unicorn icon indicating copy to clipboard operation
unicorn copied to clipboard

Published 20 hours ago verified publisher icon unicorn-engine

Handle pathological cases more consistently

Open rhelmot opened this issue 1 year ago • 9 comments

These are two changes I've needed to make to make angr work with unicorn 2.

First commit: presently, if we try to execute a non-executable region, the lifting code never checks to see if reads succeed, it just blindly trusts the result. As a consequence, we may execute some non-executable guest code or hooks before checking cpu->exit_request and breaking out of the loop. This fixes that.

Second commit: If you respond to an unmapped memory fault during instruction fetch by mapping the related memory in a callback, qemu will only attempt to lift a single instruction for the current block. This is incredibly annoying (and breaks angr's tests, which are sensitive to block counts and boundaries), so I fixed it.

rhelmot avatar Jul 13 '22 16:07 rhelmot

I have added a third commit which should address my concerns on #1627. This uses the uc->size_recur_mem field, which from what I can tell was completely unused prior to this, to detect whether we are in an unaligned write (which is implementing by a recursive call into the write helper).

rhelmot avatar Jul 13 '22 23:07 rhelmot

I have added a third commit which should address my concerns on #1627. This uses the uc->size_recur_mem field, which from what I can tell was completely unused prior to this, to detect whether we are in an unaligned write (which is implementing by a recursive call into the write helper).

Regarding #1627, could you add a unit test? I assume it should be easy to reproduce?

wtdcode avatar Jul 14 '22 06:07 wtdcode

Pushed!

rhelmot avatar Jul 14 '22 15:07 rhelmot

Idk what's up with the failing test - it passed on my previous commit and I only changed an unrelated testcase. Is it flaky?

rhelmot avatar Jul 14 '22 15:07 rhelmot

Idk what's up with the failing test - it passed on my previous commit and I only changed an unrelated testcase. Is it flaky?

mingw32 runner has some bugs for a while… I really should disable it. Anyway let me rerun and it will be fine.

wtdcode avatar Jul 14 '22 16:07 wtdcode

thanks @wtdcode for directing to this. I try this patch for issue #1041, this patch fixes the write hook, but not for the read hook.

firodj avatar Jul 18 '22 13:07 firodj

@firodj please try the commit that I just pushed!

@wtdcode I believe this is ready to merge.

rhelmot avatar Aug 02 '22 20:08 rhelmot

It seems that CI is failing on aarch64 and ppc64le platforms. I don't have either of those machines to debug this. How can I proceed?

rhelmot avatar Aug 02 '22 21:08 rhelmot

It seems that CI is failing on aarch64 and ppc64le platforms. I don't have either of those machines to debug this. How can I proceed?

Weird, I can't come up with why your code will fail on these platforms. Maybe any undefined behaviors? Let me re-run it firstly.

wtdcode avatar Aug 07 '22 12:08 wtdcode

Merged and fixed in dev branch. Thanks!

wtdcode avatar Aug 14 '22 11:08 wtdcode

When performing memory read operation on aarch64 and ppc64, no load_helper is generated...

wtdcode avatar Aug 14 '22 13:08 wtdcode