Exemple #1
0
void MemoryTracer::traceDataMemoryAccess(S2EExecutionState *state,
                               klee::ref<klee::Expr> &address,
                               klee::ref<klee::Expr> &hostAddress,
                               klee::ref<klee::Expr> &value,
                               bool isWrite, bool isIO)
{
    if (m_catchAbove || m_catchBelow) {
        if (m_catchAbove && (m_catchAbove >= state->getPc())) {
            return;
        }
        if (m_catchBelow && (m_catchBelow < state->getPc())) {
            return;
        }
    }

    bool isAddrCste = isa<klee::ConstantExpr>(address);
    bool isValCste = isa<klee::ConstantExpr>(value);
    bool isHostAddrCste = isa<klee::ConstantExpr>(hostAddress);

    //Output to the trace entry here
    ExecutionTraceMemory e;
    e.flags = 0;
    e.pc = state->getPc();

    uint64_t concreteAddress = 0xdeadbeef;
    uint64_t concreteValue = 0xdeadbeef;
    if (ConcolicMode) {
        klee::ref<klee::ConstantExpr> ce = dyn_cast<klee::ConstantExpr>(state->concolics.evaluate(address));
        concreteAddress = ce->getZExtValue();

        ce = dyn_cast<klee::ConstantExpr>(state->concolics.evaluate(value));
        concreteValue = ce->getZExtValue();
    }

    e.address = isAddrCste ? cast<klee::ConstantExpr>(address)->getZExtValue(64) : concreteAddress;
    e.value = isValCste ? cast<klee::ConstantExpr>(value)->getZExtValue(64) : concreteValue;
    e.size = klee::Expr::getMinBytesForWidth(value->getWidth());
    e.flags = isWrite*EXECTRACE_MEM_WRITE |
                 isIO*EXECTRACE_MEM_IO;

    e.hostAddress = isHostAddrCste ? cast<klee::ConstantExpr>(hostAddress)->getZExtValue(64) : 0xDEADBEEF;

    if (m_traceHostAddresses) {
        e.flags |= EXECTRACE_MEM_HASHOSTADDR;
        e.flags |= EXECTRACE_MEM_OBJECTSTATE;

        klee::ObjectPair op = state->addressSpace.findObject(e.hostAddress & S2E_RAM_OBJECT_MASK);
        e.concreteBuffer = 0;
        if (op.first && op.second) {
            e.concreteBuffer = (uint64_t) op.second->getConcreteStore();
            if (isWrite && m_debugObjectStates) {
                assert(state->addressSpace.isOwnedByUs(op.second));
            }
        }
    }

    if (!isAddrCste) {
       e.flags |= EXECTRACE_MEM_SYMBADDR;
    }

    if (!isValCste) {
       e.flags |= EXECTRACE_MEM_SYMBVAL;
    }

    if (!isHostAddrCste) {
       e.flags |= EXECTRACE_MEM_SYMBHOSTADDR;
    }

    unsigned strucSize = sizeof(e);
    if (!(e.flags & EXECTRACE_MEM_HASHOSTADDR) && !(e.flags & EXECTRACE_MEM_OBJECTSTATE)) {
        strucSize -= (sizeof(e.hostAddress) + sizeof(e.concreteBuffer));
    }

    m_tracer->writeData(state, &e, sizeof(e), TRACE_MEMORY);
}
Exemple #2
0
bool MemoryManager::check___kmalloc_size(klee::ref<klee::Expr> size, S2EExecutionState *state)
{
	bool isok = true;
	//size具体值
	if (isa<klee::ConstantExpr>(size))
	{
		int value = cast<klee::ConstantExpr>(size)->getZExtValue();
		if (value <= 0 || value >= 0xf0000)
		{
			s2e()->getWarningsStream() << "============================================================" << '\n';
			s2e()->getWarningsStream() << "BUG: __kmalloc [Size <= 0||Size >= 0xf0000] Size: " << value << '\n';
			state->dumpStack(5);  //print the 5 stackframe addbyxqx
			s2e()->getWarningsStream() << "============================================================" << '\n';
			//打印完整路径约束
			printConstraintExpr(state);
			if(m_terminateOnBugs)
			{
				s2e()->getExecutor()->terminateStateEarly(*state, "Killed by MemoryManager: __kmalloc size is not valid\n");
			}
			isok = false;
			
