angr.state_plugins.heap

class angr.state_plugins.heap.PTChunk

Bases: Chunk

A chunk, inspired by the implementation of chunks in ptmalloc. Provides a representation of a chunk via a view into the memory plugin. For the chunk definitions and docs that this was loosely based off of, see glibc malloc/malloc.c, line 1033, as of commit 5a580643111ef6081be7b4c7bd1997a5447c903f, or follow this link directly to that line: https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=67cdfd0ad2f003964cd0f7dfe3bcd85ca98528a7;hb=5a580643111ef6081be7b4c7bd1997a5447c903f#l1033

Variables:
  • base – the location of the base of the chunk in memory

  • state – the program state that the chunk is resident in

  • heap – the heap plugin that the chunk is managed by

__init__(base, sim_state, heap=None)

set_size(size, is_free=None)

Use this to set the size on a chunk. When the chunk is new (such as when a free chunk is shrunk to form an allocated chunk and a remainder free chunk) it is recommended that the is_free hint be used since setting the size depends on the chunk’s freeness, and vice versa.

Parameters:
  • size – size of the chunk

  • is_free – boolean indicating the chunk’s freeness

set_prev_freeness(is_free)

Sets (or unsets) the flag controlling whether the previous chunk is free.

Parameters:

is_free – if True, sets the previous chunk to be free; if False, sets it to be allocated

is_prev_free()

Returns a concrete state of the flag indicating whether the previous chunk is free or not. Issues a warning if that flag is symbolic and has multiple solutions, and then assumes that the previous chunk is free.

Returns:

True if the previous chunk is free; False otherwise

prev_size()

Returns the size of the previous chunk, masking off what would be the flag bits if it were in the actual size field. Performs NO CHECKING to determine whether the previous chunk size is valid (for example, when the previous chunk is not free, its size cannot be determined).

next_chunk()

Returns the chunk immediately following (and adjacent to) this one, if it exists.

Returns:

The following chunk, or None if no such chunk exists

prev_chunk()

Returns the chunk immediately prior (and adjacent) to this one, if that chunk is free. If the prior chunk is not free, then its base cannot be located and this method raises an error.

Returns:

If possible, the previous chunk; otherwise, raises an error

fwd_chunk()

Returns the chunk following this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns:

If possible, the forward chunk; otherwise, raises an error

bck_chunk()

Returns the chunk backward from this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns:

If possible, the backward chunk; otherwise, raises an error
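The chunk operations documented above, as an added stand-alone model rather than angr's own PTChunk code: it reads and writes a ptmalloc-style header in a plain bytearray instead of the angr memory plugin, so the symbolic-value handling is absent. The 64-bit word size, the glibc field layout (prev_size at the base, size at base+8, fd at base+16) and the PREV_INUSE flag in bit 0 of the size field are assumptions taken from glibc, not stated on this page.

```python
PREV_INUSE, FLAG_MASK, WORD = 0x1, 0x7, 8   # flag bits live in the low 3 bits of size

class Chunk:
    """Concrete ptmalloc-style chunk view over a bytearray (constructed model)."""
    def __init__(self, mem, base):
        self.mem, self.base = mem, base
    def _rd(self, off):
        return int.from_bytes(self.mem[self.base + off:self.base + off + WORD], "little")
    def _wr(self, off, val):
        self.mem[self.base + off:self.base + off + WORD] = val.to_bytes(WORD, "little")
    def get_size(self):
        return self._rd(WORD) & ~FLAG_MASK
    def set_size(self, size, is_free):
        # Size and freeness are coupled: the next chunk's PREV_INUSE bit and,
        # for a free chunk, the next chunk's prev_size field change with it.
        self._wr(WORD, size | (self._rd(WORD) & FLAG_MASK))
        nxt = self.next_chunk()
        nxt.set_prev_freeness(is_free)
        if is_free:
            nxt._wr(0, size)
    def set_prev_freeness(self, is_free):
        s = self._rd(WORD)
        self._wr(WORD, s & ~PREV_INUSE if is_free else s | PREV_INUSE)
    def is_prev_free(self):
        return not self._rd(WORD) & PREV_INUSE
    def is_free(self):   # a chunk's own in-use state lives in the next header
        return self.next_chunk().is_prev_free()
    def prev_size(self):
        return self._rd(0) & ~FLAG_MASK      # masks flag bits; no validity check
    def next_chunk(self):
        return Chunk(self.mem, self.base + self.get_size())
    def prev_chunk(self):
        if not self.is_prev_free():
            raise ValueError("previous chunk is in use: its base cannot be located")
        return Chunk(self.mem, self.base - self.prev_size())
    def fwd_chunk(self):
        if not self.is_free():
            raise ValueError("chunk is allocated: it is on no free list")
        return Chunk(self.mem, self._rd(2 * WORD))   # fd pointer

def build_heap():
    """Constructed layout: [A 0x20 in use][B 0x30 free][C 0x20 in use][D 0x20 free]."""
    mem = bytearray(0x100)
    a, b, c, d = (Chunk(mem, off) for off in (0x00, 0x20, 0x50, 0x70))
    a.set_size(0x20, is_free=False); a.set_prev_freeness(False)
    b.set_size(0x30, is_free=True)
    c.set_size(0x20, is_free=False)
    d.set_size(0x20, is_free=True)
    b._wr(2 * WORD, d.base)   # B.fd -> D, the next entry on the free list
    return a, b, c, d
```

Because prev_size() validates nothing, a corrupted prev_size field silently yields a wrong prev_chunk() base; a chunk view like this is what lets an analysis observe such metadata corruption rather than crash on it.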

class angr.state_plugins.heap.PTChunkIterator

Bases: object

__init__(chunk, cond=<function PTChunkIterator.<lambda>>)

class angr.state_plugins.heap.SimHeapBase

Bases: SimStatePlugin

This is the base heap class that all heap implementations should subclass. It defines a few handlers for common heap functions (the libc memory management functions). Heap implementations are expected to override these functions regardless of whether they implement the SimHeapLibc interface. For an example, see the SimHeapBrk implementation, which is based on the original libc SimProcedure implementations.

Variables:
  • heap_base – the address of the base of the heap in memory

  • heap_size – the total size of the main memory region managed by the heap in memory

  • mmap_base – the address of the region from which large mmap allocations will be made

__init__(heap_base=None, heap_size=None)

class angr.state_plugins.heap.SimHeapBrk

Bases: SimHeapBase

SimHeapBrk represents a trivial heap implementation based on the Unix brk system call. This type of heap stores virtually no metadata, so it is up to the user to determine when it is safe to release memory. This also means that it does not properly support standard heap operations like realloc.

This heap implementation is a holdover from before any more proper implementations were modelled. At the time, various libc (or win32) SimProcedures handled the heap in the same way that this plugin does now. To make future heap implementations plug-and-play, they should implement the necessary logic themselves, and dependent SimProcedures should invoke a method of the same name as theirs (prefixed with an underscore) on the heap plugin. If a given heap implementation does not support that method, it should raise an error.

Out of consideration for the original way the heap was handled, this plugin implements functionality for all relevant SimProcedures (even those that would not normally be supported together in a single heap implementation).

Variables:

heap_location – the address of the top of the heap, bounding the allocations made starting from heap_base

__init__(heap_base=None, heap_size=None)

allocate(sim_size)

The actual allocation primitive for this heap implementation. Increases the position of the break to allocate space. Has no guards against the heap growing too large.

Parameters:

sim_size – a size specifying how much to increase the break pointer by

Returns:

a pointer to the previous break position, above which there is now allocated space

release(sim_size)

The memory release primitive for this heap implementation. Decreases the position of the break to deallocate space. Guards against releasing beyond the initial heap base.

Parameters:

sim_size – a size specifying how much to decrease the break pointer by (may be symbolic or not)

class angr.state_plugins.heap.SimHeapLibc

Bases: SimHeapBase

A class of heap that implements the major libc heap management functions.

malloc(sim_size)

A somewhat faithful implementation of libc malloc.

Parameters:

sim_size – the amount of memory (in bytes) to be allocated

Returns:

the address of the allocation, or a NULL pointer if the allocation failed

free(ptr)

A somewhat faithful implementation of libc free.

Parameters:

ptr – the location in memory to be freed

calloc(sim_nmemb, sim_size)

A somewhat faithful implementation of libc calloc.

Parameters:
  • sim_nmemb – the number of elements to allocate

  • sim_size – the size of each element (in bytes)

Returns:

the address of the allocation, or a NULL pointer if the allocation failed

realloc(ptr, size)

A somewhat faithful implementation of libc realloc.

Parameters:
  • ptr – the location in memory to be reallocated

  • size – the new size desired for the allocation

Returns:

the address of the allocation, or a NULL pointer if the allocation was freed or if no new allocation was made

class angr.state_plugins.heap.SimHeapPTMalloc

Bases: SimHeapFreelist

A freelist-style heap implementation inspired by ptmalloc. The chunks used by this heap contain heap metadata in addition to user data. While the real-world ptmalloc is implemented using multiple lists of free chunks (corresponding to their different sizes), this more basic model uses a single list of chunks and searches for free chunks using a first-fit algorithm.

NOTE: The plugin must be registered using register_plugin with name heap in order to function properly.

Variables:
  • heap_base – the address of the base of the heap in memory

  • heap_size – the total size of the main memory region managed by the heap in memory

  • mmap_base – the address of the region from which large mmap allocations will be made

  • free_head_chunk – the head of the linked list of free chunks in the heap

__init__(heap_base=None, heap_size=None)

chunk_from_mem(ptr)

Given a pointer to a user payload, return the base of the chunk associated with that payload (i.e. the chunk pointer). Returns None if ptr is null.

Parameters:

ptr – a pointer to the base of a user payload in the heap

Returns:

a pointer to the base of the associated heap chunk, or None if ptr is null
