def solve_for_memory_access(self, expr_mem, access_type, additional_constraints=set()):
# Check that input has effect on memory referenced
if get_expr_ids(expr_mem.ptr) & self.symbolized_mem_ids:
for possibility in possible_values(expr_mem.ptr):
address_expr = possibility.value
access_len = int(expr_mem.size/8)
# 5 sec timeout
#self.dse.cur_solver.set('timeout', 5000)
# Save solver state
self.dse.cur_solver.push()
# Add constraints from the expr itself
for cons in possibility.constraints.union(additional_constraints):
eaff = cons.to_constraint()
#print '\tADDING CONSTRAINT: ' + str(eaff)
self.dse.cur_solver.add(self.dse.z3_trans.from_expr(eaff))
# Add memory constraints
for mem_range in self.dse.valid_ranges:
# Add range constraint
rc = z3.Not(z3.And(z3.UGE(self.dse.z3_trans.from_expr(address_expr), self.dse.z3_trans.from_expr(mem_range[0])),
z3.ULE(self.dse.z3_trans.from_expr(address_expr), self.dse.z3_trans.from_expr(mem_range[1]-ExprInt(access_len-1, 64)))
)
)
self.dse.cur_solver.add(rc)
#print solver
#import pdb; pdb.set_trace()
if self.dse.cur_solver.check()==z3.sat:
model = self.dse.cur_solver.model()
#import pdb; pdb.set_trace()
log.debug('SYMB 0x{:08X}: {:s} -> {}AV[{:s}] '.format(self.dse.jitter.pc, \
str(model), access_type, \
str(self.dse.symb.eval_expr(address_expr, eval_cache={})))
)
# Evaluate the buffer that would cause the crash
crashbuf = self.derive_crashbuf(model)
# Evaluate the AV adress
values = self.get_values_from_model(model)
self.dse.crashes.append(crash( self.dse.jitter.pc, \
self.dse.symb.eval_expr(address_expr, eval_cache=values), \
access_type, \
crashbuf, \
int(self.dse.callsite)
)
)
# Reset the solver
self.dse.cur_solver.pop()
return
def mem_read(self, expr_mem):
#print expr_mem
if not self.dse._state_check_in_progress:
# Check for ReadAV
self.solve_for_memory_access(expr_mem, 'READAV')
val = super(ESETrackMemory, self).mem_read(expr_mem)
# Check for uninitialized memory access
if not self.dse._state_check_in_progress:
# TODO: Something with better perf
for uninit in [i for i in get_expr_ids(val) if i.name.startswith('UNINIT')]:
log.debug(f'LIVE 0x{self.dse.jitter.pc:08X}: UNINIT on "{str(uninit):s}"')
self.dse.crashes.append(crash( self.dse.jitter.pc, \
uninit, \
'UNINIT', \
self.dse.current.buf, \
int(self.dse.callsite)
)
)
return val
def get_regs(self, expr):
return get_expr_ids(expr)
print(k, v)
reqs.append((k, v))
all_info.append((addr, reqs))
all_cases = set()
symbexec = SymbolicExecutionEngine(lifter)
for addr, reqs_cond in all_info:
out = ['(set-logic QF_ABV)',
'(set-info :smt-lib-version 2.0)']
conditions = []
all_ids = set()
for expr, value in reqs_cond:
all_ids.update(get_expr_ids(expr))
expr_test = ExprCond(expr,
ExprInt(1, value.size),
ExprInt(0, value.size))
cond = translator_smt2.from_expr(ExprAssign(expr_test, value))
conditions.append(cond)
for name in all_ids:
out.append("(declare-fun %s () (_ BitVec %d))" % (name, name.size))
if not out:
continue
out += conditions
out.append('(check-sat)')
open('out.dot', 'w').write('\n'.join(out))
try:
print(k, v)
reqs.append((k, v))
all_info.append((addr, reqs))
all_cases = set()
symbexec = SymbolicExecutionEngine(ir_arch)
for addr, reqs_cond in all_info:
out = ['(set-logic QF_ABV)',
'(set-info :smt-lib-version 2.0)']
conditions = []
all_ids = set()
for expr, value in reqs_cond:
all_ids.update(get_expr_ids(expr))
expr_test = ExprCond(expr,
ExprInt(1, value.size),
ExprInt(0, value.size))
cond = translator_smt2.from_expr(ExprAssign(expr_test, value))
conditions.append(cond)
for name in all_ids:
out.append("(declare-fun %s () (_ BitVec %d))" % (name, name.size))
if not out:
continue
out += conditions
out.append('(check-sat)')
open('out.dot', 'w').write('\n'.join(out))
try:
def get_virtids_addresses(self, expr):
addresses = set()
mems = get_expr_mem(expr)
for mem in mems:
addresses |= set([{self.symb.dse_memory_to_expr(b):b for r in self.symb.dse_memory_range for b in range(r[0], r[1]+1)}[exprid] for exprid in get_expr_ids(mem.ptr)])
return addresses