def run(self, dst, size, file_ptr):
self.argument_types = {
2: SimTypeFd(),
0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)),
1: SimTypeLength(self.state.arch)
}
self.return_type = self.argument_types[0]
# let's get the memory back for the file we're interested in and find the newline
fd_offset = io_file_data_for_arch(self.state.arch)['fd']
fd = self.state.mem[file_ptr + fd_offset:].int.resolved
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
data, real_size = simfd.read_data(size - 1)
for i, byte in enumerate(data.chop(8)):
self.state.solver.add(
self.state.solver.If(
i + 1 != real_size,
byte != '\n', # if not last byte returned, not newline
self.state.solver.
Or( # otherwise one of the following must be true
i + 2 == size, # we ran out of space, or
byte == '\n' # it is a newline
)))
self.state.memory.store(dst, data, size=real_size)
self.state.memory.store(dst + real_size, '\0')
return real_size
def run(self, sim_nmemb, sim_size):
self.argument_types = {
0: SimTypeLength(self.state.arch),
1: SimTypeLength(self.state.arch)
}
plugin = self.state.get_plugin('libc')
self.return_type = self.ty_ptr(
SimTypeArray(SimTypeTop(sim_size), sim_nmemb))
if self.state.solver.symbolic(sim_nmemb):
# TODO: find a better way
nmemb = self.state.solver.max_int(sim_nmemb)
else:
nmemb = self.state.solver.eval(sim_nmemb)
if self.state.solver.symbolic(sim_size):
# TODO: find a better way
size = self.state.solver.max_int(sim_size)
else:
size = self.state.solver.eval(sim_size)
final_size = size * nmemb
if final_size > plugin.max_variable_size:
final_size = plugin.max_variable_size
addr = plugin.heap_location
plugin.heap_location += final_size
v = self.state.solver.BVV(0, final_size * 8)
self.state.memory.store(addr, v)
return addr
def run(self, sim_nmemb, sim_size):
self.argument_types = {
0: SimTypeLength(self.state.arch),
1: SimTypeLength(self.state.arch)
}
self.return_type = self.ty_ptr(
SimTypeArray(SimTypeTop(sim_size), sim_nmemb))
return self.state.heap._calloc(sim_nmemb, sim_size)
def run(self, fd, dst, length):
self.argument_types = {0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)}
self.return_type = SimTypeLength(self.state.arch)
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
return simfd.read(dst, length)
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
# TODO handle errors
length = self.state.posix.read(fd, dst, length)
return length
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
try:
simfd = self.state.posix.get_fd(fd)
if simfd is None:
return -1
return simfd.read(dst, length)
except angr.SimUnsatError:
return self.state.se.Unconstrained('read', 32, uninitialized=False)
def run(self, fd, dst, length):
self.argument_types = {
0: SimTypeFd(),
1: self.ty_ptr(SimTypeArray(SimTypeChar(), length)),
2: SimTypeLength(self.state.arch)
}
self.return_type = SimTypeLength(self.state.arch)
# TODO handle errors
length = self.state.posix.read(fd, dst, length)
filename = self.state.posix.get_file(fd)
#filter read passwd file
if (filename.name.find('passwd') != -1 or 1):
print filename.name + ' !!!'
#print "test!!!!"
fff = open('/data/find_read.flag', 'w')
fff.close()
write_file('read file name: ' + filename.name + '\n')
return length
def run(self, dst, size, file_ptr):
self.argument_types = {
2: SimTypeFd(),
0: self.ty_ptr(SimTypeArray(SimTypeChar(), size)),
1: SimTypeLength(self.state.arch)
}
self.return_type = self.argument_types[0]
# some sensible limits for the new line search
max_symbolic_bytes = self.state.libc.buf_symbolic_bytes
max_str_len = self.state.libc.max_str_len
# let's get the memory back for the file we're interested in and find the newline
fd_offset = io_file_data_for_arch(self.state.arch)['fd']
fd = self.state.mem[file_ptr + fd_offset:].int.resolved
fp = self.state.posix.get_file(fd)
pos = fp.pos
mem = fp.content
# if there exists a limit on the file size, let's respect that, the limit cannot be symbolic
limit = max_str_len if fp.size is None else self.state.se.max_int(
fp.size - pos)
# limit will always be concrete, if it's zero we EOF'd
if limit != 0:
# XXX max_str_len is small, might not be suitable for tracing!
# measure up to the newline of size - 1
r, c, i = mem.find(pos,
self.state.se.BVV('\n'),
limit,
max_symbolic_bytes=max_symbolic_bytes)
else:
r = 0
c = []
# XXX: this is a HACK to determine if r is 0 because there is a newline at the first index or
# if r is 0 because there cannot be any newline
errored = False
if not self.state.se.satisfiable(extra_constraints=(r > 0, )):
errored = True
if self.state.se.solution(mem.load(0, 1), self.state.se.BVV('\n')):
errored = False
# make sure we only read up to size - 1
read_size = self.state.se.If(size == 0, 0, size - 1)
# if file can EOF (ie not completely symbolic)
if fp.size is not None:
read_size = self.state.se.If(limit < read_size, limit, read_size)
# now if find errored then there cannot exist a newline in the file, otherwise this logic checks out
if not errored:
newline_d = self.state.se.If(r == 0, r, r - pos + 1)
distance = self.state.se.If(read_size < newline_d, read_size,
newline_d)
else:
distance = read_size
# read in up to the newline
ret = self.inline_call(angr.SIM_PROCEDURES['posix']['read'], fd, dst,
distance).ret_expr
# in case there's no newline
c = self.state.se.Or(ret == read_size, *c)
self.state.add_constraints(c)
# otherwise we take care of the newline case
# now write the terminating null byte, should be placed after the newline which is also stored
self.state.memory.store(dst + distance, self.state.se.BVV(0, 8))
inner_case = self.state.se.If(self.state.se.And(fp.pos == 0, ret == 0),
0, dst)
return self.state.se.If(size == 0, 0, inner_case)