trailofbits · ekilmer · Dec 9, 2022 · Dec 9, 2022 · Nov 16, 2022 · Dec 22, 2022
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,7 @@ on:
 
 env:
   LIEF_VERSION: 0.12.3
+  SLEIGH_VERSION: 10.2.3
 
 jobs:
   coverage:
@@ -28,7 +29,7 @@ jobs:
       run: |
         sudo apt-get install libgmp-dev python3-dev libz3-dev
         wget -O - -c https://github.com/lief-project/LIEF/releases/download/$LIEF_VERSION/LIEF-$LIEF_VERSION-Linux-x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
-        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v10.1.2-2/Linux-sleigh-10.1.2-2.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
+        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v$SLEIGH_VERSION/Linux-sleigh-$SLEIGH_VERSION-1.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
 
     - name: Install LCov
       run: sudo apt-get update -q
@@ -69,7 +70,7 @@ jobs:
         # LIEF
         wget -O- https://github.com/lief-project/LIEF/releases/download/$LIEF_VERSION/LIEF-$LIEF_VERSION-Linux-x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
         # Sleigh
-        wget -O- https://github.com/lifting-bits/sleigh/releases/download/v10.1.2-2/Linux-sleigh-10.1.2-2.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
+        wget -O- https://github.com/lifting-bits/sleigh/releases/download/v$SLEIGH_VERSION/Linux-sleigh-$SLEIGH_VERSION-1.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
         # Z3 Ubuntu 20.04 package doesn't play nice with sanitizers
         # (also remove top-level directory from zip)
         wget -O z3.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.14/z3-4.8.14-x64-glibc-2.31.zip
@@ -79,7 +80,7 @@ jobs:
             f=("${dest}"/*) && sudo mv "${dest}"/*/* "$dest" && sudo rmdir "${f[@]}"
 
     - name: Configure
-      env: { CC: clang-11, CXX: clang++-11 }
+      env: { CC: clang-14, CXX: clang++-14 }
       run: cmake --preset=ci-sanitize -DZ3_ROOT=/opt/z3
 
     - name: Build
@@ -99,6 +100,7 @@ jobs:
 
   test:
     strategy:
+      fail-fast: false
       matrix:
         os: [
           # TODO: windows,
@@ -131,15 +133,15 @@ jobs:
         sudo apt-get install libgmp-dev python3-dev libz3-dev
         python3 -m pip install pytest
         wget -O - -c https://github.com/lief-project/LIEF/releases/download/$LIEF_VERSION/LIEF-$LIEF_VERSION-Linux-x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
-        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v10.1.2-2/Linux-sleigh-10.1.2-2.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
+        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v$SLEIGH_VERSION/Linux-sleigh-$SLEIGH_VERSION-1.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
 
     - name: Install Dependencies
       if: matrix.os == 'macos'
       run: |
-        brew install gmp python3 z3
-        python3 -m pip install pytest
+        brew install gmp z3
+        python3 -m pip install --user pytest
         wget -O - -c https://github.com/lief-project/LIEF/releases/download/$LIEF_VERSION/LIEF-$LIEF_VERSION-Darwin-x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
-        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v10.1.2-2/macOS-sleigh-10.1.2-2.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
+        wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v$SLEIGH_VERSION/macOS-sleigh-$SLEIGH_VERSION-1.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
 
     - name: Configure
       run: cmake --preset=ci-${{ matrix.os }}

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -10,6 +10,7 @@ on:
 
 env:
   LIEF_VERSION: 0.12.3
+  SLEIGH_VERSION: 10.2.3
 
 jobs:
 
@@ -125,7 +126,7 @@ jobs:
           cmake --build z3/build "-j$(sysctl -n hw.logicalcpu)" && cmake --install z3/build --prefix "${{ github.workspace }}/arm64-cross"
 
           # Native sleigh for running the sleigh compiler
-          wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v10.1.2-2/macOS-sleigh-10.1.2-2.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
+          wget -O - -c https://github.com/lifting-bits/sleigh/releases/download/v$SLEIGH_VERSION/macOS-sleigh-$SLEIGH_VERSION-1.x86_64.tar.gz | sudo tar xz -C /usr/local --strip-components=1
 
