-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to mark memory area read only. Add new API uc_mem_map_ex t… #60
Conversation
…o allow permissions to be passed. Change MemoryBlock to track created MemoryRegions. Add regress/ro_mem_test.c
you do not setup the stack in the sample |
-----BEGIN PGP SIGNED MESSAGE----- Good point. Magic I guess. I will investigate. On 8/26/2015 9:06 PM, Nguyen Anh Quynh wrote:
iEYEARECAAYFAlXejhcACgkQ9zL2pkgLDWmlYgCdG5Q6oRMXPN44Fzzf5BdxVvAA |
few more things:
thanks. |
Will you paste the warnings please? It would help me figure out what compiler options you may henabled that I do not. |
sure, there are the warnings generated by Clang on OSX: https://gist.github.com/aquynh/58f83e579f6d32695e58 |
Note that you will need to decide what to do with the uc_struct.ram field as seems to no longer be needed, but I do not know what your design goal for that field was. |
a question: we can intercept invalid memory access events via hooking, like in thanks. |
Yes, you still receive the hook_mem_invalid callbacks for regions that are not mapped. I will change ro_mem_test to demonstrate by omitting the stack, then mapping it in in the callback. |
no, i mean that if you do not write protect the memory, the emulated code (with MOV instruction) works without any issue. now because you write protect it, MOV will fail. i am asking if you now can intercept this failure with |
Ah ok, let me test |
The answer is that no error condition is recognized in uc_emu_start. So, while the memory is in fact read only, no signal is propagating out of uc_emu_start, so it will need its own detection and error code |
This should probably be detected at the same places memory writes are detected in the softmmu. The big question is whether you want to overload the meaning of UC_ERR_MEM_WRITE which currently means that a write outside a mapped region occurred, or do you want to introduce a new error type or new uc_mem_type value. I think a new uc_mem_type such as UC_MEM_WRITE_RO might work. |
yes adding that new error code sounds OK. |
why use uc_mem_map_ex? what’s the meaning of that “ex” suffix suposed to be? imho _prot or _perm sounds better to me for that purpose.
|
i think "ex" here means "extended". this is the typical way to name API in Windows platform, when they want to extend the existing API to add more features/functionalities. since we do not need to worry backward compatibility, we can think about extending the original |
+1 for adding one parameter for it, but then we will need another function to change those permissions after the map is allocated.
|
The general idea is that uc_mem_map_ex would supersede uc_mem_map, hence the nearly identical name. I need to get it all working cleanly first. Once that happens, I have every intention of adding a uc_mprotect and a uc_munmap. |
why not follow the standard naming as uc_mem_protect() and uc_mem_unmap() ?
|
…lity on write to read only. Add new error type UC_ERR_MEM_WRITE_RO and new access type UC_MEM_WRITE_RO for use in callback
That is fine with me I will use those names when I get over the basic read only memory implementation |
we also need to put thanks. |
another issue with btw, it would be nice if you open another branch, and issue another PR for thanks. |
Regarding uc_mem_protect, it needs more research to figure out how to split MemoryRegions with the qemu api, until then, it would be necessary to force changing permissions on entire blocks only to at least stub out an API that people can work on |
two functions another thing: so far we can deal with the case of writing to read-only memory. do we need to also handle the case of reading from memory with no permission? is there such a case, when we map memory with 0 permission - no RWX at all? thanks. |
I have no idea what happens when a region of memory is mapped with no
read permission. I could code up a test to see how linux behaves, but
this case makes no sense to me. it might make sense in the case of a
memory mapped file that is write only, but the unicorn API does not deal
with mapped files. How is mapped memory useful if it can't be read?
|
@cseagle Well normally I would say it is useful to trigger a trap when that memory is accessed, so you can do different things. However in this case, we already have the memory read hook, so allowing non-readable memory might not be useful in unicorn. |
this is just a question to make sure we handle all the corner cases. it is trivial to implement, anyway. if you do not want this situation, then |
Ok now it rejects reads from non-readable regions |
i merged this with some minor fixes into a new branch "mem_map_ex". will look closer before merging it to the "master" branch. thanks. |
i feel that how about these names instead: thanks. |
If we add an execute but in the future then the memory is not nessarily RO
|
Why not follow the
|
I followed those conventions exactly. This is in respect to what to name
the error values that are used to indicate that execution terminated due
to, for example, a read from a read only location. I elected
UC_ERR_MEM_WRITE_NR for now, but the suggestion is to change that to
UC_ERR_MEM_WRITE_WO which I countered earlier. The permissions
themselves are UC_PROT_READ, UC_PROT_WRITE, and soon hopefully UC_PROT_EXEC.
|
printf("BEGIN execution - 2\n"); | ||
uint32_t eax = 0x40002C; | ||
uc_reg_write(handle, UC_X86_REG_EAX, &eax); | ||
err = uc_emu_start(handle, 0x400015, 0x400000 + sizeof(PROGRAM), 0, 2); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is this 0x400015 here? do you really mean 0x400000 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seems you want to start from mov dword ptr [eax], 0x87654321
. some more comments in the source should be helpful here.
To amplify, when UC_PROT_EXEC becomes possible, there will be 8 possible
combinations of permissions. Exactly 1 of those 8 will be RO, 1 will be
WO and one will be XO, yet 4 will be NX, 4 will be NR, and 4 will be NW.
Since you tend to be pedantic, NX, NR, and NW are the correct ways to
refer to missing X, R, or W permissions.
|
these error code are starting to get ugly. perhaps we should keep them simple to be just UC_ERR_MEM_WRITE & UC_ERR_MEM_READ ? |
@cseagle I missed the |
I have no problem with that either. It does make it harder for the
|
merged this into master branch, thanks! now lets rename |
now lets rename |uc_mem_map_ex()| to |uc_mem_map| to support memory
permission at mapping time?
Happy to do that, but I would socialize the change as it will break
everyone's code the minute we do it.
|
please go ahead doing that as soon as you can. i can fix the Python binding right after this change. |
Add ability to mark memory area read only. Add new API uc_mem_map_ex to allow permissions to be passed. Change MemoryBlock to track created MemoryRegions. Add regress/ro_mem_test.c
This also solves the memory leak issue on uc->ram because now all MemoryRegion allocations are tracked in the uc->mapped_blocks array.