

Use shared ptr on Modes to prevent use-after-free
JonathanSalwan committed Mar 7, 2019
1 parent bbda4ae commit 3f95e54
Showing 31 changed files with 78 additions and 72 deletions.
2 changes: 1 addition & 1 deletion src/libtriton/CMakeLists.txt
Expand Up @@ -29,7 +29,7 @@ if(CMAKE_COMPILER_IS_GNUCXX OR ${CMAKE_CXX_COMPILER_ID} MATCHES "Clang")
endif()
if(${CMAKE_CXX_COMPILER_ID} MATCHES "Clang" AND ASAN)
MESSAGE("-- Compiling with ASAN")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -fsanitize=address -shared-libasan")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g3 -ggdb3 -fsanitize=address -shared-libasan")
set(LIBTRITON_KIND_LINK SHARED)
endif()
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-stack-protector -fomit-frame-pointer -fno-strict-aliasing")
10 changes: 6 additions & 4 deletions src/libtriton/api/api.cpp
Expand Up @@ -225,7 +225,8 @@ Note that only the version `71313` of Pin is supported.

namespace triton {

API::API() : callbacks(*this), arch(&this->callbacks), modes() {
API::API() : callbacks(*this), arch(&this->callbacks) {
this->modes = std::make_shared<triton::modes::Modes>();
this->astCtxt = std::make_shared<triton::ast::AstContext>(this->modes);
}

Expand Down Expand Up @@ -462,13 +463,14 @@ namespace triton {

this->astCtxt = nullptr;
this->irBuilder = nullptr;
this->modes = nullptr;
this->solver = nullptr;
this->symbolic = nullptr;
this->taint = nullptr;
}

// Use default modes.
this->modes = triton::modes::Modes();
this->modes = std::make_shared<triton::modes::Modes>();

// Clean up the ast context
this->astCtxt = std::make_shared<triton::ast::AstContext>(this->modes);
Expand Down Expand Up @@ -609,12 +611,12 @@ namespace triton {
/* Modes API======================================================================================= */

void API::enableMode(triton::modes::mode_e mode, bool flag) {
this->modes.enableMode(mode, flag);
this->modes->enableMode(mode, flag);
}


bool API::isModeEnabled(triton::modes::mode_e mode) const {
return this->modes.isModeEnabled(mode);
return this->modes->isModeEnabled(mode);
}


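Review bot: The `this->modes = nullptr;` added inside the reset block is redundant and opens a null window: `modes` is unconditionally re-created by the `std::make_shared` assignment a few lines below, while the new `enableMode` and `isModeEnabled` dereference `this->modes->` without a check, so any call or exception between those two lines would hit a null shared_ptr. I would drop that line and let the `make_shared` assignment be the only thing that touches `modes`, so the pointer is never null over the object's lifetime. In the constructor, `modes` could likewise be set in the member-initializer list, `modes(std::make_shared<triton::modes::Modes>())`, as `callbacks` and `arch` already are — provided it is declared before `astCtxt` in the class, which is outside this view. The functions enclosing the first two hunks start or end outside the hunks.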
2 changes: 1 addition & 1 deletion src/libtriton/arch/aarch64/aarch64Cpu.cpp
Expand Up @@ -325,7 +325,7 @@ namespace triton {
break;
}

case triton::extlibs::capstone::X86_OP_REG: {
case triton::extlibs::capstone::ARM64_OP_REG: {
triton::arch::Register reg(*this, this->capstoneRegisterToTritonRegister(op->reg));

/* Set Shift type and value */
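Review bot: The corrected `ARM64_OP_REG` label needs a regression test, because the old `X86_OP_REG` label compiled silently: capstone's operand-type enums are unscoped and their `*_OP_REG` members presumably carry the same numeric value, so neither the compiler nor any runtime check would flag a mismatched label here or in the neighbouring cases. A short unit test that decodes an AArch64 instruction with a register operand and asserts on the decoded operand type is the only durable guard. A comment above the switch would also help the next reader, e.g. `/* capstone enums are unscoped: only ARM64_OP_* labels belong in this switch */`. The enclosing switch and function start outside the hunk.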
6 changes: 3 additions & 3 deletions src/libtriton/arch/irBuilder.cpp
Expand Up @@ -22,7 +22,7 @@ namespace triton {
namespace arch {

IrBuilder::IrBuilder(triton::arch::Architecture* architecture,
triton::modes::Modes& modes,
const triton::modes::SharedModes& modes,
const triton::ast::SharedAstContext& astCtxt,
triton::engines::symbolic::SymbolicEngine* symbolicEngine,
triton::engines::taint::TaintEngine* taintEngine)
Expand Down Expand Up @@ -161,7 +161,7 @@ namespace triton {
* execution only on symbolized expressions, we delete all
* concrete expressions and their AST nodes.
*/
if (this->symbolicEngine->isEnabled() && this->modes.isModeEnabled(triton::modes::ONLY_ON_SYMBOLIZED)) {
if (this->symbolicEngine->isEnabled() && this->modes->isModeEnabled(triton::modes::ONLY_ON_SYMBOLIZED)) {
/* Clear memory operands */
this->collectUnsymbolizedNodes(inst.operands);

Expand Down Expand Up @@ -198,7 +198,7 @@ namespace triton {
* execution only on tainted instructions, we delete all
* expressions untainted and their AST nodes.
*/
else if (this->modes.isModeEnabled(triton::modes::ONLY_ON_TAINTED) && !inst.isTainted()) {
else if (this->modes->isModeEnabled(triton::modes::ONLY_ON_TAINTED) && !inst.isTainted()) {
/* Memory operands */
this->collectNodes(inst.operands);

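Review bot: The fix only holds if the member that receives the new `const triton::modes::SharedModes& modes` parameter is stored by value (`triton::modes::SharedModes modes;`) rather than as a reference to the caller's pointer — the header is not in this view, so I cannot confirm it. A member of type `const SharedModes&` would keep the `Modes` object alive only as long as the `API` member it refers to, and a reference bound to a temporary at the call site would dangle immediately, reintroducing the use-after-free this commit is meant to remove. The same check applies to `x86Semantics`, `AstContext` and `PathManager`, which take the same parameter in this commit. The constructor body continues outside the hunk.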
4 changes: 2 additions & 2 deletions src/libtriton/arch/x86/x86Semantics.cpp
Expand Up @@ -328,7 +328,7 @@ namespace triton {
x86Semantics::x86Semantics(triton::arch::Architecture* architecture,
triton::engines::symbolic::SymbolicEngine* symbolicEngine,
triton::engines::taint::TaintEngine* taintEngine,
triton::modes::Modes& modes,
const triton::modes::SharedModes& modes,
const triton::ast::SharedAstContext& astCtxt) : modes(modes), astCtxt(astCtxt) {

this->architecture = architecture;
Expand Down Expand Up @@ -710,7 +710,7 @@ namespace triton {


void x86Semantics::undefined_s(triton::arch::Instruction& inst, const triton::arch::Register& reg) {
if (this->modes.isModeEnabled(triton::modes::CONCRETIZE_UNDEFINED_REGISTERS)) {
if (this->modes->isModeEnabled(triton::modes::CONCRETIZE_UNDEFINED_REGISTERS)) {
this->symbolicEngine->concretizeRegister(reg);
}
/* Tell that the instruction defines a register as undefined and untaint */
28 changes: 14 additions & 14 deletions src/libtriton/ast/astContext.cpp
Expand Up @@ -18,7 +18,7 @@
namespace triton {
namespace ast {

AstContext::AstContext(triton::modes::Modes& modes)
AstContext::AstContext(const triton::modes::SharedModes& modes)
: modes(modes) {
}

Expand Down Expand Up @@ -64,7 +64,7 @@ namespace triton {


SharedAbstractNode AstContext::bvadd(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 + A = A */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return expr2;
Expand All @@ -84,7 +84,7 @@ namespace triton {


SharedAbstractNode AstContext::bvand(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 & A = 0 */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return this->bv(0, expr1->getBitvectorSize());
Expand Down Expand Up @@ -116,7 +116,7 @@ namespace triton {


SharedAbstractNode AstContext::bvashr(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 >> A = 0 */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return this->bv(0, expr1->getBitvectorSize());
Expand Down Expand Up @@ -145,7 +145,7 @@ namespace triton {


SharedAbstractNode AstContext::bvlshr(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 >> A = 0 */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return this->bv(0, expr1->getBitvectorSize());
Expand All @@ -169,7 +169,7 @@ namespace triton {


SharedAbstractNode AstContext::bvmul(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 * A = 0 */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return this->bv(0, expr1->getBitvectorSize());
Expand Down Expand Up @@ -225,7 +225,7 @@ namespace triton {


SharedAbstractNode AstContext::bvor(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 | A = A */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return expr2;
Expand Down Expand Up @@ -273,7 +273,7 @@ namespace triton {
*
* bvrol(rot, expr) = ((expr << (rot % size)) | (expr >> (size - (rot % size))))
**/
if (this->modes.isModeEnabled(triton::modes::SYMBOLIZE_INDEX_ROTATION)) {
if (this->modes->isModeEnabled(triton::modes::SYMBOLIZE_INDEX_ROTATION)) {
auto size = expr->getBitvectorSize();
auto bvsize = this->bv(size, size);
auto node = this->bvor(
Expand Down Expand Up @@ -310,7 +310,7 @@ namespace triton {
*
* bvror(rot, expr) = ((value >> (rot % size)) | (value << (size - (rot % size))))
**/
if (this->modes.isModeEnabled(triton::modes::SYMBOLIZE_INDEX_ROTATION)) {
if (this->modes->isModeEnabled(triton::modes::SYMBOLIZE_INDEX_ROTATION)) {
auto size = expr->getBitvectorSize();
auto bvsize = this->bv(size, size);
auto node = this->bvor(
Expand All @@ -331,7 +331,7 @@ namespace triton {


SharedAbstractNode AstContext::bvsdiv(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: A / 1 = A */
if (!expr2->isSymbolized() && expr2->evaluate() == 1)
return expr1;
Expand Down Expand Up @@ -365,7 +365,7 @@ namespace triton {


SharedAbstractNode AstContext::bvshl(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: 0 << A = 0 */
if (!expr1->isSymbolized() && expr1->evaluate() == 0)
return this->bv(0, expr1->getBitvectorSize());
Expand Down Expand Up @@ -425,7 +425,7 @@ namespace triton {


SharedAbstractNode AstContext::bvsub(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: A - 0 = A */
if (!expr2->isSymbolized() && expr2->evaluate() == 0)
return expr1;
Expand Down Expand Up @@ -458,7 +458,7 @@ namespace triton {


SharedAbstractNode AstContext::bvudiv(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: A / 1 = A */
if (!expr2->isSymbolized() && expr2->evaluate() == 1)
return expr1;
Expand Down Expand Up @@ -528,7 +528,7 @@ namespace triton {


SharedAbstractNode AstContext::bvxor(const SharedAbstractNode& expr1, const SharedAbstractNode& expr2) {
if (this->modes.isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
if (this->modes->isModeEnabled(triton::modes::AST_OPTIMIZATIONS)) {
/* Optimization: A ^ 0 = A */
if (!expr2->isSymbolized() && expr2->evaluate() == 0)
return expr1;
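Review bot: `AstContext::AstContext` accepts a null `SharedModes` silently, and every builder in this file (`bvadd`, `bvand`, `bvashr`, …) then dereferences `this->modes->isModeEnabled(...)` without a check, so a null pointer surfaces as a crash deep inside AST construction rather than at the constructor. A one-line guard in the constructor, `if (!modes) throw <ast exception type>("AstContext::AstContext(): modes cannot be null.");`, would localise the failure; the exception class this file throws elsewhere is not visible in the hunk, so use the one it already uses. This is worth having because `API` in the same commit sets its `modes` to `nullptr` before rebuilding it.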
4 changes: 2 additions & 2 deletions src/libtriton/ast/z3/z3ToTritonAst.cpp
Expand Up @@ -16,8 +16,8 @@
namespace triton {
namespace ast {

Z3ToTritonAst::Z3ToTritonAst(const SharedAstContext& astCtxt) {
this->astCtxt = astCtxt;
Z3ToTritonAst::Z3ToTritonAst(const SharedAstContext& astCtxt)
: astCtxt(astCtxt) {
}


2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyAstContext.cpp
Expand Up @@ -1585,7 +1585,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)AstContext_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
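Review bot: Clearing `tp_del` here — and in the sibling `pyAstNode`, `pyBitsVector`, `pyImmediate`, `pyInstruction`, `pyMemoryAccess`, `pyPathConstraint`, `pyRegister`, `pySolverModel`, `SymbolicExpression_dealloc`, `SymbolicVariable_dealloc` and `pyTritonContext` type objects — is only safe if `tp_dealloc`, which is outside the hunk, still points at `AstContext_dealloc`; otherwise the wrapped C++ object is never released. `tp_del` is a deprecated finalizer slot, and if the same release function was registered in both slots a collected object could have its payload freed twice, which would be consistent with the use-after-free in the commit title — that is inferred, not visible here. A comment on the slot would record the reasoning for the next maintainer: `0, /* tp_del: deprecated; release happens in tp_dealloc only */`.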
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyAstNode.cpp
Expand Up @@ -917,7 +917,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)AstNode_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyBitsVector.cpp
Expand Up @@ -190,7 +190,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)BitsVector_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyImmediate.cpp
Expand Up @@ -290,7 +290,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)Immediate_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyInstruction.cpp
Expand Up @@ -773,7 +773,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)Instruction_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyMemoryAccess.cpp
Expand Up @@ -473,7 +473,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)MemoryAccess_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyPathConstraint.cpp
Expand Up @@ -215,7 +215,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)PathConstraint_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyRegister.cpp
Expand Up @@ -397,7 +397,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)Register_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pySolverModel.cpp
Expand Up @@ -194,7 +194,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)SolverModel_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
Expand Up @@ -375,7 +375,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)SymbolicExpression_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
Expand Up @@ -277,7 +277,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)SymbolicVariable_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
2 changes: 1 addition & 1 deletion src/libtriton/bindings/python/objects/pyTritonContext.cpp
Expand Up @@ -2914,7 +2914,7 @@ namespace triton {
0, /* tp_cache */
0, /* tp_subclasses */
0, /* tp_weaklist */
(destructor)TritonContext_dealloc, /* tp_del */
0, /* tp_del */
#if IS_PY3
0, /* tp_version_tag */
0, /* tp_finalize */
12 changes: 5 additions & 7 deletions src/libtriton/engines/symbolic/pathManager.cpp
Expand Up @@ -16,15 +16,13 @@ namespace triton {
namespace engines {
namespace symbolic {

PathManager::PathManager(triton::modes::Modes& modes, const triton::ast::SharedAstContext& astCtxt)
: modes(modes) {
this->astCtxt = astCtxt;
PathManager::PathManager(const triton::modes::SharedModes& modes, const triton::ast::SharedAstContext& astCtxt)
: modes(modes), astCtxt(astCtxt) {
}


PathManager::PathManager(const PathManager& other)
: modes(other.modes) {
this->astCtxt = other.astCtxt;
: modes(other.modes), astCtxt(other.astCtxt) {
this->pathConstraints = other.pathConstraints;
}

Expand Down Expand Up @@ -81,11 +79,11 @@ namespace triton {
throw triton::exceptions::PathManager("PathManager::addPathConstraint(): The PC node cannot be null.");

/* If PC_TRACKING_SYMBOLIC is enabled, Triton will track path constraints only if they are symbolized. */
if (this->modes.isModeEnabled(triton::modes::PC_TRACKING_SYMBOLIC) && !pc->isSymbolized())
if (this->modes->isModeEnabled(triton::modes::PC_TRACKING_SYMBOLIC) && !pc->isSymbolized())
return;

/* If ONLY_ON_TAINTED is enabled and the expression untainted, Triton will skip the storing process. */
if (this->modes.isModeEnabled(triton::modes::ONLY_ON_TAINTED) && !expr->isTainted)
if (this->modes->isModeEnabled(triton::modes::ONLY_ON_TAINTED) && !expr->isTainted)
return;

/* Basic block taken */
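Review bot: The copy constructor now copy-initialises `modes` and `astCtxt` in the initializer list but still assigns `pathConstraints` in the body; since all three members are copyable, either move `pathConstraints(other.pathConstraints)` into the list or replace the whole definition with `PathManager(const PathManager&) = default;` so the two constructors follow one style. Note that a copy shares the same `Modes` and `AstContext` objects with the original (it copies the pointers, not their contents), which is presumably what callers of the copy expect — a one-line comment on the copy constructor stating that would save the next reader from checking. `addPathConstraint` starts outside the hunk.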
