func packAddrs(u models.Usercorn, addrs []uint64) ([]byte, error) {
buf := make([]byte, int(u.Bits())/8*(len(addrs)+1))
pos := buf
for _, v := range addrs {
x, err := u.PackAddr(pos, v)
if err != nil {
return nil, err
}
pos = pos[len(x):]
}
return buf, nil
}
func StackInit(u models.Usercorn, args, env []string, auxv []byte) error {
if _, err := u.Push(0); err != nil {
return err
}
if len(args) > 0 {
if _, err := u.PushBytes([]byte(args[0] + "\x00")); err != nil {
return err
}
}
// push argv and envp strings
envp, err := pushStrings(u, env...)
if err != nil {
return err
}
argv, err := pushStrings(u, args...)
if err != nil {
return err
}
// precalc envp -> argc for stack alignment
envpb, err := packAddrs(u, envp)
if err != nil {
return err
}
argvb, err := packAddrs(u, argv)
if err != nil {
return err
}
var tmp [8]byte
argcb, err := u.PackAddr(tmp[:], uint64(len(argv)))
init := append(argcb, argvb...)
init = append(init, envpb...)
// align stack pointer
sp, _ := u.RegRead(u.Arch().SP)
sp &= ^uint64(15)
off := len(init) & 15
if off > 0 {
sp -= uint64(16 - off)
}
u.RegWrite(u.Arch().SP, sp)
// auxv
if len(auxv) > 0 {
if _, err := u.PushBytes(auxv); err != nil {
return err
}
}
// write envp -> argc
u.PushBytes(init)
return err
}
func StackInit(u models.Usercorn, args, env []string) error {
exe := u.Exe()
addr, err := u.PushBytes([]byte(exe + "\x00"))
if err != nil {
return err
}
var tmp [8]byte
auxv, err := u.PackAddr(tmp[:], addr)
if err != nil {
return err
}
err = posix.StackInit(u, args, env, auxv)
if err != nil {
return err
}
// offset to mach_header at exe[0:] in guest memory
textOffset, _, _ := u.Loader().Header()
offset := u.Base() + textOffset
_, err = u.Push(offset)
return err
}
func writeAddr(u models.Usercorn, addr, val uint64) {
var buf [4]byte
u.PackAddr(buf[:], val)
u.MemWrite(addr, buf[:])
}
func setupTraps(u models.Usercorn, kernel *ArmLinuxKernel) error {
// handle arm kernel traps
// https://www.kernel.org/doc/Documentation/arm/kernel_user_helpers.txt
if err := u.MemMap(0xffff0000, 0x10000); err != nil {
return err
}
for addr := 0; addr < 0x10000; addr += 4 {
// write "bx lr" to all kernel trap addresses so they will return
bxlr := []byte{0x1e, 0xff, 0x2f, 0xe1}
if err := u.MemWrite(0xffff0000+uint64(addr), bxlr); err != nil {
return err
}
}
_, err := u.HookAdd(uc.HOOK_CODE, func(_ uc.Unicorn, addr uint64, size uint32) {
switch addr {
case 0xffff0fa0:
// __kuser_memory_barrier
// *shrug*
case 0xffff0f60:
// __kuser_cmpxchg64
// TODO: DRY possible here?
oldval, _ := u.RegRead(uc.ARM_REG_R0)
newval, _ := u.RegRead(uc.ARM_REG_R1)
ptr, _ := u.RegRead(uc.ARM_REG_R2)
var tmp [8]byte
var status uint64
if err := u.MemReadInto(tmp[:], ptr); err != nil {
// error
} else if u.ByteOrder().Uint64(tmp[:]) == oldval {
u.ByteOrder().PutUint64(tmp[:], newval)
u.MemWrite(ptr, tmp[:])
status = 1
}
u.RegWrite(uc.ARM_REG_R0, status)
case 0xffff0fc0:
// __kuser_cmpxchg
// TODO: would this throw a segfault?
// TODO: flags are not set
oldval, _ := u.RegRead(uc.ARM_REG_R0)
newval, _ := u.RegRead(uc.ARM_REG_R1)
ptr, _ := u.RegRead(uc.ARM_REG_R2)
var tmp [4]byte
var status uint64
if err := u.MemReadInto(tmp[:], ptr); err != nil {
// error
} else if u.UnpackAddr(tmp[:]) == oldval {
u.PackAddr(tmp[:], newval)
u.MemWrite(ptr, tmp[:])
status = 1
}
u.RegWrite(uc.ARM_REG_R0, status)
case 0xffff0fe0:
// __kuser_get_tls
u.RegWrite(uc.ARM_REG_R0, kernel.tls)
case 0xffff0ffc:
// __kuser_helper_version
u.RegWrite(uc.ARM_REG_R0, 2)
default:
panic(fmt.Sprintf("unsupported kernel trap: 0x%x\n", addr))
}
}, 0xffff0000, 0xffffffff)
if err != nil {
return err
}
return nil
}