]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
Install the project...
-- Install configuration: ""
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./s2e-bios.bin
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/include/s2e/s2e.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/include/s2e/opcodes.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./s2ecmd
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/.
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./launch.sh
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./cgccmd
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./s2e.so
make[1]: Leaving directory '/home/fuzz/s2e/build/guest-tools32'
make -j4 -C guest-tools64 install
make[1]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[2]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[4]: Entering directory '/home/fuzz/s2e/build/guest-tools64/s2ebios'
make[4]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[4]: Leaving directory '/home/fuzz/s2e/build/guest-tools64/s2ebios'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
[  7%] Built target glibc-compat-main
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
[ 28%] Built target s2ecmd
[ 39%] Built target models_test
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
[ 39%] Built target s2ebios
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
[ 71%] Built target s2e
[ 78%] Built target vulnerabilities
[ 85%] Built target quicksort
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64'
[ 92%] Built target maze
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
[100%] Built target cgccmd
make[2]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
Install the project...
-- Install configuration: ""
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./s2e-bios.bin
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/include/s2e/s2e.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/include/s2e/opcodes.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./s2ecmd
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/.
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./launch.sh
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./cgccmd
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./s2e.so
make[1]: Leaving directory '/home/fuzz/s2e/build/guest-tools64'
make -j4 -C guest-tools32-win install
make[1]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[2]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
[ 50%] Built target quicksort
[ 50%] Built target maze
[ 83%] Built target s2ecmd
[100%] Built target vulnerabilities
make[2]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
Install the project...
-- Install configuration: ""
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/include/s2e/s2e.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/include/s2e/opcodes.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools32/./s2ecmd.exe
make[1]: Leaving directory '/home/fuzz/s2e/build/guest-tools32-win'
make -j4 -C guest-tools64-win install
make[1]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[2]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Entering directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
make[3]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
[ 16%] Built target quicksort
[ 66%] Built target s2ecmd
[ 83%] Built target maze
[100%] Built target vulnerabilities
make[2]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
Install the project...
-- Install configuration: ""
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/include/s2e/s2e.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/include/s2e/opcodes.h
-- Up-to-date: /home/fuzz/s2e/install/bin/guest-tools64/./s2ecmd.exe
make[1]: Leaving directory '/home/fuzz/s2e/build/guest-tools64-win'
cp /home/fuzz/s2e/build/llvm-release/lib/LLVMgold.so /home/fuzz/s2e/install/lib
make: Leaving directory '/home/fuzz/s2e/build'
SUCCESS: [build] S2E built

@aesophor
Member

aesophor commented Aug 29, 2022

I've identified the root cause of the problem, working on it

Edit: give me a few more seconds, I'm interrupted by other matters

@aesophor
Member

aesophor commented Aug 29, 2022

TL;DR

I can reproduce your situation by running

s2e new_project --image debian-9.2.1-x86_64 ~/s2e/source/CRAXplusplus/proxies/sym_stdin/sym_stdin

The above command will generate a new version of bootstrap.sh.

However, if you run my setup.sh (from CRAX++ repo), that new version of bootstrap.sh will be replaced with mine, which is an old version.

If you're using debian-9.2.1-x86_64, then edit ~/s2e/projects/sym_stdin/bootstrap.sh:

- COMMON_TOOLS="s2ecmd s2eget s2eput"
+ COMMON_TOOLS="s2ecmd" 
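Review bot: the `+` line carries trailing whitespace after the closing quote; drop it. It is also worth stating next to the hunk what the full story below makes explicit: dropping s2eget and s2eput from COMMON_TOOLS only works because the old debian-9.2.1-x86_64 image already ships both inside the guest, so nothing is fetched that the host (after S2E/s2e@d021305) no longer provides. On an image that already carries the new s2ecmd, the replacement would be `s2ecmd get` rather than this edit.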

Run ./launch-crax.sh. I tried it and it worked.


Full story:

About a month ago, S2E upstream removed s2eget and s2ecmd, and replaced them with s2ecmd get|put. See: S2E/s2e@d021305.

Intuitively, I thought that we could just run s2e new_project again and edit the new version of ~/s2e/projects/sym_stdin/bootstrap.sh.

However, if you're using the old s2e images (i.e. debian-9.2.1-x86_64), the guest VM doesn't contain the new version of s2ecmd, so if you replace s2eget with s2ecmd get, it won't work.

However, the old s2e images still have s2eget and s2eput inside! So back to your question, what caused this?

5 [State 0] Terminating state: State was terminated by opcode
            message: "Could not get s2eget from the host. Make sure that guest tools are installed properly."
            status: 0x0

I traced ~/s2e/projects/sym_stdin/bootstrap.sh and found the culprit:

for TOOL in ${COMMON_TOOLS}; do
    ${OUR_S2EGET} ${TARGET_TOOLS_ROOT}/${TOOL}
    if [ ! -f ${TOOL} ]; then
        ${OUR_S2ECMD} kill 0 "Could not get ${TOOL} from the host. Make sure that guest tools are installed properly."
        exit 1
    fi
    chmod +x ${TOOL}
done

COMMON_TOOLS="s2ecmd s2eget s2eput"

This bootstrap.sh will be run inside the guest, and it executes s2eget to download s2ecmd, s2eget and s2eput. If s2eget is already inside the guest filesystem, I'm not sure why it needs to run s2eget to download itself again ?_?

So I tried to edit ~/s2e/projects/sym_stdin/bootstrap.sh:

- COMMON_TOOLS="s2ecmd s2eget s2eput"
+ COMMON_TOOLS="s2ecmd" 

Then I ran ./launch-crax.sh and it worked again.

I'm sorry if you feel annoyed, but S2E is actually the most stable platform I've seen. It just requires a little patience to trace code and fix these slight problems.

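The fetch loop traced above fails because the guest uses s2eget to fetch s2eget from a host that no longer has it. The following is an added example, not S2E's or CRAX++'s own bootstrap.sh: a variant of that loop which skips tools already usable in the guest and reports a host-side miss per tool instead of killing the state. It keeps the variable names OUR_S2EGET and TARGET_TOOLS_ROOT from the quoted snippet; the temporary directories and the fake_s2eget stand-in are constructed for the demo.

```shell
#!/bin/sh
# Added example (not S2E's or CRAX++'s bootstrap.sh). Reworks the
# COMMON_TOOLS loop so that a tool already present in the guest, as
# s2eget/s2eput are on the old debian-9.2.1-x86_64 image, is not
# re-fetched from the host, and a host-side miss (the errno 2 case in
# the issue) is reported per tool instead of terminating the run.

HOST_ROOT=$(mktemp -d)      # constructed stand-in for the host's guest-tools64
GUEST_CWD=$(mktemp -d)      # constructed stand-in for the guest's working dir
TARGET_TOOLS_ROOT="$HOST_ROOT"

# Constructed stand-in for s2eget: copies a host file into the cwd and
# fails, like the real tool, when the host does not have the file.
fake_s2eget() {
    [ -f "$1" ] || { echo "s2eget: could not open $1 (errno 2)" >&2; return 1; }
    cp "$1" ./"$(basename "$1")"
}
OUR_S2EGET=fake_s2eget

# fetch_common_tools "tool1 tool2 ..."
# Returns 0 when every listed tool is usable afterwards, 1 otherwise.
fetch_common_tools() {
    missing=0
    for TOOL in $1; do
        # Old images already ship some tools in the guest: do not fetch those.
        if [ -x "./$TOOL" ] || command -v "$TOOL" >/dev/null 2>&1; then
            echo "bootstrap: $TOOL already in guest, not fetching"
            continue
        fi
        $OUR_S2EGET "${TARGET_TOOLS_ROOT}/${TOOL}" || true
        if [ ! -f "./$TOOL" ]; then
            echo "bootstrap: could not get $TOOL from the host" >&2
            missing=$((missing + 1))
            continue
        fi
        chmod +x "./$TOOL"
    done
    [ "$missing" -eq 0 ]
}

# Scenario from the issue (constructed): the host has only s2ecmd, while
# the guest already carries s2eget and s2eput.
printf '#!/bin/sh\necho s2ecmd\n' > "$HOST_ROOT/s2ecmd"
cd "$GUEST_CWD"
printf '#!/bin/sh\n' > s2eget; chmod +x s2eget
printf '#!/bin/sh\n' > s2eput; chmod +x s2eput

fetch_common_tools "s2ecmd s2eget s2eput"; RESULT_OLD_IMAGE=$?
```

With the original COMMON_TOOLS list this variant fetches only s2ecmd and leaves the guest's own s2eget and s2eput alone, which is the behaviour the edited bootstrap.sh achieves by shortening the list.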
@blu3sh0rk
Author

It does work now!

21 [State 0] CRAX: Switching to direct mode...
21 [State 0] CRAX: Generated exploit script: exploit_0.py
21 [State 0] Terminating state: End of exploit generation
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 14465 (/home/fuzz/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:336
Terminating node id 0 (instance slot 0)

Thank you!

@aesophor
Member

That's great! Glad it works!
