diff options
| -rw-r--r-- | miasm/jitter/JitCore.c | 11 | ||||
| -rw-r--r-- | miasm/jitter/JitCore.h | 41 | ||||
| -rw-r--r-- | miasm/jitter/vm_mngr.c | 90 | ||||
| -rw-r--r-- | miasm/jitter/vm_mngr.h | 6 | ||||
| -rw-r--r-- | miasm/jitter/vm_mngr_py.c | 31 |
5 files changed, 141 insertions, 38 deletions
diff --git a/miasm/jitter/JitCore.c b/miasm/jitter/JitCore.c index ae5af293..0c36c15f 100644 --- a/miasm/jitter/JitCore.c +++ b/miasm/jitter/JitCore.c @@ -1,6 +1,7 @@ #include <Python.h> #include "structmember.h" #include <stdint.h> +#include <limits.h> #include <inttypes.h> #include "compat_py23.h" #include "queue.h" @@ -235,6 +236,7 @@ PyObject* vm_get_mem(JitCpu *self, PyObject* args) uint64_t addr; uint64_t size; + size_t size_st; PyObject *obj_out; char * buf_out; int ret; @@ -245,13 +247,20 @@ PyObject* vm_get_mem(JitCpu *self, PyObject* args) PyGetInt(py_addr, addr); PyGetInt(py_len, size); + + if (size > SSIZE_MAX) { + fprintf(stderr, "Read size wider than supported system\n"); + exit(EXIT_FAILURE); + } + size_st = (size_t)size; + ret = vm_read_mem(&(((VmMngr*)self->pyvm)->vm_mngr), addr, &buf_out, size); if (ret < 0) { PyErr_SetString(PyExc_RuntimeError, "cannot find address"); return NULL; } - obj_out = PyBytes_FromStringAndSize(buf_out, size); + obj_out = PyBytes_FromStringAndSize(buf_out, (Py_ssize_t)size_st); free(buf_out); return obj_out; } diff --git a/miasm/jitter/JitCore.h b/miasm/jitter/JitCore.h index 15efc7d2..a492086a 100644 --- a/miasm/jitter/JitCore.h +++ b/miasm/jitter/JitCore.h @@ -3,6 +3,15 @@ #if _WIN32 #define _MIASM_EXPORT __declspec(dllexport) + +#ifndef SSIZE_MAX +#ifdef _WIN64 +#define SSIZE_MAX _I64_MAX +#else +#define SSIZE_MAX INT_MAX +#endif +#endif + #else #define _MIASM_EXPORT #endif @@ -28,7 +37,7 @@ bn = bignum_mask(bn, (size)); \ for (j = BN_BYTE_SIZE - 4; j >= 0 ; j -= 4) { \ tmp = bignum_to_uint64(bignum_mask(bignum_rshift(bn, 8 * j), 32)); \ - py_tmp = PyLong_FromUnsignedLong(tmp); \ + py_tmp = PyLong_FromUnsignedLong((unsigned long)tmp); \ py_long_new = PyObject_CallMethod(py_long, "__lshift__", "O", cst_32); \ Py_DECREF(py_long); \ py_long = PyObject_CallMethod(py_long_new, "__add__", "O", py_tmp); \ @@ -39,7 +48,7 @@ return py_long; \ } \ \ - static int JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ + static PyObject *JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ { \ bn_t bn; \ int j; \ @@ -94,7 +103,7 @@ bn = bignum_mask(bn, (size)); \ for (j = BN_BYTE_SIZE - 4; j >= 0 ; j -= 4) { \ tmp = bignum_to_uint64(bignum_mask(bignum_rshift(bn, 8 * j), 32)); \ - py_tmp = PyLong_FromUnsignedLong(tmp); \ + py_tmp = PyLong_FromUnsignedLong((unsigned long)tmp); \ py_long_new = PyObject_CallMethod(py_long, "__lshift__", "O", cst_32); \ Py_DECREF(py_long); \ py_long = PyObject_CallMethod(py_long_new, "__add__", "O", py_tmp); \ @@ -105,7 +114,7 @@ return py_long; \ } \ \ - static int JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ + static PyObject *JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ { \ bn_t bn; \ int j; \ @@ -178,9 +187,9 @@ } \ static int JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ { \ - uint32_t val; \ + uint64_t