lazymio/unicorn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove hack to copy function body

Browse Source
This commit is contained in:
mio
2025-03-05 16:49:25 +08:00
parent 4dc5f1e60f
commit 088c066c59
1 changed files with 5 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
tests/unit/test_ctl.c
View File

@@ -262,8 +262,6 @@ static void test_uc_ctl_arm_cpu(void)
static void test_uc_hook_cached_cb(uc_engine *uc, uint64_t addr, size_t size, static void test_uc_hook_cached_cb(uc_engine *uc, uint64_t addr, size_t size,
void *user_data) void *user_data)
{ {
// Don't add any TEST_CHECK here since we can't refer to the global variable
// here.
uint64_t *p = (uint64_t *)user_data; uint64_t *p = (uint64_t *)user_data;
(*p)++; (*p)++;
return; return;
@@ -276,26 +274,10 @@ static void test_uc_hook_cached_uaf(void)
char code[] = "\x41\x4a\xeb\x00\x90"; char code[] = "\x41\x4a\xeb\x00\x90";
uc_hook h; uc_hook h;
uint64_t count = 0; uint64_t count = 0;
#ifndef _WIN32
// Apple Silicon does not allow RWX pages.
void *callback = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
TEST_CHECK(callback != (void *)-1);
#else
void *callback = VirtualAlloc(NULL, 4096, MEM_RESERVE | MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
TEST_CHECK(callback != NULL);
#endif
memcpy(callback, (void *)test_uc_hook_cached_cb, 4096);
#ifndef _WIN32
TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_EXEC) == 0);
#endif
uc_common_setup(&uc, UC_ARCH_X86, UC_MODE_32, code, sizeof(code) - 1); uc_common_setup(&uc, UC_ARCH_X86, UC_MODE_32, code, sizeof(code) - 1);
OK(uc_hook_add(uc, &h, UC_HOOK_CODE, (void *)callback, (void *)&count, 1, OK(uc_hook_add(uc, &h, UC_HOOK_CODE, (void *)test_uc_hook_cached_cb, (void *)&count, 1,
0)); 0));
OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0)); OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
@@ -306,28 +288,15 @@ static void test_uc_hook_cached_uaf(void)
// This will clear deleted hooks and SHOULD clear cache. // This will clear deleted hooks and SHOULD clear cache.
OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0)); OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
#ifndef _WIN32 // Now hooks are deleted and thus this _should not_ call test_uc_hook_cached_cb anymore.
TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_WRITE) == 0); // If the hook is allocated like from malloc, and the code region is free-ed, this call _shall not_
#endif // call the hook anymore to avoid UAF.
memset(callback, 0, 4096);
#ifndef _WIN32
TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_EXEC) == 0);
#endif
// Now hooks are deleted and thus this will trigger a UAF
OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0)); OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
// Only 4 calls
TEST_CHECK(count == 4); TEST_CHECK(count == 4);
OK(uc_close(uc)); OK(uc_close(uc));
#ifndef _WIN32
munmap(callback, 4096);
#else
VirtualFree(callback, 0, MEM_RELEASE);
#endif
} }
static void test_uc_emu_stop_set_ip_callback(uc_engine *uc, uint64_t address, static void test_uc_emu_stop_set_ip_callback(uc_engine *uc, uint64_t address,