Beispiel #1
0
func SetupElfAuxv(u models.Usercorn) ([]byte, error) {
	var buf bytes.Buffer
	auxv, err := setupElfAuxv(u)
	if err != nil {
		return nil, err
	}
	options := &struc.Options{
		PtrSize: int(u.Bits()),
		Order:   u.ByteOrder(),
	}
	for _, a := range auxv {
		if err := struc.PackWithOptions(&buf, &a, options); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), err
}
Beispiel #2
0
func SetupElfAuxv(u models.Usercorn) ([]byte, error) {
	var buf bytes.Buffer
	auxv, err := setupElfAuxv(u)
	if err != nil {
		return nil, err
	}
	if u.Bits() == 32 {
		var auxv32 Elf32Auxv
		for _, a := range auxv {
			auxv32.Type = uint32(a.Type)
			auxv32.Val = uint32(a.Val)
			if err := struc.PackWithOrder(&buf, &auxv32, u.ByteOrder()); err != nil {
				return nil, err
			}
		}
	} else {
		for _, a := range auxv {
			if err := struc.PackWithOrder(&buf, &a, u.ByteOrder()); err != nil {
				return nil, err
			}
		}
	}
	return buf.Bytes(), err
}
Beispiel #3
0
func setupTraps(u models.Usercorn, kernel *ArmLinuxKernel) error {
	// handle arm kernel traps
	// https://www.kernel.org/doc/Documentation/arm/kernel_user_helpers.txt
	if err := u.MemMap(0xffff0000, 0x10000); err != nil {
		return err
	}
	for addr := 0; addr < 0x10000; addr += 4 {
		// write "bx lr" to all kernel trap addresses so they will return
		bxlr := []byte{0x1e, 0xff, 0x2f, 0xe1}
		if err := u.MemWrite(0xffff0000+uint64(addr), bxlr); err != nil {
			return err
		}
	}
	_, err := u.HookAdd(uc.HOOK_CODE, func(_ uc.Unicorn, addr uint64, size uint32) {
		switch addr {
		case 0xffff0fa0:
			// __kuser_memory_barrier
			// *shrug*
		case 0xffff0f60:
			// __kuser_cmpxchg64
			// TODO: DRY possible here?
			oldval, _ := u.RegRead(uc.ARM_REG_R0)
			newval, _ := u.RegRead(uc.ARM_REG_R1)
			ptr, _ := u.RegRead(uc.ARM_REG_R2)
			var tmp [8]byte
			var status uint64
			if err := u.MemReadInto(tmp[:], ptr); err != nil {
				// error
			} else if u.ByteOrder().Uint64(tmp[:]) == oldval {
				u.ByteOrder().PutUint64(tmp[:], newval)
				u.MemWrite(ptr, tmp[:])
				status = 1
			}
			u.RegWrite(uc.ARM_REG_R0, status)
		case 0xffff0fc0:
			// __kuser_cmpxchg
			// TODO: would this throw a segfault?
			// TODO: flags are not set
			oldval, _ := u.RegRead(uc.ARM_REG_R0)
			newval, _ := u.RegRead(uc.ARM_REG_R1)
			ptr, _ := u.RegRead(uc.ARM_REG_R2)
			var tmp [4]byte
			var status uint64
			if err := u.MemReadInto(tmp[:], ptr); err != nil {
				// error
			} else if u.UnpackAddr(tmp[:]) == oldval {
				u.PackAddr(tmp[:], newval)
				u.MemWrite(ptr, tmp[:])
				status = 1
			}
			u.RegWrite(uc.ARM_REG_R0, status)
		case 0xffff0fe0:
			// __kuser_get_tls
			u.RegWrite(uc.ARM_REG_R0, kernel.tls)
		case 0xffff0ffc:
			// __kuser_helper_version
			u.RegWrite(uc.ARM_REG_R0, 2)
		default:
			panic(fmt.Sprintf("unsupported kernel trap: 0x%x\n", addr))
		}
	}, 0xffff0000, 0xffffffff)
	if err != nil {
		return err
	}
	return nil
}