Esempio n. 1
    def test_segv_stack_failure(self):
        '''Faults caused by a bad stack pointer are understood and explained

        Three register/instruction pairs are fed to ParseSegv together with
        the module-level ``regs`` and ``maps`` fixtures.  Each one must be
        reported as understood and must carry the expected text in the
        details.  The "call" and "unknown" cases must also carry a
        stack-specific hint; no hint is asserted for the "push" case.
        '''

        # Each row: %esp register line appended to the fixture, the faulting
        # instruction, the finding expected in details, and an optional
        # stack hint (None when the test asserts no hint).
        scenarios = (
            # Triggered via "push": the implicit store through %esp faults.
            ('esp            0xbfc56ff0   0xbfc56ff0',
             '0x08083547 <main+7>:    push  %eax',
             'destination "(%esp)" (0xbfc56ff0) not located in a known VMA region (needed writable region)!',
             None),
            # Triggered via "call": expected to be called out as stack
            # exhaustion rather than a stray write.
            ('esp            0xbfc56fff   0xbfc56fff',
             '0x08083547 <main+7>:    callq  0x08083540',
             'destination "(%esp)" (0xbfc56fff) not located in a known VMA region (needed writable region)!',
             'Stack memory exhausted'),
            # Triggered via unknown reason: the instruction does not touch
            # the stack, but SP itself points outside every known mapping.
            ('esp            0xdfc56000   0xdfc56000',
             '0x08083540 <main+0>:    mov    $1,%rcx',
             'SP (0xdfc56000) not located in a known VMA region (needed readable region)!',
             'Stack pointer not within stack segment'),
        )

        for esp_line, insn_line, finding, stack_hint in scenarios:
            segv = parse_segv.ParseSegv(regs + esp_line, insn_line, maps)
            understood, _reason, details = segv.report()
            self.assertTrue(understood, details)
            self.assertTrue(finding in details, details)
            if stack_hint is not None:
                self.assertTrue(stack_hint in details, details)
Esempio n. 2
    def test_segv_crackful_disasm(self):
        '''Malformed operands make report() raise ValueError

        Both instruction lines are accepted by the constructor, so the
        failure is expected from report(), which must refuse the operand
        with ValueError instead of producing a classification.
        '''

        malformed = (
            # Parenthesised base that is not a %-prefixed register.
            '0x08083547 <main+7>:    pushl  -0x4(blah)',
            # Displacement written as "-04" rather than "-0x4".
            '0x08083547 <main+7>:    pushl  -04(%ecx)',
        )
        for insn_line in malformed:
            segv = parse_segv.ParseSegv(regs, insn_line, maps)
            self.assertRaises(ValueError, segv.report)
Esempio n. 3
    def test_invalid_02_maps(self):
        '''Garbage maps are rejected; well-formed maps are parsed entry by entry'''
        regs = 'a 0x10'
        disasm = 'Dump ...\n0x08083540 <main+0>:    lea    0x4(%esp),%ecx\n'

        # Text that does not look like a memory map must fail construction.
        maps = 'asdlkfjaadf'
        self.assertRaises(ValueError, parse_segv.ParseSegv, regs, disasm, maps)

        maps = '''005a3000-005a4000 rw-p 00035000 08:06 65575      /lib/libncurses.so.5.7
00b67000-00b68000 r-xp 00000000 00:00 0          [vdso]
00c67000-00c68000 r--p 00000000 00:00 0 '''
        segv = parse_segv.ParseSegv(regs, disasm, maps)

        # (start, end, perms, name) expected for segv.maps[0..2], in order.
        expected_entries = (
            (0x005a3000, 0x005a4000, 'rw-p', '/lib/libncurses.so.5.7'),
            (0x00b67000, 0x00b68000, 'r-xp', '[vdso]'),
            # Third line has no name column, so the parsed name is None.
            (0x00c67000, 0x00c68000, 'r--p', None),
        )
        for index, (start, end, perms, name) in enumerate(expected_entries):
            entry = segv.maps[index]
            self.assertEqual(entry['start'], start, segv)
            self.assertEqual(entry['end'], end, segv)
            self.assertEqual(entry['perms'], perms, segv)
            self.assertEqual(entry['name'], name, segv)
Esempio n. 4
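    def test_invalid_00_registers(self):
        '''Require valid registers

        A register dump holding a non-numeric value must make the
        constructor raise ValueError whose text comes from int().  A valid
        dump must be parsed into segv.regs, and parse_disassembly() must
        raise ValueError once the register table has been cleared.
        '''

        regs = 'a 0x10\nb !!!\n'
        # Capture the exception from a single call.  The message check then
        # always runs, instead of sitting in an except branch that would be
        # skipped silently if a second construction attempt did not raise.
        with self.assertRaises(ValueError) as caught:
            parse_segv.ParseSegv(regs, '', '')
        message = str(caught.exception)
        self.assertIn('invalid literal for int()', message, message)

        regs = 'a 0x10'
        disasm = '0x08083540 <main+0>:    lea    0x4(%esp),%ecx\n'
        segv = parse_segv.ParseSegv(regs, disasm, '')
        self.assertEqual(segv.regs['a'], 0x10, segv)

        # Without a register table the disassembly parser must refuse to run.
        segv.regs = None
        self.assertRaises(ValueError, segv.parse_disassembly, '')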
Esempio n. 5
    def test_segv_pc_null(self):
        '''A program counter at a very low address is reported as executing the NULL VMA'''

        # PC 0x540 is expected to fall outside every mapping in the fixture.
        faulting_insn = '0x00000540 <main+0>:    lea    0x4(%esp),%ecx'
        outcome = parse_segv.ParseSegv(regs, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        pc_finding = 'PC (0x00000540) not located in a known VMA region'
        self.assertTrue(pc_finding in details, details)
        self.assertTrue('executing NULL VMA' in reason, reason)
Esempio n. 6
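    def test_debug(self):
        '''Debug mode works

        Constructs ParseSegv with debug=True while sys.stderr points at a
        temporary file, so whatever the debug path prints does not reach the
        test output.  The only assertion is that construction succeeds.
        '''

        regs = 'a 0x10'
        disasm = 'Dump ...\n0x08083540 <main+0>:    lea    0x4(%esp),%ecx\n'
        maps = '''005a3000-005a4000 rw-p 00035000 08:06 65575      /lib/libncurses.so.5.7
00b67000-00b68000 r-xp 00000000 00:00 0          [vdso]
00c67000-00c68000 r--p 00000000 00:00 0 '''

        # Redirect stderr only for the duration of the call and always put
        # the real stream back: leaving the process-wide sys.stderr pointed
        # at a temporary file would hide diagnostics from every test that
        # runs afterwards and would keep the file handle open.
        # NOTE(review): NamedTemporaryFile defaults to binary mode; if the
        # debug path writes str to sys.stderr under Python 3 this needs
        # mode='w+' -- confirm against parse_segv.
        saved_stderr = sys.stderr
        with tempfile.NamedTemporaryFile(prefix='parse_segv-stderr-') as sink:
            sys.stderr = sink
            try:
                segv = parse_segv.ParseSegv(regs, disasm, maps, debug=True)
            finally:
                sys.stderr = saved_stderr
        self.assertTrue(segv is not None, segv)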
Esempio n. 7
    def test_segv_pc_nx_writable(self):
        '''A program counter inside a writable, non-executable mapping is named as such

        The expected reason identifies the mapping by path.  Execution from
        a writable region is the kind of crash a triager usually wants
        surfaced first, so the wording is pinned here.
        '''

        # PC 0x005a3000 is expected to land in the libncurses mapping, which
        # the report describes as writable and non-executable.
        faulting_insn = '0x005a3000 <main+0>:    lea    0x4(%esp),%ecx'
        outcome = parse_segv.ParseSegv(regs, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        pc_finding = 'PC (0x005a3000) in non-executable VMA region:'
        self.assertTrue(pc_finding in details, details)
        verdict = 'executing writable VMA /lib/libncurses.so.5.7'
        self.assertTrue(verdict in reason, reason)
Esempio n. 8
    def test_segv_dest_not_writable(self):
        '''A store into a mapped but non-writable region is attributed to that mapping'''

        # %esp is set to 0x08048080; the pushl then stores through it, and
        # the report is expected to place that address in /usr/bin/gdb.
        with_esp = regs + 'esp            0x08048080   0xbfc6af24'
        faulting_insn = '0x08083547 <main+7>:    pushl  -0x4(%ecx)'
        outcome = parse_segv.ParseSegv(with_esp, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        dest_finding = 'destination "(%esp)" (0x08048080) in non-writable VMA region:'
        self.assertTrue(dest_finding in details, details)
        self.assertTrue('writing VMA /usr/bin/gdb' in reason, reason)
Esempio n. 9
    def test_segv_stack_kernel_segfault(self):
        '''Unexplained faults carry the kernel hint only for the __kernel_vsyscall site

        Neither crash may be reported as understood.  The kernel-code hint
        is expected for the second crash site only.
        '''

        kernel_hint = '(Unhandled exception in kernel code?)'

        # Crash in valid code path: plain "ret", no kernel hint expected.
        user_site = '0x0056e010: ret'
        outcome = parse_segv.ParseSegv(regs, user_site, maps).report()
        understood, _reason, details = outcome
        self.assertFalse(understood, details)
        undetermined = 'Reason could not be automatically determined.'
        self.assertTrue(undetermined in details, details)
        self.assertFalse(kernel_hint in details, details)

        # Crash from kernel code path: same instruction, but the site is
        # labelled __kernel_vsyscall, and the hint must follow the verdict.
        kernel_site = '0x00b67422 <__kernel_vsyscall+2>: ret'
        outcome = parse_segv.ParseSegv(regs, kernel_site, maps).report()
        understood, _reason, details = outcome
        self.assertFalse(understood, details)
        undetermined_with_hint = 'Reason could not be automatically determined. (Unhandled exception in kernel code?)'
        self.assertTrue(undetermined_with_hint in details, details)
Esempio n. 10
    def test_segv_dest_null(self):
        '''A store through a near-zero stack pointer is reported as writing the NULL VMA'''

        # %esp = 0x24, so the implicit push destination is a very low address.
        with_esp = regs + 'esp            0x00000024   0xbfc6af24'
        faulting_insn = '0x08083547 <main+7>:    pushl  -0x4(%ecx)'

        outcome = parse_segv.ParseSegv(with_esp, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        dest_finding = 'destination "(%esp)" (0x00000024) not located in a known VMA region'
        self.assertTrue(dest_finding in details, details)
        self.assertTrue('writing NULL VMA' in reason, reason)
Esempio n. 11
    def test_segv_src_null(self):
        '''A load through a near-zero register is reported as reading the NULL VMA'''

        # %ecx = 0x24, so the source operand -0x4(%ecx) resolves to 0x20.
        with_ecx = regs + 'ecx            0x00000024   0xbfc6af24'
        faulting_insn = '0x08083547 <main+7>:    pushl  -0x4(%ecx)'

        outcome = parse_segv.ParseSegv(with_ecx, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        src_finding = 'source "-0x4(%ecx)" (0x00000020) not located in a known VMA region'
        self.assertTrue(src_finding in details, details)
        self.assertTrue('reading NULL VMA' in reason, reason)
Esempio n. 12
    def test_register_values(self):
        '''Sub-register names return the matching low bits of the 64-bit register'''

        disasm = '0x08083540 <main+0>:    mov    $1,%ecx'
        segv = parse_segv.ParseSegv(regs64, disasm, '')

        # 64-, 32-, 16- and 8-bit views of rdx; each expected value is the
        # previous one truncated to the narrower width.
        views = (
            ('%rdx', 0xffffffffff600180),
            ('%edx', 0xff600180),
            ('%dx', 0x0180),
            ('%dl', 0x80),
        )
        for name, expected in views:
            val = segv.register_value(name)
            self.assertEqual(val, expected, hex(val))
Esempio n. 13
    def test_segv_src_missing(self):
        '''A load from an address outside every mapping is reported as reading an unknown VMA'''

        with_ecx = regs + 'ecx            0x0006af24   0xbfc6af24'

        # Both crashes are valid and share the same %ecx.  The first reads
        # memory at %ecx - 4, the second calls through %ecx itself.
        crashes = (
            ('0x08083547 <main+7>:    pushl  -0x4(%ecx)',
             'source "-0x4(%ecx)" (0x0006af20) not located in a known VMA region'),
            ('0x08083547 <main+7>:    callq  *%ecx',
             'source "*%ecx" (0x0006af24) not located in a known VMA region'),
        )
        for insn_line, src_finding in crashes:
            segv = parse_segv.ParseSegv(with_ecx, insn_line, maps)
            understood, reason, details = segv.report()
            self.assertTrue(understood, details)
            self.assertTrue(src_finding in details, details)
            self.assertTrue('reading unknown VMA' in reason, reason)
Esempio n. 14
    def test_segv_unknown(self):
        '''A fault with no recognisable cause is not understood; operand arithmetic is still correct'''

        disasm = '0x08083540 <main+0>:    mov    $1,%ecx'
        segv = parse_segv.ParseSegv(regs, disasm, maps)
        understood, _reason, details = segv.report()
        self.assertFalse(understood, details)

        # Verify calculations.  Each row: operand text, expected effective
        # address, and the register whose value is shown on failure (None
        # means the operand text itself is used as the message).
        operand_checks = (
            ('(%ecx)', 0xbfc6af40, 'ecx'),
            ('0x10(%ecx)', 0xbfc6af50, 'ecx'),
            ('-0x20(%ecx)', 0xbfc6af20, 'ecx'),
            ('%fs:(%ecx)', 0xbfc6af44, 'ecx'),
            ('0x3404403', 0x3404403, None),
            ('*0x40(%edi)', 0x80834c0, 'edi'),
            ('(%edx,%ebx,1)', 0x26eff5, 'ebx'),
            ('(%eax,%ebx,1)', 0x26eff3, 'ebx'),
            ('0x10(,%ebx,1)', 0x26f004, 'ebx'),
        )
        for operand, expected, shown_reg in operand_checks:
            computed = segv.calculate_arg(operand)
            # Look the register up after the calculation, in the same order
            # as a direct assertEqual call would evaluate its arguments.
            failure_note = operand if shown_reg is None else segv.regs[shown_reg]
            self.assertEqual(computed, expected, failure_note)

        # Again, but 64bit
        disasm = '0x08083540 <main+0>:    mov    $1,%rcx'
        segv = parse_segv.ParseSegv(regs64, disasm, maps)
        understood, _reason, details = segv.report()
        self.assertFalse(understood, details)

        computed = segv.calculate_arg('(%rax,%rbx,1)')
        self.assertEqual(computed, 0x26eff3, segv.regs['rbx'])
Esempio n. 15
    def test_segv_src_not_readable(self):
        '''A load from a mapped but unreadable region is attributed to that mapping

        The stack-related hints must not appear in the details for this
        crash.
        '''

        # %ecx = 0x0026c080, so -0x4(%ecx) resolves to 0x0026c07c, which the
        # report is expected to place in the libc mapping.
        with_ecx = regs + 'ecx            0x0026c080   0xbfc6af24'
        faulting_insn = '0x08083547 <main+7>:    pushl  -0x4(%ecx)'
        outcome = parse_segv.ParseSegv(with_ecx, faulting_insn, maps).report()
        understood, reason, details = outcome

        self.assertTrue(understood, details)
        src_finding = 'source "-0x4(%ecx)" (0x0026c07c) in non-readable VMA region:'
        self.assertTrue(src_finding in details, details)
        verdict = 'reading VMA /lib/tls/i686/cmov/libc-2.9.so'
        self.assertTrue(verdict in reason, reason)

        # Neither stack diagnosis may leak into a non-stack fault.
        for stack_hint in ('Stack memory exhausted',
                           'Stack pointer not within stack segment'):
            self.assertFalse(stack_hint in details, details)
Esempio n. 16
    def test_ioport_operation(self):
        '''An "out" instruction is parsed and reported as a disallowed I/O port operation'''

        regs = 'rax            0x3  3'
        # The instruction sits on the line after the address/symbol line.
        disasm = '''0x4087f1 <snd_pcm_hw_params_set_channels_near@plt+19345>:
    out    %al,$0xb3
'''
        maps = '''00400000-00412000 r-xp 00000000 08:04 10371157                           /usr/sbin/pommed
00611000-00614000 rw-p 00011000 08:04 10371157                           /usr/sbin/pommed
00614000-00635000 rw-p 00614000 00:00 0                                  [heap]
'''
        segv = parse_segv.ParseSegv(regs, disasm, maps)

        # Parsed fields, checked in order; the observed value doubles as the
        # failure message.
        parsed_fields = (
            ('pc', 0x4087f1),
            ('insn', 'out'),
            ('src', '%al'),
            ('dest', '$0xb3'),
        )
        for field, expected in parsed_fields:
            observed = getattr(segv, field)
            self.assertEqual(observed, expected, observed)

        understood, reason, details = segv.report()
        self.assertTrue(understood, details)
        # NOTE(review): the expected text names port 3, which matches the
        # rax/%al value supplied above, while the immediate operand of this
        # "out" is $0xb3 (parsed as dest).  In AT&T syntax the immediate is
        # the port number -- confirm which value the message should carry.
        port_verdict = 'disallowed I/O port operation on port 3'
        self.assertTrue(port_verdict in reason, reason)
Esempio n. 17
    def test_invalid_01_disassembly(self):
        '''Unusable disassembly is rejected; usable lines yield pc, insn, src and dest

        The first group of inputs must make the constructor raise
        ValueError.  The second group must parse, and each row pins the
        program counter, mnemonic and both operands that ParseSegv exposes.
        '''
        regs = 'a 0x10'

        # Empty text, a header with no instruction, and non-disassembly text.
        unusable = ('', 'Dump ...', 'Dump ...\nmonkey', 'monkey')
        for disasm in unusable:
            self.assertRaises(ValueError, parse_segv.ParseSegv, regs, disasm, '')

        # Each row: register text, disassembly, then expected pc, insn, src, dest.
        parseable = (
            # Only the address is available: no instruction fields.
            (regs, '0x1111111111: Cannot access memory at address 0x1111111111\n',
             0x1111111111, None, None, None),
            (regs, '0x2111111111: \n',
             0x2111111111, None, None, None),
            # Two operands, the second using base/index/scale addressing.
            (regs, '0x8069ff0 <fopen@plt+132220>: cmpb   $0x0,(%eax,%ebx,1)\n',
             0x8069ff0, 'cmpb', '$0x0', '(%eax,%ebx,1)'),
            # Indirect and direct calls: a source only, no destination.
            (regs, '0xb765bb48 <_XSend+440>:  call   *0x40(%edi)\n',
             0xb765bb48, 'call', '*0x40(%edi)', None),
            (regs, '0xb7aae5a0:   call   0xb7a805af <_Unwind_Find_FDE@plt+111>\n',
             0xb7aae5a0, 'call', '0xb7a805af', None),
            # Segment-prefixed destination, no symbol on the address.
            (regs, '0x09083540:    mov    0x4(%esp),%es:%ecx\n',
             0x09083540, 'mov', '0x4(%esp)', '%es:%ecx'),
            (regs, '0x08083540 <main+0>:    lea    0x4(%esp),%ecx\n',
             0x08083540, 'lea', '0x4(%esp)', '%ecx'),
            # Instruction on the line after the address; prefix kept in insn.
            (regs, '''0x404127 <exo_mount_hal_device_mount+167>:
    repz cmpsb %es:(%rdi),%ds:(%rsi)\n''',
             0x0404127, 'repz cmpsb', '%es:(%rdi)', '%ds:(%rsi)'),
            # No trailing newline.
            (regs, '0xb031765a <hufftab16+570>: add    0x3430433,%eax',
             0xb031765a, 'add', '0x3430433', '%eax'),
            # A leading "Dump ..." header line is tolerated.
            (regs, 'Dump ...\n0x08083540 <main+0>:    lea    0x4(%esp),%ecx\n',
             0x08083540, 'lea', '0x4(%esp)', '%ecx'),
            # No operands at all.
            (regs, '0x08083550 <main+0>:    nop\n',
             0x08083550, 'nop', None, None),
            # push has one written operand; dest is expected to be (%esp).
            ('esp 0x444', '0x08083560 <main+0>:    push %ecx\n',
             0x08083560, 'push', '%ecx', '(%esp)'),
            # GDB 7.1: current-instruction marker in front of the address.
            ('esp 0x444', '=> 0x08083560 <main+0>:    push %ecx\n',
             0x08083560, 'push', '%ecx', '(%esp)'),
        )
        for reg_text, disasm, pc, insn, src, dest in parseable:
            segv = parse_segv.ParseSegv(reg_text, disasm, '')
            self.assertEqual(segv.pc, pc, segv.pc)
            self.assertEqual(segv.insn, insn, segv.insn)
            self.assertEqual(segv.src, src, segv.src)
            self.assertEqual(segv.dest, dest, segv.dest)