val; \ PyGetInt_retneg(value, val); \ - ((vm_cpu_t*)(self->cpu))-> regname = val; \ + ((vm_cpu_t*)(self->cpu))-> regname = (uint32_t)val; \ return 0; \ } @@ -192,9 +201,23 @@ } \ static int JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ { \ - uint16_t val; \ + uint64_t val; \ PyGetInt_retneg(value, val); \ - ((vm_cpu_t*)(self->cpu))-> regname = val; \ + ((vm_cpu_t*)(self->cpu))-> regname = (uint16_t)val; \ + return 0; \ + } + + +#define getset_reg_u8(regname) \ + static PyObject *JitCpu_get_ ## regname (JitCpu *self, void *closure) \ + { \ + return PyLong_FromUnsignedLongLong((uint8_t)(((vm_cpu_t*)(self->cpu))-> regname )); \ + } \ + static int JitCpu_set_ ## regname (JitCpu *self, PyObject *value, void *closure) \ + { \ + uint64_t val; \ + PyGetInt_retneg(value, val); \ + ((vm_cpu_t*)(self->cpu))-> regname = (uint8_t)val; \ return 0; \ } @@ -220,7 +243,7 @@ bn = bignum_mask(bn, size); \ for (j = BN_BYTE_SIZE - 4; j >= 0 ; j -= 4) { \ tmp = bignum_to_uint64(bignum_mask(bignum_rshift(bn, 8 * j), 32)); \ - py_tmp = PyLong_FromUnsignedLong(tmp); \ + py_tmp = PyLong_FromUnsignedLong((unsigned long)tmp); \ py_long_new = PyObject_CallMethod(py_long, "__lshift__", "O", cst_32); \ Py_DECREF(py_long); \ py_long = PyObject_CallMethod(py_long_new, "__add__", "O", py_tmp); \ diff --git a/miasm/jitter/vm_mngr.c b/miasm/jitter/vm_mngr.c index bd1de2f4..66f182f5 100644 --- a/miasm/jitter/vm_mngr.c +++ b/miasm/jitter/vm_mngr.c @@ -21,6 +21,7 @@ #include <stdio.h> #include <stdlib.h> +#include <stdint.h> #include "queue.h" @@ -58,8 +59,13 @@ void memory_access_list_add(struct memory_access_list * access, uint64_t start, if (access->num >= access->allocated) { if (access->allocated == 0) access->allocated = 1; - else + else { + if (access->allocated >= SIZE_MAX / 2) { + fprintf(stderr, "Cannot alloc more pages\n"); + exit(EXIT_FAILURE); + } access->allocated *= 2; + } access->array = realloc(access->array, access->allocated * sizeof(struct memory_access)); if (access->array == NULL) { fprintf(stderr, "cannot realloc struct memory_access access->array\n"); @@ -370,7 +376,7 @@ void add_mem_write(vm_mngr_t* vm_mngr, uint64_t addr, uint64_t size) void check_invalid_code_blocs(vm_mngr_t* vm_mngr) { - int i; + size_t i; struct code_bloc_node * cbp; for (i=0;i<vm_mngr->memory_w.num; i++) { if (vm_mngr->exception_flags & EXCEPT_CODE_AUTOMOD) @@ -399,7 +405,7 @@ void check_invalid_code_blocs(vm_mngr_t* vm_mngr) void check_memory_breakpoint(vm_mngr_t* vm_mngr) { - int i; + size_t i; struct memory_breakpoint_info * memory_bp; /* Check memory breakpoints */ @@ -430,9 +436,10 @@ void check_memory_breakpoint(vm_mngr_t* vm_mngr) PyObject* get_memory_pylist(vm_mngr_t* vm_mngr, struct memory_access_list* memory_list) { - int i; + size_t i; PyObject *pylist; PyObject *range; + pylist = PyList_New(memory_list->num); for (i=0;i<memory_list->num;i++) { range = PyTuple_New(2); @@ -509,18 +516,27 @@ uint64_t vm_MEM_LOOKUP_64(vm_mngr_t* vm_mngr, uint64_t addr) int vm_read_mem(vm_mngr_t* vm_mngr, uint64_t addr, char** buffer_ptr, uint64_t size) { char* buffer; - uint64_t len; + size_t len; + size_t size_st; + uint64_t addr_diff; + size_t