angr 9.2.142__py3-none-manylinux2014_x86_64.whl → 9.2.144__py3-none-manylinux2014_x86_64.whl

angr/analyses/cfg/indirect_jump_resolvers/jumptable.py

@@ -1,11 +1,12 @@
 # pylint:disable=wrong-import-position,wrong-import-order
 from __future__ import annotations
 import enum
-from typing import TYPE_CHECKING, Any, Literal, cast
+from typing import TYPE_CHECKING, Literal, cast
 from collections.abc import Sequence
 from collections import defaultdict, OrderedDict
 import logging
 import functools
+import contextlib
 
 import pyvex
 import claripy
@@ -15,7 +16,6 @@ from claripy.annotation import UninitializedAnnotation
 from angr import sim_options as o
 from angr import BP, BP_BEFORE, BP_AFTER
 from angr.misc.ux import once
-from angr.code_location import CodeLocation
 from angr.concretization_strategies import SimConcretizationStrategyAny
 from angr.knowledge_plugins.cfg import IndirectJump, IndirectJumpType
 from angr.engines.vex.claripy import ccall
@@ -26,13 +26,11 @@ from angr.annocfg import AnnotatedCFG
 from angr.exploration_techniques.slicecutor import Slicecutor
 from angr.exploration_techniques.local_loop_seer import LocalLoopSeer
 from angr.exploration_techniques.explorer import Explorer
-from angr.project import Project
 from angr.utils.constants import DEFAULT_STATEMENT
-from angr.analyses.propagator.vex_vars import VEXReg
 from angr.analyses.propagator.top_checker_mixin import ClaripyDataVEXEngineMixin
 from angr.engines.vex.claripy.datalayer import value
 from .resolver import IndirectJumpResolver
-from .propagator_utils import PropagatorLoadCallback
+from .constant_value_manager import ConstantValueManager
 
 try:
     from angr.engines import pcode
@@ -40,7 +38,6 @@ except ImportError:
     pcode = None
 
 if TYPE_CHECKING:
-    from angr import SimState
     from angr.knowledge_plugins import Function
 
 l = logging.getLogger(name=__name__)
@@ -133,101 +130,6 @@ class JumpTargetBaseAddr:
         return self.base_addr is not None
 
