func LinuxSyscall(u models.Usercorn) {
// TODO: handle errors or something
eax, _ := u.RegRead(uc.X86_REG_EAX)
name, _ := num.Linux_x86[int(eax)]
ret, _ := u.Syscall(int(eax), name, co.RegArgs(u, LinuxRegs))
u.RegWrite(uc.X86_REG_EAX, ret)
}
func StackInit(u models.Usercorn, args, env []string, auxv []byte) error {
// push argv and envp strings
envp, err := pushStrings(u, env...)
if err != nil {
return err
}
argv, err := pushStrings(u, args...)
if err != nil {
return err
}
// align stack pointer
sp, _ := u.RegRead(u.Arch().SP)
u.RegWrite(u.Arch().SP, (sp & ^uint64(15)))
// end marker
if _, err := u.Push(0); err != nil {
return err
}
// auxv
if len(auxv) > 0 {
if _, err := u.PushBytes(auxv); err != nil {
return err
}
}
// envp
if err := pushAddrs(u, envp); err != nil {
return err
}
// argv
if err := pushAddrs(u, argv); err != nil {
return err
}
// argc
_, err = u.Push(uint64(len(args)))
return err
}
func LinuxSyscall(u models.Usercorn) {
// TODO: handle errors or something
num, _ := u.RegRead(uc.MIPS_REG_V0)
name, _ := sysnum.Linux_mips[int(num)]
ret, _ := u.Syscall(int(num), name, common.RegArgs(u, LinuxRegs))
u.RegWrite(uc.MIPS_REG_V0, ret)
}
func LinuxSyscall(u models.Usercorn) {
// TODO: handle errors or something
g1, _ := u.RegRead(uc.SPARC_REG_G1)
// TODO: add sparc x86 syscall numbers to ghostrace
name, _ := num.Linux_x86[int(g1)]
ret, _ := u.Syscall(int(g1), name, co.RegArgs(u, LinuxRegs))
u.RegWrite(uc.SPARC_REG_O0, ret)
}
func DarwinSyscall(u models.Usercorn, class int) {
getArgs := common.StackArgs(u)
eax, _ := u.RegRead(uc.X86_REG_EAX)
nr := class<<24 | int(eax)
name, _ := num.Darwin_x86_mach[nr]
ret, _ := u.Syscall(nr, name, getArgs)
u.RegWrite(uc.X86_REG_EAX, ret)
}
func LinuxSyscall(u models.Usercorn, num int) {
// TODO: EABI has a different syscall base (OABI is 0x900000)
// TODO: does the generator handle this? it needs to.
if num > 0x900000 {
num -= 0x900000
}
name, _ := sysnum.Linux_arm[int(num)]
ret, _ := u.Syscall(int(num), name, common.RegArgs(u, LinuxRegs))
u.RegWrite(uc.ARM_REG_R0, ret)
}
func DarwinSyscall(u models.Usercorn, class int) {
// TODO: read args from stack without modifying reg so we don't need to restore esp
esp, _ := u.RegRead(uc.X86_REG_ESP)
getArgs := common.StackArgs(u)
eax, _ := u.RegRead(uc.X86_REG_EAX)
nr := class<<24 | int(eax)
name, _ := num.Darwin_x86_mach[nr]
ret, _ := u.Syscall(nr, name, getArgs)
u.RegWrite(uc.X86_REG_EAX, ret)
u.RegWrite(uc.X86_REG_ESP, esp)
}
func Rdmsr(u models.Usercorn, msr uint64) uint64 {
rcx, _ := u.RegRead(uc.X86_REG_RCX)
rdx, _ := u.RegRead(uc.X86_REG_RDX)
rdmsr := []byte{0x0F, 0x30}
regs := map[int]uint64{uc.X86_REG_RAX: msr}
u.RunShellcode(0, rdmsr, regs, nil)
ecx, _ := u.RegRead(uc.X86_REG_ECX)
edx, _ := u.RegRead(uc.X86_REG_EDX)
u.RegWrite(uc.X86_REG_RCX, rcx)
u.RegWrite(uc.X86_REG_RDX, rdx)
return (edx << 32) | (ecx & 0xFFFFFFFF)
}
func CgcSyscall(u models.Usercorn) {
// TODO: handle errors or something
args, _ := u.ReadRegs(LinuxRegs)
eax, _ := u.RegRead(uc.X86_REG_EAX)
var ret uint64
switch eax {
case 1: // _terminate
syscall.Exit(int(args[0]))
case 2: // transmit
mem, _ := u.MemRead(args[1], args[2])
n, _ := syscall.Write(int(args[0]), mem)
writeAddr(u, args[3], uint64(n))
case 3: // receive
tmp := make([]byte, args[2])
n, _ := syscall.Read(int(args[0]), tmp)
u.MemWrite(args[1], tmp[:n])
writeAddr(u, args[3], uint64(n))
case 5: // allocate
addr, _ := u.Mmap(0, args[0])
// args[1] == is executable
writeAddr(u, args[2], addr)
case 6: // fdwait
nfds := int(args[0])
var readSet, writeSet *fdset32
var timeout posix.Timespec
u.StrucAt(args[1]).Unpack(&readSet)
u.StrucAt(args[2]).Unpack(&writeSet)
u.StrucAt(args[3]).Unpack(&timeout)
readyFds := args[4]
readNative := readSet.Native()
writeNative := writeSet.Native()
n, err := cgcNativeSelect(nfds, readNative, writeNative, &timeout)
if err != nil {
ret = UINT32_MAX // FIXME?