 
       - name: Build wheels

diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,4 @@ cmake-build-*/
 prefix/
 CMakeLists.txt.user
 CMakeUserPresets.json
+maat_state_*
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -115,7 +115,9 @@ if(maat_USE_EXTERNAL_SLEIGH)
   find_package(sleigh REQUIRED)
 else()
   set(sleigh_ENABLE_TESTS OFF CACHE BOOL "")
+  set(sleigh_BUILD_TOOLS ON CACHE BOOL "")
   add_subdirectory(src/third-party/sleigh/sleigh-cmake sleigh EXCLUDE_FROM_ALL)
+  include("${sleigh_SOURCE_DIR}/cmake/modules/sleighCompile.cmake")
 endif()
 
 target_link_libraries(
@@ -155,15 +157,13 @@ add_custom_command(
 
 # Allow user to override sleigh compiler to support cross-compilation. Default
 # location is the one imported when we found the sleigh package
-if(CMAKE_CROSSCOMPILING)
-  find_program(maat_SLEIGH_COMPILER "sleigh_opt"
-    DOC "Sleigh compiler executable"
-  )
+if(TARGET sleigh::sleigh AND NOT CMAKE_CROSSCOMPILING)
+  set(maat_SLEIGH_COMPILER "$<TARGET_FILE:sleigh::sleigh>" CACHE PATH "Sleigh compiler executable")
+else()
+  find_program(maat_SLEIGH_COMPILER "sleigh" DOC "Sleigh compiler executable")
   if(NOT maat_SLEIGH_COMPILER)
     message(FATAL_ERROR "Maat needs a sleigh compiler. Specify path manually by setting 'maat_SLEIGH_COMPILER'")
   endif()
-else()
-  set(maat_SLEIGH_COMPILER "$<TARGET_FILE:sleigh::sleigh_opt>" CACHE PATH "Sleigh compiler executable")
 endif()
 
 macro(maat_sleigh_compile ARCH_DIR ARCH)

diff --git a/CMakePresets.json b/CMakePresets.json
@@ -50,7 +50,8 @@
       "cacheVariables": {
         "CMAKE_CXX_EXTENSIONS": "OFF",
         "CMAKE_CXX_STANDARD": "17",
-        "CMAKE_CXX_STANDARD_REQUIRED": "ON"
+        "CMAKE_CXX_STANDARD_REQUIRED": "ON",
+        "CMAKE_POSITION_INDEPENDENT_CODE": "ON"
       }
     },
     {

diff --git a/HACKING.md b/HACKING.md
@@ -74,8 +74,8 @@ the project. The following is a real example of a contributor's user preset (ins
       "inherits": ["dev-common", "ci-sanitize"],
       "binaryDir": "${sourceDir}/build/sanitize",
       "cacheVariables": {
-        "CMAKE_CXX_COMPILER": "/usr/local/opt/llvm@13/bin/clang++",
-        "CMAKE_C_COMPILER": "/usr/local/opt/llvm@13/bin/clang"
+        "CMAKE_CXX_COMPILER": "/usr/local/opt/llvm/bin/clang++",
+        "CMAKE_C_COMPILER": "/usr/local/opt/llvm/bin/clang"
       }
     }
   ],

diff --git a/cmake/install-rules.cmake b/cmake/install-rules.cmake
@@ -25,7 +25,7 @@ set(other_maat_targets)
 # Needed only if using vendored library and not building as shared library
 # because sleigh is always a static library
 if(NOT maat_USE_EXTERNAL_SLEIGH AND NOT BUILD_SHARED_LIBS)
-  list(APPEND other_maat_targets sla sleigh_settings)
+  list(APPEND other_maat_targets sleigh_sla)
 endif()
 