addr_diff_st; struct memory_page_node * mpn; - buffer = malloc(size); + if (size > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + + buffer = malloc((size_t)size); *buffer_ptr = buffer; if (!buffer){ fprintf(stderr, "Error: cannot alloc read\n"); exit(EXIT_FAILURE); } + size_st = (size_t)size; /* read is multiple page wide */ - while (size){ + while (size_st){ mpn = get_memory_page_from_address(vm_mngr, addr, 1); if (!mpn){ free(*buffer_ptr); @@ -528,11 +544,17 @@ int vm_read_mem(vm_mngr_t* vm_mngr, uint64_t addr, char** buffer_ptr, uint64_t s return -1; } - len = MIN(size, mpn->size - (addr - mpn->ad)); - memcpy(buffer, (char*)mpn->ad_hp + (addr - mpn->ad), len); + addr_diff = addr - mpn->ad; + if (addr_diff > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + addr_diff_st = (size_t) addr_diff; + len = MIN(size_st, mpn->size - addr_diff_st); + memcpy(buffer, (char*)mpn->ad_hp + (addr_diff_st), len); buffer += len; addr += len; - size -= len; + size_st -= len; } return 0; @@ -540,22 +562,37 @@ int vm_read_mem(vm_mngr_t* vm_mngr, uint64_t addr, char** buffer_ptr, uint64_t s int vm_write_mem(vm_mngr_t* vm_mngr, uint64_t addr, char *buffer, uint64_t size) { - uint64_t len; + size_t len; + size_t size_st; + uint64_t addr_diff; + size_t addr_diff_st; struct memory_page_node * mpn; + if (size > SIZE_MAX) { + fprintf(stderr, "Write size wider than supported system\n"); + exit(EXIT_FAILURE); + } + size_st = (size_t)size; + /* write is multiple page wide */ - while (size){ + while (size_st){ mpn = get_memory_page_from_address(vm_mngr, addr, 1); if (!mpn){ PyErr_SetString(PyExc_RuntimeError, "Error: cannot find address"); return -1; } - len = MIN(size, mpn->size - (addr - mpn->ad)); - memcpy((char*)mpn->ad_hp + (addr-mpn->ad), buffer, len); + addr_diff = addr - mpn->ad; + if (addr_diff > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + addr_diff_st = (size_t) addr_diff; + len = MIN(size_st, mpn->size - addr_diff_st); + memcpy((char*)mpn->ad_hp + addr_diff_st, buffer, len); buffer += len; addr += len; - size -= len; + size_st -= len; } return 0; @@ -565,18 +602,33 @@ int vm_write_mem(vm_mngr_t* vm_mngr, uint64_t addr, char *buffer, uint64_t size) int is_mapped(vm_mngr_t* vm_mngr, uint64_t addr, uint64_t size) { - uint64_t len; + size_t len; + size_t size_st; + uint64_t addr_diff; + size_t addr_diff_st; struct memory_page_node * mpn; + if (size > SIZE_MAX) { + fprintf(stderr, "Test size wider than supported system\n"); + exit(EXIT_FAILURE); + } + size_st = (size_t)size; + /* test multiple page wide */ - while (size){ + while (size_st){ mpn = get_memory_page_from_address(vm_mngr, addr, 0); if (!mpn) return 0; - len = MIN(size, mpn->size - (addr - mpn->ad)); + addr_diff = addr - mpn->ad; + if (addr_diff > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + addr_diff_st = (size_t) addr_diff; + len = MIN(size_st, mpn->size - addr_diff_st); addr += len; - size -= len; + size_st -= len; } return 1; diff --git a/miasm/jitter/vm_mngr.h b/miasm/jitter/vm_mngr.h index 660e6998..6ea7f250 100644 --- a/miasm/jitter/vm_mngr.h +++ b/miasm/jitter/vm_mngr.h @@ -85,7 +85,7 @@ LIST_HEAD(memory_breakpoint_info_head, memory_breakpoint_info); struct