		}
	}
	//如果size是符号值
	else
	{
		bool isTrue;
		//求解出size=0的时候外界的输入是多少,也就是外界传入什么值的时候可以造成size会为=0
		isTrue = false;
		//klee::ref<klee::Expr> cond = klee::SleExpr::create(size, 
		klee::ref<klee::Expr> cond = klee::EqExpr::create(size, 
									 klee::ConstantExpr::create( 0, size.get()->getWidth()));
		if (!(s2e()->getExecutor()->getSolver()->mayBeTrue(klee::Query(state->constraints, cond), isTrue))) { 
			s2e()->getWarningsStream() << "failed to assert the condition" << '\n';
			return false;
		}

		ConcreteInputs inputs;
		ConcreteInputs::iterator it; 
		
		if (isTrue) {
			//ConcreteInputs inputs;
			//ConcreteInputs::iterator it; 
			
			//把state的正确约束保存到constraints_before
			klee::ConstraintManager constraints_before(state->constraints);
			klee::ConstraintManager *tmp_constraints;
			tmp_constraints = &state->constraints;
			
			//*****************************************输入值求解***********************************************
			s2e()->getExecutor()->addConstraint(*state, cond);
			s2e()->getExecutor()->getSymbolicSolution(*state, inputs);
			
			s2e()->getWarningsStream() << "======================================================" << '\n';
			//s2e()->getWarningsStream() << "BUG:on this condition __kmalloc size will <= 0" << '\n';
			s2e()->getWarningsStream() << "BUG:on this condition __kmalloc size will = 0" << '\n';
			s2e()->getWarningsStream() << "Condition: " << '\n';
			
			for (it = inputs.begin(); it != inputs.end(); ++it) {
				const VarValuePair &vp = *it;
				s2e()->getWarningsStream() << vp.first << " : ";
				for (unsigned i=0; i<vp.second.size(); ++i) {
					s2e()->getWarningsStream() << hexval((unsigned char) vp.second[i]) << " ";
				}
				s2e()->getWarningsStream() << '\n';
			}
			
			///added by xyj 05.23
			/*
			for (int i = 0; i < int((state->symbolics).size()); i++)
			{
			  
			 if((state->addressSpace).findObject((state->symbolics[i]).first) == NULL)
			 {
			  s2e()->getMessagesStream() << "没有找到memoryObject对应的objectState"<<'\n';
			  continue;
			 }
			  
			 const klee::ObjectState *ob = (state->addressSpace).findObject((state->symbolics[i]).first);
			  
			 uint64_t address_par = state->symbolics[i].first->address;
			 unsigned size_par = state->symbolics[i].first->size;
			  
			 for (int j = 0; j < size_par; j++)
			 {
			  klee::ref<klee::Expr> para = state->readMemory(address_par+j,1);
			  cond = klee::NeExpr::create(para, 
				  klee::ConstantExpr::create(uint64_t(inputs[i].second[j]), para.get()->getWidth()));	
			  if (!(s2e()->getExecutor()->getSolver()->mayBeTrue(klee::Query(state->constraints, cond), isTrue))) 
			  { 
			   s2e()->getMessagesStream() << "failed to assert the condition" << '\n';
			   return false;
			  }
			  //s2e()->getExecutor()->addConstraint(*state, cond);
			 }
			}
			inputs.clear();
			s2e()->getExecutor()->getSymbolicSolution(*state, inputs);
			for (it = inputs.begin(); it != inputs.end(); ++it) {
			 const VarValuePair &vp = *it;
			 s2e()->getMessagesStream() << vp.first << " : ";
			 for (unsigned i=0; i<vp.second.size(); ++i) {
			  s2e()->getMessagesStream() << hexval((unsigned char) vp.second[i]) << " ";
			 }
			 s2e()->getMessagesStream() << '\n';
			}
			*/
			s2e()->getWarningsStream() << "======================================================" << '\n';
			//*********************************************************************************************
			
			//删除修改过的约束;恢复原来的正确约束
			tmp_constraints->empty();
			state->constraints = constraints_before;
			
