Failure: Concretized 2 values (must be exactly 1) in eval_exact #8

Closed
andyhhp opened this issue Dec 21, 2023 · 1 comment
Comments

andyhhp (Collaborator) commented Dec 21, 2023

With #6 fixed, I see a new error, with 24 instances:

---------------- [ SCANNER ERROR ] ----------------
in basic block: 0xffff82d040342588     started at:0xffff82d040201790
Concretized 2 values (must be exactly 1) in eval_exact
Traceback (most recent call last):
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 567, in run
    next_states = self.cur_state.step()
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 607, in step
    return self.project.factory.successors(self, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/factory.py", line 77, in successors
    return self.default_engine.process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 20, in process
    return super().process(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/engine.py", line 163, in process
    self.process_successors(self.successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/failure.py", line 24, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/syscall.py", line 26, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/hook.py", line 56, in process_successors
    return super().process_successors(successors, procedure=procedure, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/unicorn.py", line 389, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/soot/engine.py", line 68, in process_successors
    return super().process_successors(successors, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 174, in process_successors
    self.handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/super_fastpath.py", line 25, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 26, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 31, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/inspect.py", line 49, in handle_vex_block
    super().handle_vex_block(irsb)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 550, in handle_vex_block
    self._handle_vex_defaultexit(irsb.next, irsb.jumpkind)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/slicing.py", line 36, in _handle_vex_defaultexit
    super()._handle_vex_defaultexit(expr, jumpkind)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/light/light.py", line 553, in _handle_vex_defaultexit
    self._perform_vex_defaultexit(self._analyze_vex_defaultexit(expr) if expr is not None else None, jumpkind)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/actions.py", line 237, in _perform_vex_defaultexit
    super()._perform_vex_defaultexit(target, jumpkind)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/vex/heavy/heavy.py", line 360, in _perform_vex_defaultexit
    self.successors.add_successor(
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 131, in add_successor
    self._preprocess_successor(state, add_guard=add_guard)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 173, in _preprocess_successor
    self._manage_callstack(state)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/engines/successors.py", line 195, in _manage_callstack
    ret_addr = state.mem[state.regs._sp].long.concrete
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/view.py", line 276, in concrete
    return self._type.extract(self.state, self._addr, True)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_type.py", line 406, in extract
    out = state.memory.load(addr, self.size // state.arch.byte_width, endness=state.arch.memory_endness)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/unwrapper_mixin.py", line 15, in load
    return super().load(
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/name_resolution_mixin.py", line 67, in load
    return super().load(addr, size=size, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/bvv_conversion_mixin.py", line 30, in load
    return super().load(addr, size=size, fallback=fallback_bv, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/storage/memory_mixins/clouseau_mixin.py", line 98, in load
    self.state._inspect(
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 400, in _inspect
    self.inspect.action(*args, **kwargs)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/inspect.py", line 275, in action
    bp.fire(self.state)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/inspect.py", line 215, in fire
    self.action(state)
  File "/local/inspectre-gadget.git/analyzer/scanner/scanner.py", line 293, in load_hook_after
    l.info(f"Load@{hex(state.addr)}: {load_addr}")
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/sim_state.py", line 381, in addr
    return self.solver.eval_one(self.regs._ip)
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/solver.py", line 942, in eval_one
    return self.eval_exact(e, 1, cast_to, **{k: v for (k, v) in kwargs.items() if k != "default"})[0]
  File "/local/inspectre-gadget.git/.venv/lib/python3.9/site-packages/angr/state_plugins/solver.py", line 1070, in eval_exact
    raise SimValueError("Concretized %d values (must be exactly %d) in eval_exact" % (len(r), n))
angr.errors.SimValueError: Concretized 2 values (must be exactly 1) in eval_exact

Unfortunately, I'm at a complete loss as to what it's trying to tell me. The basic block identified is:

ffff82d040342588:       49 8b 44 24 08          mov    0x8(%r12),%rax
ffff82d04034258d:       4c 89 e7                mov    %r12,%rdi
ffff82d040342590:       ff 50 28                callq  *0x28(%rax)
ffff82d040342593:       41 8b 14 24             mov    (%r12),%edx
ffff82d040342597:       f6 c2 10                test   $0x10,%dl
ffff82d04034259a:       0f 84 10 03 00 00       je     ffff82d0403428b0 <do_IRQ+0x3c0>

Files:
xen-syms.gz
addr-list.csv
and --base 0xffff82d040200000

SanWieb (Contributor) commented Dec 21, 2023

For the Linux kernel we used the indirect thunk arrays as the indirect branch sink. I just added support for fully symbolic branches, so they should now be detected as dispatch gadgets (i.e., tainted function pointer (TFP)).

Note that the TFP CSV file argument was missing from the doc; you can add it with the flag --tfp-output. Although most TFPs are exploitable, we will also make a simple reasoner for it (#10).

@SanWieb SanWieb closed this as completed Dec 21, 2023
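The crash in the traceback comes from the scanner's load hook calling state.addr, which goes through solver.eval_one on the instruction pointer; once the call target `*0x28(%rax)` depends on a tainted load, the ip has more than one solution and eval_one raises. The following is an added example, not code from the inspectre-gadget project or from either commenter: it shows the shape of a hook that classifies a symbolic branch target (unique, a handful of feasible targets, or fully symbolic, i.e. a dispatch gadget / TFP) instead of asking for exactly one value. The angr SimSolver method names symbolic, eval_upto and eval_one are real; the OfflineSolver class, the MAX_TARGETS cutoff and the sample value sets are constructed assumptions so the script runs without angr installed.

```python
"""Classify an indirect-branch target without calling solver.eval_one.

Written against angr's SimSolver method names (symbolic, eval_upto, eval_one).
OfflineSolver is a constructed stand-in so this runs with no angr install:
an 'expression' is any iterable of the concrete values it may take.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: more than this many feasible targets means the branch is
# effectively unconstrained (attacker-controlled function pointer).
MAX_TARGETS = 8


@dataclass
class BranchTarget:
    kind: str              # "concrete", "bounded" or "symbolic"
    candidates: List[int]  # feasible targets (empty when fully symbolic)


def classify_branch_target(solver, ip_expr) -> BranchTarget:
    """Return the class of a branch target using only eval_upto, never eval_one."""
    if not solver.symbolic(ip_expr):
        return BranchTarget("concrete", solver.eval_upto(ip_expr, 1))
    sols = solver.eval_upto(ip_expr, MAX_TARGETS + 1)
    if len(sols) > MAX_TARGETS:
        # e.g. callq *0x28(%rax) with rax loaded from tainted memory: report as TFP
        return BranchTarget("symbolic", [])
    return BranchTarget("bounded", sorted(sols))


def safe_addr(solver, ip_expr) -> Optional[int]:
    """Drop-in for state.addr inside a logging hook: the address if unique, else None."""
    target = classify_branch_target(solver, ip_expr)
    return target.candidates[0] if target.kind == "concrete" else None


def reproduce_issue(solver, ip_expr) -> Optional[str]:
    """Mirror what state.addr does (eval_one) and return the error text, if any."""
    try:
        solver.eval_one(ip_expr)
        return None
    except ValueError as exc:
        return str(exc)


class OfflineSolver:
    """Constructed stand-in for state.solver; values are enumerated lazily so a
    huge range (a fully symbolic 64-bit pointer) is never materialised."""

    def eval_upto(self, expr: Iterable[int], n: int) -> List[int]:
        out: List[int] = []
        for value in expr:
            if value not in out:
                out.append(value)
                if len(out) == n:
                    break
        return out

    def symbolic(self, expr: Iterable[int]) -> bool:
        return len(self.eval_upto(expr, 2)) > 1

    def eval_one(self, expr: Iterable[int]) -> int:
        sols = self.eval_upto(expr, 2)
        if len(sols) != 1:
            raise ValueError(
                "Concretized %d values (must be exactly 1) in eval_exact" % len(sols))
        return sols[0]


def demo() -> dict:
    """Three constructed ip expressions modelled on the do_IRQ block in the report."""
    solver = OfflineSolver()
    samples = {
        # return address pushed by the callq: a single concrete value
        "ret_addr": [0xFFFF82D040342593],
        # the je at the end of the block: two feasible successors
        "je": [0xFFFF82D040342593, 0xFFFF82D0403428B0],
        # *0x28(%rax) with rax attacker-controlled: any 16-byte aligned address
        "tfp_call": range(0, 1 << 64, 0x10),
    }
    return {name: classify_branch_target(solver, expr).kind
            for name, expr in samples.items()}


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
    print(reproduce_issue(OfflineSolver(), [0x10, 0x20]))
```

In a real angr hook the same logic applies to state.regs.ip directly: test state.solver.symbolic(ip) first, and when it is symbolic record the block as a dispatch gadget rather than logging state.addr, which is what turns a TFP finding into a scanner crash.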