memory_page_node { uint64_t ad; - uint64_t size; + size_t size; uint64_t access; void* ad_hp; char* name; @@ -98,8 +98,8 @@ struct memory_access { struct memory_access_list { struct memory_access *array; - uint64_t allocated; - uint64_t num; + size_t allocated; + size_t num; }; typedef struct { diff --git a/miasm/jitter/vm_mngr_py.c b/miasm/jitter/vm_mngr_py.c index d8223d72..c51719a0 100644 --- a/miasm/jitter/vm_mngr_py.c +++ b/miasm/jitter/vm_mngr_py.c @@ -79,6 +79,7 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) PyObject *item_str; PyObject *name=NULL; uint64_t buf_size; + size_t buf_size_st; char* buf_data; Py_ssize_t length; uint64_t page_addr; @@ -113,7 +114,13 @@ PyObject* vm_add_memory_page(VmMngr* self, PyObject* args) RAISE(PyExc_TypeError,"known page in memory"); } - memcpy(mpn->ad_hp, buf_data, buf_size); + if (buf_size > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + buf_size_st = (size_t) buf_size; + + memcpy(mpn->ad_hp, buf_data, buf_size_st); add_memory_page(&self->vm_mngr, mpn); Py_INCREF(Py_None); @@ -210,6 +217,7 @@ PyObject* vm_get_mem(VmMngr* self, PyObject* args) uint64_t addr; uint64_t size; + size_t size_st; PyObject *obj_out; char * buf_out; int ret; @@ -220,12 +228,18 @@ PyObject* vm_get_mem(VmMngr* self, PyObject* args) PyGetInt(py_addr, addr); PyGetInt(py_len, size); - ret = vm_read_mem(&self->vm_mngr, addr, &buf_out, size); + if (size > SIZE_MAX) { + fprintf(stderr, "Size too big\n"); + exit(EXIT_FAILURE); + } + size_st = (size_t) size; + + ret = vm_read_mem(&self->vm_mngr, addr, &buf_out, size_st); if (ret < 0) { RAISE(PyExc_RuntimeError,"Cannot find address"); } - obj_out = PyBytes_FromStringAndSize(buf_out, size); + obj_out = PyBytes_FromStringAndSize(buf_out, size_st); free(buf_out); return obj_out; } @@ -359,7 +373,7 @@ PyObject* vm_set_u8(VmMngr* self, PyObject* args) fprintf(stderr, "Warning: int to big\n"); } - final_value = value; + final_value = (uint8_t)value; ret = vm_write_mem(&self->vm_mngr, addr, (char*)&final_value, 1); if (ret < 0) @@ -377,6 +391,8 @@ PyObject* vm_set_u16(VmMngr* self, PyObject* args) PyObject *py_addr; PyObject *py_val; uint64_t value; + uint16_t value_u16; + uint64_t addr; uint16_t final_value; int ret; @@ -391,8 +407,9 @@ PyObject* vm_set_u16(VmMngr* self, PyObject* args) fprintf(stderr, "Warning: int to big\n"); } - final_value = set_endian16(&self->vm_mngr, value); + value_u16 = (uint16_t) value; + final_value = set_endian16(&self->vm_mngr, value_u16); ret = vm_write_mem(&self->vm_mngr, addr, (char*)&final_value, 2); if (ret < 0) RAISE(PyExc_TypeError, "Error in set_mem"); @@ -409,6 +426,7 @@ PyObject* vm_set_u32(VmMngr* self, PyObject* args) PyObject *py_addr; PyObject *py_val; uint64_t value; + uint32_t value_u32; uint64_t addr; uint32_t final_value; int ret; @@ -423,7 +441,8 @@ PyObject* vm_set_u32(VmMngr* self, PyObject* args) fprintf(stderr, "Warning: int to big\n"); } - final_value = set_endian32(&self->vm_mngr, value); + value_u32 = (uint32_t) value; + final_value = set_endian32(&self->vm_mngr, value_u32); ret = vm_write_mem(&self->vm_mngr, addr, (char*)&final_value, 4); if (ret < 0) |