			//打印完整路径约束
			printConstraintExpr(state);
			
			isok = false;
			if(m_terminateOnBugs)
			{
				//s2e()->getExecutor()->terminateStateEarly(*state, "Killed by MemoryManager: __kmalloc size is not valid[size<=0]\n");
				s2e()->getExecutor()->terminateStateEarly(*state, "Killed by MemoryManager: __kmalloc size is not valid[size=0]\n");
			}
		}
		
		if(m_terminateOnBugs)
		{

			s2e()->getExecutor()->getSymbolicSolution(*state, inputs);

			s2e()->getWarningsStream() << "======================================================" << '\n';
			//s2e()->getWarningsStream() << "BUG:on this condition __kmalloc size will <= 0" << '\n';
			s2e()->getWarningsStream() << "MaybeBUG:on this condition __kmalloc size could be impact" << '\n';
			s2e()->getWarningsStream() << "Condition: " << '\n';

			for (it = inputs.begin(); it != inputs.end(); ++it) {
				const VarValuePair &vp = *it;
				s2e()->getWarningsStream() << vp.first << " : ";
				for (unsigned i=0; i<vp.second.size(); ++i) {
					s2e()->getWarningsStream() << hexval((unsigned char) vp.second[i]) << " ";
				}
				s2e()->getWarningsStream() << '\n';
			}

			s2e()->getWarningsStream() << "=================dumpStack=====================================" << '\n';
			state->dumpStack(5);  //print the 5 stackframe addbyxqx
			s2e()->getWarningsStream() << "======================dumpStack-end================================" << '\n';
			//s2e()->getExecutor()->terminateStateEarly(*state, "Killed by MemoryManager: __kmalloc size is not valid[size<=0]\n");
			s2e()->getExecutor()->terminateStateEarly(*state, "Killed by MemoryManager: __kmalloc size is not valid[size=0]\n");
		}
	}
	return isok;
}
Exemple #3
0
void MemoryTracer::traceDataMemoryAccess(S2EExecutionState *state,
                               klee::ref<klee::Expr> &address,
                               klee::ref<klee::Expr> &hostAddress,
                               klee::ref<klee::Expr> &value,
                               bool isWrite, bool isIO)
{
    if (m_catchAbove || m_catchBelow) {
        if (m_catchAbove && (m_catchAbove >= state->getPc())) {
            return;
        }
        if (m_catchBelow && (m_catchBelow < state->getPc())) {
            return;
        }
    }

    bool isAddrCste = isa<klee::ConstantExpr>(address);
    bool isValCste = isa<klee::ConstantExpr>(value);
    bool isHostAddrCste = isa<klee::ConstantExpr>(hostAddress);

    //Output to the trace entry here
    ExecutionTraceMemory e;
    e.flags = 0;
    e.pc = state->getPc();

    uint64_t concreteAddress = 0xdeadbeef;
    uint64_t concreteValue = 0xdeadbeef;
    if (ConcolicMode) {
        klee::ref<klee::ConstantExpr> ce = dyn_cast<klee::ConstantExpr>(state->concolics.evaluate(address));
        concreteAddress = ce->getZExtValue();

        ce = dyn_cast<klee::ConstantExpr>(state->concolics.evaluate(value));
        concreteValue = ce->getZExtValue();
    }

    e.address = isAddrCste ? cast<klee::ConstantExpr>(address)->getZExtValue(64) : concreteAddress;
    e.value = isValCste ? cast<klee::ConstantExpr>(value)->getZExtValue(64) : concreteValue;
    e.size = klee::Expr::getMinBytesForWidth(value->getWidth());
    e.flags = isWrite*EXECTRACE_MEM_WRITE |
                 isIO*EXECTRACE_MEM_IO;

    e.hostAddress = isHostAddrCste ? cast<klee::ConstantExpr>(hostAddress)->getZExtValue(64) : 0xDEADBEEF;

    if (m_traceHostAddresses) {
        e.flags |= EXECTRACE_MEM_HASHOSTADDR;
    }

    if (!isAddrCste) {
       e.flags |= EXECTRACE_MEM_SYMBADDR;
    }

    if (!isValCste) {
       e.flags |= EXECTRACE_MEM_SYMBVAL;
    }

    if (!isHostAddrCste) {
       e.flags |= EXECTRACE_MEM_SYMBHOSTADDR;
    }

    unsigned strucSize = sizeof(e);
    if (!(e.flags & EXECTRACE_MEM_HASHOSTADDR)) {
       strucSize -= sizeof(e.hostAddress);
    }

    m_tracer->writeData(state, &e, sizeof(e), TRACE_MEMORY);
}