 
-#
-# Constant register resolving support
-#
-
-
-class ConstantValueManager:
-    """
-    Manages the loading of registers who hold constant values.
-    """
-
-    __slots__ = (
-        "func",
-        "indirect_jump_addr",
-        "kb",
-        "mapping",
-        "project",
-    )
-
-    def __init__(self, project: Project, kb, func: Function, ij_addr: int):
-        self.project = project
-        self.kb = kb
-        self.func = func
-        self.indirect_jump_addr = ij_addr
-
-        self.mapping: dict[Any, dict[Any, claripy.ast.Base]] | None = None
-
-    def reg_read_callback(self, state: SimState):
-        if self.mapping is None:
-            self._build_mapping()
-            assert self.mapping is not None
-
-        codeloc = CodeLocation(state.scratch.bbl_addr, state.scratch.stmt_idx, ins_addr=state.scratch.ins_addr)
-        if codeloc in self.mapping:
-            reg_read_offset = state.inspect.reg_read_offset
-            if isinstance(reg_read_offset, claripy.ast.BV) and reg_read_offset.op == "BVV":
-                reg_read_offset = reg_read_offset.args[0]
-            variable = VEXReg(reg_read_offset, state.inspect.reg_read_length)
-            if variable in self.mapping[codeloc]:
-                v = self.mapping[codeloc][variable]
-                if isinstance(v, int):
-                    v = claripy.BVV(v, state.inspect.reg_read_length * state.arch.byte_width)
-                state.inspect.reg_read_expr = v
-
-    def _build_mapping(self):
-        # constant propagation
-        l.debug("JumpTable: Propagating for %r at %#x.", self.func, self.indirect_jump_addr)
-
-        # determine blocks to run FCP on
-
-        # - include at most three levels of superblock successors from the entrypoint
-        self.mapping = {}
-        startpoint = self.func.startpoint
-        if startpoint is None:
-            return
-
-        blocks = set()
-        succ_and_levels = [(startpoint, 0)]
-        while succ_and_levels:
-            new_succs = []
-            for node, level in succ_and_levels:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                if node.addr == self.indirect_jump_addr:
-                    # stop at the indirect jump block
-                    continue
-                for _, succ, data in self.func.graph.out_edges(node, data=True):
-                    new_level = level if data.get("type") == "fake_return" else level + 1
-                    if new_level <= 3:
-                        new_succs.append((succ, new_level))
-            succ_and_levels = new_succs
-
-        # - include at most six levels of predecessors from the indirect jump block
-        ij_block = self.func.get_node(self.indirect_jump_addr)
-        preds = [ij_block]
-        for _ in range(6):
-            new_preds = []
-            for node in preds:
-                if node in blocks:
-                    continue
-                blocks.add(node)
-                new_preds += list(self.func.graph.predecessors(node))
-            preds = new_preds
-            if not preds:
-                break
-
-        prop = self.project.analyses.FastConstantPropagation(
-            self.func,
-            blocks=blocks,
-            vex_cross_insn_opt=True,
-            load_callback=PropagatorLoadCallback(self.project).propagator_load_callback,
-        )
-        self.mapping = prop.replacements
-
-
 #
 # Jump table pre-check
 #
@@ -1798,7 +1700,9 @@ class JumpTableResolver(IndirectJumpResolver):
                         # swap the two tmps
                         jump_base_addr.tmp, jump_base_addr.tmp_1 = jump_base_addr.tmp_1, jump_base_addr.tmp
                     # Load the concrete base address
-                    jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
+                    with contextlib.suppress(SimError):
+                        # silently eat the claripy exception
+                        jump_base_addr.base_addr = state.solver.eval(state.scratch.temps[jump_base_addr.tmp_1])
             else:
                 # We do not support the cases where the base address involves more than one addition.
                 # One such case exists in libc-2.27.so shipped with Ubuntu x86 where esi is used as the address of the

angr/analyses/cfg/indirect_jump_resolvers/syscall_resolver.py

@@ -0,0 +1,92 @@
+from __future__ import annotations
+import contextlib
+from typing import TYPE_CHECKING
+import logging
+
+from angr import sim_options as o
+from angr import BP, BP_AFTER
+from angr.errors import (
+    AngrUnsupportedSyscallError,
+    SimOperationError,
+    SimError,
+)
+
+from .resolver import IndirectJumpResolver
+from .constant_value_manager import ConstantValueManager
+
+if TYPE_CHECKING:
+    from angr import Block
+    from angr.engines import SimSuccessors
+    from angr.sim_state import SimState
+    from angr.sim_procedure import SimProcedure
+
+
+_l = logging.getLogger(name=__name__)
+
+
+class SyscallResolver(IndirectJumpResolver):
+    """
+    Resolve syscalls to SimProcedures.
+    """
+
+    def __init__(self, project):
+        super().__init__(project, timeless=True)
+
+    def filter(self, cfg, addr, func_addr, block, jumpkind):
+        return jumpkind.startswith("Ijk_Sys")
+
+    def resolve(  # pylint:disable=unused-argument
+        self, cfg, addr: int, func_addr: int, block: Block, jumpkind: str, func_graph_complete: bool = True, **kwargs
+    ):
+        stub = self._resolve_syscall_to_stub(cfg, addr, func_addr, block)
+        return (True, [stub.addr]) if stub else (False, [])
+
+    def _resolve_syscall_to_stub(self, cfg, addr: int, func_addr: int, block: Block) -> SimProcedure | None:
+        if not cfg.functions.contains_addr(func_addr):
+            return None
+        func = cfg.functions.get_by_addr(func_addr)
+
+        cv_manager = ConstantValueManager(self.project, cfg.kb, func, addr)
+        constant_value_reg_read_bp = BP(when=BP_AFTER, enabled=True, action=cv_manager.reg_read_callback)
+
+        state = self.project.factory.blank_state(
+            mode="fastpath",
+            addr=block.addr,
+            add_options={o.SYMBOL_FILL_UNCONSTRAINED_MEMORY, o.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
+        )
+        state.inspect.add_breakpoint("reg_read", constant_value_reg_read_bp)
+
+        successors = self._simulate_block_with_resilience(state)
+        if successors:
+            state = self._get_syscall_state_from_successors(successors)
+            if state:
+                with contextlib.suppress(AngrUnsupportedSyscallError):
+                    return self.project.simos.syscall(state)
+        return None
+
+    def _simulate_block_with_resilience(self, state: SimState) -> SimSuccessors | None:
+        """
+        Execute a basic block with "On Error Resume Next". Give up when there is no way moving forward.
+        """
+
+        stmt_idx = 0
+        successors = None  # make PyCharm's linting happy
+
+        while True:
+            try:
+                successors = self.project.factory.successors(state, skip_stmts=stmt_idx)
+                break
+            except SimOperationError:
+                stmt_idx += 1
+                continue
+            except SimError:
+                return None
+
+        return successors
+
+    @staticmethod
+    def _get_syscall_state_from_successors(successors: SimSuccessors) -> SimState | None:
+        for state in successors.flat_successors:
+            if state.history.jumpkind and state.history.jumpkind.startswith("Ijk_Sys"):
+                return state
+        return None