} else {
numReady := int32(n)
if readyFds != 0 {
u.StrucAt(readyFds).Pack(numReady)
}
}
case 7: // random
tmp := make([]byte, args[1])
rand.Read(tmp)
u.MemWrite(args[0], tmp)
writeAddr(u, args[2], args[1])
}
u.RegWrite(uc.X86_REG_EAX, ret)
}
func StackInit(u models.Usercorn, args, env []string, auxv []byte) error {
if _, err := u.Push(0); err != nil {
return err
}
if len(args) > 0 {
if _, err := u.PushBytes([]byte(args[0] + "\x00")); err != nil {
return err
}
}
// push argv and envp strings
envp, err := pushStrings(u, env...)
if err != nil {
return err
}
argv, err := pushStrings(u, args...)
if err != nil {
return err
}
// precalc envp -> argc for stack alignment
envpb, err := packAddrs(u, envp)
if err != nil {
return err
}
argvb, err := packAddrs(u, argv)
if err != nil {
return err
}
var tmp [8]byte
argcb, err := u.PackAddr(tmp[:], uint64(len(argv)))
init := append(argcb, argvb...)
init = append(init, envpb...)
// align stack pointer
sp, _ := u.RegRead(u.Arch().SP)
sp &= ^uint64(15)
off := len(init) & 15
if off > 0 {
sp -= uint64(16 - off)
}
u.RegWrite(u.Arch().SP, sp)
// auxv
if len(auxv) > 0 {
if _, err := u.PushBytes(auxv); err != nil {
return err
}
}
// write envp -> argc
u.PushBytes(init)
return err
}
func DarwinSyscall(u models.Usercorn) {
rax, _ := u.RegRead(uc.X86_REG_RAX)
name, _ := num.Darwin_x86_mach[int(rax)]
ret, _ := u.Syscall(int(rax), name, common.RegArgs(u, AbiRegs))
u.RegWrite(uc.X86_REG_RAX, ret)
}
func LinuxSyscall(u models.Usercorn, num int) {
name, _ := sysnum.Linux_arm[int(num)]
ret, _ := u.Syscall(int(num), name, common.RegArgs(u, LinuxRegs))
u.RegWrite(uc.ARM64_REG_X0, ret)
}
func LinuxSyscall(u models.Usercorn) {
rax, _ := u.RegRead(uc.X86_REG_RAX)
name, _ := num.Linux_x86_64[int(rax)]
ret, _ := u.Syscall(int(rax), name, common.RegArgs(u, AbiRegs))
u.RegWrite(uc.X86_REG_RAX, ret)
}
func CgcSyscall(u models.Usercorn) {
eax, _ := u.RegRead(uc.X86_REG_EAX)
name, _ := cgcSysNum[int(eax)]
ret, _ := u.Syscall(int(eax), name, co.RegArgs(u, LinuxRegs))
u.RegWrite(uc.X86_REG_EAX, ret)
}
func setupTraps(u models.Usercorn, kernel *ArmLinuxKernel) error {
// handle arm kernel traps
// https://www.kernel.org/doc/Documentation/arm/kernel_user_helpers.txt
if err := u.MemMap(0xffff0000, 0x10000); err != nil {
return err
}
for addr := 0; addr < 0x10000; addr += 4 {
// write "bx lr" to all kernel trap addresses so they will return
bxlr := []byte{0x1e, 0xff, 0x2f, 0xe1}
if err := u.MemWrite(0xffff0000+uint64(addr), bxlr); err != nil {
return err
}
}
_, err := u.HookAdd(uc.HOOK_CODE, func(_ uc.Unicorn, addr uint64, size uint32) {
switch addr {
case 0xffff0fa0:
// __kuser_memory_barrier
// *shrug*
case 0xffff0f60:
// __kuser_cmpxchg64
// TODO: DRY possible here?
oldval, _ := u.RegRead(uc.ARM_REG_R0)
newval, _ := u.RegRead(uc.ARM_REG_R1)
ptr, _ := u.RegRead(uc.ARM_REG_R2)
var tmp [8]byte
var status uint64
if err := u.MemReadInto(tmp[:], ptr); err != nil {
// error
} else if u.ByteOrder().Uint64(tmp[:]) == oldval {
u.ByteOrder().PutUint64(tmp[:], newval)
u.MemWrite(ptr, tmp[:])
status = 1
}
u.RegWrite(uc.ARM_REG_R0, status)
case 0xffff0fc0:
// __kuser_cmpxchg
// TODO: would this throw a segfault?
// TODO: flags are not set
oldval, _ := u.RegRead(uc.ARM_REG_R0)
newval, _ := u.RegRead(uc.ARM_REG_R1)
ptr, _ := u.RegRead(uc.ARM_REG_R2)
var tmp [4]byte
var status uint64
if err := u.MemReadInto(tmp[:], ptr); err != nil {
// error
} else if u.UnpackAddr(tmp[:]) == oldval {
u.PackAddr(tmp[:], newval)
u.MemWrite(ptr, tmp[:])
status = 1
}
u.RegWrite(uc.ARM_REG_R0, status)
case 0xffff0fe0:
// __kuser_get_tls
u.RegWrite(uc.ARM_REG_R0, kernel.tls)
case 0xffff0ffc:
// __kuser_helper_version
u.RegWrite(uc.ARM_REG_R0, 2)
default:
panic(fmt.Sprintf("unsupported kernel trap: 0x%x\n", addr))
}
}, 0xffff0000, 0xffffffff)
if err != nil {
return err
}
return nil
}