Merge branch 'master' into memleak2

2016-02-15 15:52:10 +08:00
parent b6897e2015 0190d359c6
commit b69feb8d0b
26 changed files with 1117 additions and 91 deletions
--- a/tests/regress/Makefile
+++ b/tests/regress/Makefile
@@ -37,6 +37,7 @@ TESTS += mips_branch_likely_issue
 TESTS += hook_extrainvoke
 TESTS += sysenter_hook_x86
 TESTS += emu_clear_errors
+TESTS += mem_fuzz

 TESTS += memleak_x86
 TESTS += memleak_arm
--- a/tests/regress/arm_init_input_crash.py
+++ b/tests/regress/arm_init_input_crash.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+# Sample code for ARM of Unicorn. Nguyen Anh Quynh <aquynh@gmail.com>
+# Python sample ported by Loi Anh Tuan <loianhtuan@gmail.com>
+#
+
+
+from __future__ import print_function
+from unicorn import *
+from unicorn.arm_const import *
+
+
+# code to be emulated
+ARM_CODE   = "\x37\x00\xa0\xe3\x03\x10\x42\xe0" # mov r0, #0x37; sub r1, r2, r3
+THUMB_CODE = "\x83\xb0" # sub    sp, #0xc
+# memory address where emulation starts
+ADDRESS    = 0xF0000000
+
+
+# callback for tracing basic blocks
+def hook_block(uc, address, size, user_data):
+    print(">>> Tracing basic block at 0x%x, block size = 0x%x" %(address, size))
+
+
+# callback for tracing instructions
+def hook_code(uc, address, size, user_data):
+    print(">>> Tracing instruction at 0x%x, instruction size = %u" %(address, size))
+
+
+# Test ARM
+def test_arm():
+    print("Emulate ARM code")
+    try:
+        # Initialize emulator in ARM mode
+        mu = Uc(UC_ARCH_ARM, UC_MODE_ARM)
+        
+        mem_size = 2 * (1024 * 1024)
+        mu.mem_map(ADDRESS, mem_size)
+        
+        stack_address = ADDRESS + mem_size
+        stack_size =  stack_address         # >>> here huge memory size
+        mu.mem_map(stack_address, stack_size)
+
+        # write machine code to be emulated to memory
+        mu.mem_write(ADDRESS, ARM_CODE)
+
+        # initialize machine registers
+        mu.reg_write(UC_ARM_REG_R0, 0x1234)
+        mu.reg_write(UC_ARM_REG_R2, 0x6789)
+        mu.reg_write(UC_ARM_REG_R3, 0x3333)
+
+        # tracing all basic blocks with customized callback
+        mu.hook_add(UC_HOOK_BLOCK, hook_block)
+
+        # tracing all instructions with customized callback
+        mu.hook_add(UC_HOOK_CODE, hook_code)
+
+        # emulate machine code in infinite time
+        mu.emu_start(ADDRESS, ADDRESS + len(ARM_CODE))
+
+        # now print out some registers
+        print(">>> Emulation done. Below is the CPU context")
+
+        r0 = mu.reg_read(UC_ARM_REG_R0)
+        r1 = mu.reg_read(UC_ARM_REG_R1)
+        print(">>> R0 = 0x%x" %r0)
+        print(">>> R1 = 0x%x" %r1)
+
+    except UcError as e:
+        print("ERROR: %s" % e)
+
+
+def test_thumb():
+    print("Emulate THUMB code")
+    try:
+        # Initialize emulator in thumb mode
+        mu = Uc(UC_ARCH_ARM, UC_MODE_THUMB)
+
+        # map 2MB memory for this emulation
+        mu.mem_map(ADDRESS, 2 * 1024 * 1024)
+
+        # write machine code to be emulated to memory
+        mu.mem_write(ADDRESS, THUMB_CODE)
+
+        # initialize machine registers
+        mu.reg_write(UC_ARM_REG_SP, 0x1234)
+
+        # tracing all basic blocks with customized callback
+        mu.hook_add(UC_HOOK_BLOCK, hook_block)
+
+        # tracing all instructions with customized callback
+        mu.hook_add(UC_HOOK_CODE, hook_code)
+
+        # emulate machine code in infinite time
+        mu.emu_start(ADDRESS, ADDRESS + len(THUMB_CODE))
+
+        # now print out some registers
+        print(">>> Emulation done. Below is the CPU context")
+
+        sp = mu.reg_read(UC_ARM_REG_SP)
+        print(">>> SP = 0x%x" %sp)
+
+    except UcError as e:
+        print("ERROR: %s" % e)
+
+
+if __name__ == '__main__':
+    test_arm()
+    print("=" * 20)
+    test_thumb() 