angr/analyses/complete_calling_conventions.py

@@ -63,7 +63,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
         max_function_size: int | None = None,
         workers: int = 0,
         cc_callback: Callable | None = None,
-        prioritize_func_addrs: Iterable[int] | None = None,
+        prioritize_func_addrs: list[int] | set[int] | None = None,
         skip_other_funcs: bool = False,
         auto_start: bool = True,
         func_graphs: dict[int, networkx.DiGraph] | None = None,
@@ -130,9 +130,20 @@ class CompleteCallingConventionsAnalysis(Analysis):
         Infer calling conventions for all functions in the current project.
         """
 
-        # get an ordering of functions based on the call graph
-        # note that the call graph is a multi-digraph. we convert it to a digraph to speed up topological sort
-        directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+        # special case: if both _prioritize_func_addrs and _skip_other_funcs are set, we only need to sort part of
+        # the call graph; even better, if there is only one function set, we don't need to sort the call graph at all!
+        if self._prioritize_func_addrs and self._skip_other_funcs:
+            if len(self._prioritize_func_addrs) == 1:
+                self._func_addrs = list(self._prioritize_func_addrs)
+                self._total_funcs = 1
+                return
+            directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+            directed_callgraph = directed_callgraph.subgraph(self._prioritize_func_addrs)
+        else:
+            # get an ordering of functions based on the call graph
+            # note that the call graph is a multi-digraph. we convert it to a digraph to speed up topological sort
+            directed_callgraph = networkx.DiGraph(self.kb.functions.callgraph)
+        assert isinstance(directed_callgraph, networkx.DiGraph)
         sorted_funcs = GraphUtils.quasi_topological_sort_nodes(directed_callgraph)
 
         total_funcs = 0
@@ -148,7 +159,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
                     continue
 
                 if self._max_function_size is not None:
-                    func_size = sum(block.size for block in func.blocks)
+                    func_size = sum(block.size for block in func.blocks if block.size is not None)
                     if func_size > self._max_function_size:
                         _l.info(
                             "Skipping variable recovery for %r since its size (%d) is greater than the cutoff "
@@ -189,6 +200,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
 
     def work(self):
         total_funcs = self._total_funcs
+        assert total_funcs is not None
         if self._workers == 0:
             self._update_progress(0)
             for idx, func_addr in enumerate(self._func_addrs):
@@ -211,6 +223,7 @@ class CompleteCallingConventionsAnalysis(Analysis):
             self._finish_progress()
 
         else:
+            assert self._remaining_funcs is not None and self._func_queue is not None
             self._remaining_funcs.value = len(self._func_addrs)
 
             # generate a call tree (obviously, it's acyclic)