 install(

diff --git a/src/expression/expression.cpp b/src/expression/expression.cpp
@@ -2090,7 +2090,10 @@ cst_t cst_mask(size_t size)
     if( size == sizeof(cst_t)*8 )
         return -1;
     else
-        return ((ucst_t)1<<size)-1; 
+        if (size > sizeof(cst_t)*8) {
+            printf("Break here\n");
+        }
+        return ((ucst_t)1<<size)-1;
 }
 
 cst_t cst_sign_extend(size_t size, cst_t c)

diff --git a/src/expression/number.cpp b/src/expression/number.cpp
@@ -228,7 +228,7 @@ void Number::set_add(const Number& n1, const Number& n2)
 {
     size = n1.size;
     if (size <= 64)
-        set_cst(n1.cst_ + n2.cst_);
+        set_cst((ucst_t)n1.cst_ + (ucst_t)n2.cst_);
     else
     {
         mpz_ = n1.mpz_ + n2.mpz_;
@@ -400,7 +400,7 @@ void Number::set_sar(const Number& n1, const Number& n2)
         cst_t tmp;
         if (n2.cst_ >= n1.size)
         {
-            if( n1.cst_ & (0x1 << (n1.size-1)))
+            if( n1.cst_ & ((ucst_t)0x1 << (n1.size-1)))
                 tmp = 0xffffffffffffffff;
             else
                 tmp = 0;

diff --git a/src/memory/memory.cpp b/src/memory/memory.cpp
@@ -2708,7 +2708,7 @@ void MemEngine::write_from_concrete_snapshot(addr_t addr, cst_t val, int nb_byte
             if (_endianness == Endian::LITTLE)
             {
                 segment->write_from_concrete_snapshot(addr, val, bytes_to_write);
-                val = val >> (bytes_to_write*8);
+                val = val >> (bytes_to_write*8 - 1);
             }
             else
             {

diff --git a/src/third-party/sleigh/native/sleigh_interface.cpp b/src/third-party/sleigh/native/sleigh_interface.cpp
@@ -76,7 +76,7 @@ class SimpleLoadImage : public LoadImage
         }
     }
 
-    virtual string getArchType(void) const { return "myload"; }
+    virtual std::string getArchType(void) const { return "myload"; }
     virtual void adjustVma(long adjust) { }
 };
 
@@ -247,7 +247,7 @@ class AssemblyEmitCacher : public AssemblyEmit
 public:
     std::map<uintptr_t, std::string> cache;
 
-    void dump(const Address &addr, const string &mnem, const string &body)
+    void dump(const Address &addr, const std::string &mnem, const std::string &body)
     {
         cache[addr.getOffset()] = mnem + " " + body;
     }
@@ -282,20 +282,23 @@ class AssemblyEmitCacher : public AssemblyEmit
 class TranslationContext
 {
 public:
-    SimpleLoadImage     m_loader;
-    ContextInternal     m_context_internal;
-    DocumentStorage     m_document_storage;
-    Document           *m_document;
-    Element            *m_tags;
-    unique_ptr<Sleigh>  m_sleigh;
-    string              m_register_name_cache;
-    TmpCache            tmp_cache;
-    maat::Arch::Type    arch;
-    AssemblyEmitCacher  asm_cache;
+    SimpleLoadImage          m_loader;
+    ContextInternal          m_context_internal;
+    DocumentStorage          m_document_storage;
+    Document                *m_document;
+    Element                 *m_tags;
+    std::unique_ptr<Sleigh>  m_sleigh;
+    std::string              m_register_name_cache;
+    TmpCache                 tmp_cache;
+    maat::Arch::Type         arch;
+    AssemblyEmitCacher       asm_cache;
     std::unordered_map<uintm, maat::callother::Id> callother_mapping;
 
     TranslationContext(maat::Arch::Type a, const std::string& slafile, const std::string& pspecfile): arch(a)
     {
+        AttributeId::initialize();
+        ElementId::initialize();
+
         if (not loadSlaFile(slafile.c_str()))
         {
             throw runtime_exception(Fmt() << "Sleigh: failed to load slafile: " << slafile >> Fmt::to_str);