Ejemplo n.º 1
0
def detect_with_new_cons(state):
    print '\n\n>>>>>>>>> Step, Add cons and Detect errors >>>>>>>>>'
    global path_uninit_var, block_cons

    state_ip = state.se.any_int(state.ip)
    print 'state_ip:', hex(state_ip), state
    son_father_process.set_state(state)
    p = proj2.factory.path(state)
    p.step()
    if p.next_run is None:
        print 'Something wrong happen! Fail to step!'
        return []
    succ_states = p.next_run.successors
    if not succ_states:
        succ_states = p.next_run.unconstrained_successors
    if succ_states:
        succ = succ_states[0]
    else:
        succ = None
    path_uninit_var = get_path_uninit_var(path_uninit_var, state_ip, succ,
                                          binary2)
    trace = get_trace(state)
    print 'trace:', [hex(i) for i in trace]
    uninit_var_list = reduce(lambda x, y: x + y,
                             [path_uninit_var[i] for i in trace])
    #print_uninit_var(uninit_var_list)

    new_cons = cons_transfer(block_cons[str(state)], uninit_var_list)
    satisfy_succ = []
    for s in succ_states:
        succ = s.copy()
        son_father = son_father_process.get_son_father()
        while son_father.has_key(str(succ)):
            succ = succ.copy()
        succ_ip = succ.se.any_int(succ.ip)
        son_father_process.set_son_father(str(succ), (succ_ip, str(state)))
        block_cons[str(succ)] = new_cons
        for con in new_cons:
            succ.add_constraints(con)
        if not succ.se.symbolic(succ.ip) and succ.satisfiable():
            satisfy_succ.append(succ)
    return satisfy_succ
Ejemplo n.º 2
0
def run_patched_function():
    print '\n########  Run Patched Function  ########'
    global mem_addr, pointer_list, changed_mem_name
    global path_uninit_var, block_cons

    mem_addr = get_mem2addr(old_uninit_var_list)
    #print '\nmem_addr:'
    #for m in mem_addr:
    #    print m,mem_addr[m][1]
    args_regs = argument_registers
    args_stacks = {}
    for i in argument_stacks:
        args_stacks[argument_stacks[i][0]] = argument_stacks[i][1]
    all_args = {}
    for i in args_regs:
        all_args[i] = args_regs[i]
    for i in args_stacks:
        all_args[i] = args_stacks[i]
    #print 'all_args:',all_args
    pointer_list = []
    for arg_name in all_args:
        arg_ast = all_args[arg_name]
        pointer_info = check_pointer(arg_ast, arg_ast, mem_addr, init_state1)
        if pointer_info:
            pointer_list.insert(0, (arg_name, arg_ast, pointer_info))
    #print 'pointer_list:',pointer_list
    changed_mem_name = []

    path_uninit_var = {}
    s = format_string_patch_core.initialize(proj2, func_addr2,
                                            init_state2.copy())
    block_cons = {str(s): old_constraints}
    son_father_process.set_son_father(str(s), (func_addr2, None))
    q = [s]
    while q:
        state = q.pop()
        succ_states = detect_with_new_cons(state)
        for succ in succ_states:
            q.insert(0, succ)
Ejemplo n.º 3
0
def detect_with_new_cons(state):
    print '\n\n>>>>>>>>> Step, Add cons and Detect errors >>>>>>>>>'
    global path_uninit_var, block_cons

    state_ip = state.se.any_int(state.ip)
    print 'state_ip:', hex(state_ip), state
    son_father_process.set_state(state)
    p = proj2.factory.path(state)
    p.step()
    if p.next_run is None:
        print 'Something wrong happen! Fail to step!'
        return []
    succ_states = p.next_run.successors
    if not succ_states:
        succ_states = p.next_run.unconstrained_successors
    if succ_states:
        succ = succ_states[0]
    else:
        succ = None
    path_uninit_var = get_path_uninit_var(path_uninit_var, state_ip, succ,
                                          binary2)
    trace = get_trace(state)
    print 'trace:', [hex(i) for i in trace]
    uninit_var_list = reduce(lambda x, y: x + y,
                             [path_uninit_var[i] for i in trace])
    print_uninit_var(uninit_var_list)

    new_cons = cons_transfer(block_cons[str(state)], uninit_var_list)
    satisfy_succ = []
    for s in succ_states:
        succ = s.copy()
        #print 'succ ip:',succ.ip
        son_father = son_father_process.get_son_father()
        while son_father.has_key(str(succ)):
            succ = succ.copy()
        succ_ip = succ.se.any_int(succ.ip)
        son_father_process.set_son_father(str(succ), (succ_ip, str(state)))
        block_cons[str(succ)] = new_cons
        #update name in constraints (to remove 'taint')
        new_succ_state = succ.copy()
        succ_cons = new_succ_state.se.constraints
        #print 'succ cons:',succ_cons
        rename_cons = []
        for con in succ_cons:
            rename_con = con
            for ast in rename_con.recursive_leaf_asts:
                if ast.symbolic:
                    ast_name = list(ast.variables)[0]
                    if 'taint' in ast_name:
                        i = ast_name.index('taint')
                        new_ast = claripy.BVS(ast_name[:i - 1],
                                              ast.length,
                                              explicit_name=True)
                        rename_con = rename_con.replace(ast, new_ast)
            rename_cons.append(rename_con)
        #print 'succ rename cons:',rename_cons
        all_cons = new_cons + rename_cons
        #print 'all_cons:',all_cons
        if not succ.se.symbolic(
                succ.ip) and new_succ_state.se.satisfiable(all_cons):
            #print 'satisfy succ:',succ.ip
            satisfy_succ.append(succ)
    return satisfy_succ