from..pluginimportSimStatePluginfrom...errorsimportSimMemoryErrorfrom..importsim_optionsasoptsimportloggingl=logging.getLogger("angr.state_plugins.heap.heap_base")# TODO: derive heap location from SimOS and binary info for something more realistic (and safe?)DEFAULT_HEAP_LOCATION=0xC0000000DEFAULT_HEAP_SIZE=64*4096
[docs]classSimHeapBase(SimStatePlugin):""" This is the base heap class that all heap implementations should subclass. It defines a few handlers for common heap functions (the libc memory management functions). Heap implementations are expected to override these functions regardless of whether they implement the SimHeapLibc interface. For an example, see the SimHeapBrk implementation, which is based on the original libc SimProcedure implementations. :ivar heap_base: the address of the base of the heap in memory :ivar heap_size: the total size of the main memory region managed by the heap in memory :ivar mmap_base: the address of the region from which large mmap allocations will be made """
def_conc_alloc_size(self,sim_size):""" Concretizes a size argument, if necessary, to something that makes sense when allocating space. Here we just maximize its potential size up to the maximum variable size specified in the libc plugin. TODO: Further consideration of the tradeoffs of this approach is probably warranted. SimHeapPTMalloc especially makes a lot of different concretization strategy assumptions, but this function handles one of the more important problems that any heap implementation will face: how to decide the amount of space to allocate upon request for a symbolic size. Either we do as we do here and silently constrain the amount returned to a default max value, or we could add a path constraint to the state to prevent exploration of any paths that would have legitimately occurred given a larger allocation size. The first approach (the silent maximum) has its benefit in that the explored state space will not be constrained. Sometimes this could work out, as when an allocation is returned that is smaller than requested but which the program doesn't end up making full use of anyways. Alternatively, this lack of fidelity could cause the program to overwrite other allocations made, since it should be able to assume the allocation is as large as it requested it be. The second approach (the path constraint) has its benefit in that no paths will be explored that *could* fail when an allocation is made too small. On the other hand, as stated above, some of these paths might not have failed anyways, and doing this causes us to lose the opportunity to explore those paths. Perhaps these behaviors could be parameterized in the future? """ifself.state.solver.symbolic(sim_size):size=self.state.solver.max_int(sim_size)ifsize>self.state.libc.max_variable_size:l.warning("Allocation request of %d bytes exceeded maximum of %d bytes; allocating %d bytes",size,self.state.libc.max_variable_size,self.state.libc.max_variable_size,)size=self.state.libc.max_variable_sizeelse:size=self.state.solver.eval(sim_size)returnsizedef_malloc(self,sim_size):""" Handler for any libc `malloc` SimProcedure call. If the heap has faithful support for `malloc`, it ought to be implemented in a `malloc` function (as opposed to the `_malloc` function). :param sim_size: the amount of memory (in bytes) to be allocated """raiseNotImplementedError(f"{self._malloc.__func__.__name__} not implemented for {self.__class__.__name__}")def_free(self,ptr):""" Handler for any libc `free` SimProcedure call. If the heap has faithful support for `free`, it ought to be implemented in a `free` function (as opposed to the `_free` function). :param ptr: the location in memory to be freed """raiseNotImplementedError(f"{self._free.__func__.__name__} not implemented for {self.__class__.__name__}")def_calloc(self,sim_nmemb,sim_size):""" Handler for any libc `calloc` SimProcedure call. If the heap has faithful support for `calloc`, it ought to be implemented in a `calloc` function (as opposed to the `_calloc` function). :param sim_nmemb: the number of elements to allocated :param sim_size: the size of each element (in bytes) """raiseNotImplementedError(f"{self._calloc.__func__.__name__} not implemented for {self.__class__.__name__}")def_realloc(self,ptr,size):""" Handler for any libc `realloc` SimProcedure call. If the heap has faithful support for `realloc`, it ought to be implemented in a `realloc` function (as opposed to the `_realloc` function). :param ptr: the location in memory to be reallocated :param size: the new size desired for the allocation """raiseNotImplementedError(f"{self._realloc.__func__.__name__} not implemented for {self.__class__.__name__}")
[docs]definit_state(self):ifopts.ABSTRACT_MEMORYinself.state.options:returntry:self.state.memory.permissions(self.heap_base)exceptSimMemoryError:l.debug("Mapping base heap region")self.state.memory.map_region(self.heap_base,self.heap_size,3)