--- a/tests/regress/mem_fuzz.c
+++ b/tests/regress/mem_fuzz.c
@@ -0,0 +1,119 @@
+#define __STDC_FORMAT_MACROS
+#include <inttypes.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <unicorn/unicorn.h>
+
+
+uint64_t baseranges[] = {0,0,0,0};
+int step =0;
+
+uint64_t urnd(){
+  uint64_t rnd = rand();
+  rnd = rnd << 32;
+  rnd += rand();
+  return rnd;
+}
+uint64_t get_addr(){
+  uint64_t base = ((uint64_t)urnd())%4;
+  uint64_t addr= baseranges[base] + urnd()%(4096*10);
+  return addr;
+}
+
+uint64_t get_aligned_addr(){
+  uint64_t addr = get_addr();
+  return addr - (addr % 4096);
+}
+
+uint64_t get_len(){
+  uint64_t len = (urnd() % (4096*5))+1;
+  return len;
+}
+
+uint64_t get_aligned_len(){
+  uint64_t len = get_len();
+  len = len - (len %4096);
+  len = ((len == 0) ? 4096 : len);
+  return len;
+}
+
+void perform_map_step(uc_engine *uc){
+    uint64_t addr = get_aligned_addr();
+    uint64_t len = get_aligned_len();
+    printf("map(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
+    uc_mem_map(uc, addr, len, UC_PROT_READ | UC_PROT_WRITE);
+}
+
+void perform_unmap_step(uc_engine *uc){
+    uint64_t addr = get_aligned_addr();
+    uint64_t len = get_aligned_len();
+    printf("unmap(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
+    uc_mem_unmap(uc, addr, len);
+}
+
+void perform_write_step(uc_engine *uc){
+    char* buff[4096*4];
+    memset(buff, 0, 4096*4);
+    uint64_t addr = get_addr();
+    uint64_t len = get_len()%(4096*3);
+    printf("write(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
+    uc_mem_write(uc, addr, buff, len);
+}
+
+void perform_read_step(uc_engine *uc){
+    char* buff[4096*4];
+    uint64_t addr = get_addr();
+    uint64_t len = get_len()%(4096*3);
+    printf("read(uc,0x%"PRIx64",0x%"PRIx64"); //%d\n", addr, len, step);
+    uc_mem_read(uc, addr, buff, len);
+}
+
+void perform_fuzz_step(uc_engine *uc){
+  switch( ((uint32_t)rand())%4 ){
+    case 0: perform_map_step(uc); break;
+    case 1: perform_unmap_step(uc); break;
+    case 2: perform_read_step(uc); break;
+    case 3: perform_write_step(uc); break;
+  }
+}
+
+int main(int argc, char **argv, char **envp)
+{
+    uc_engine *uc;
+    uc_hook trace1, trace2;
+    uc_err err;
+    if(argc<2){
+      printf("usage: mem_fuzz $seed\n");
+      return 1;
+    }
+    int seed = atoi(argv[1]); 
+    int i = 0;
+
+    //don't really care about quality of randomness
+    srand(seed);
+    printf("running with seed %d\n",seed);
+
+    // Initialize emulator in X86-32bit mode
+    err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc);
+    if (err) {
+        printf("Failed on uc_open() with error returned: %u\n", err);
+        return 1;
+    } 
+
+    for(i = 0; i < 2048; i++){
+      step++;
+      perform_fuzz_step(uc);
+    }
+    // fill in sections that shouldn't get touched
+
+    if (uc_close(uc) != UC_ERR_OK) {
+        printf("Failed on uc_close\n");
+        return 1;
+    }
+
+    return 0;
+}
--- a/tests/regress/mov_gs_eax.py
+++ b/tests/regress/mov_gs_eax.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python
+
+from unicorn import *
+from unicorn.x86_const import *
+
+import regress
+
+class VldrPcInsn(regress.RegressTest):
+
+    def runTest(self):
+        uc = Uc(UC_ARCH_X86, UC_MODE_32)
+        uc.mem_map(0x1000, 0x1000)
+        # mov gs, eax; mov eax, 1
+        code = '8ee8b801000000'.decode('hex')
+        uc.mem_write(0x1000, code)
+
+        uc.reg_write(UC_X86_REG_EAX, 0xFFFFFFFF)
+        # this should throw an error
+        # the eax test is just to prove the second instruction doesn't execute
+        try:
+            uc.emu_start(0x1000, len(code))
+        except UcError:
+            return
+        self.assertEqual(uc.reg_read(UC_X86_REG_EAX), 1)
+
+if __name__ == '__main__':
+    regress.main()