| File | Last commit | Last updated |
|---|---|---|
| | | 4 years ago |
| | i#5786: Add precise clean call mangling identification (#5791) Adds new labels delimiting clean call sequences. Converts into a translation record flag when storing translations. Uses the new labels and flag to precisely identify clean call mangling, replacing the previous scheme which incorrectly thought mangled tool pc-relative was a clean call, resulting in incorrect translations and crashes. Adds a test case to api.detach_state by adding a client (by converting it to use static DR) which inserts a pc-relative load. This reproduces the crash on detach, and is fixed with this fix. The added instrumentation caused periodic detach failures which were solved by setting the translation and adding a restore-state event: i#4232 covers trying to improve the situation. Adds a new instr_t.offset field. Stops using instr_t.note to hold encoding offsets for pc-relative operands. Adds a new field instr_t.offset which is used for this purpose. This leaves note values in place across encodings, which is needed for new clean call marking labels and also simplifies rseq handling code. This instr_t field is a compatibility break and we bump the version and OLDEST_COMPATIBLE_VERSION here to 990. Updates dr_get_note docs. Augments logging of xl8 info with new flag info. Reduces DR_NOTE_FIRST_RESERVED to give DR more reserved labels. This is another compatibility break, while at it. Fixes several issues hit in tests that happened to trigger on the heap bucket size and other changes: + Fixes a rank order violation at loglevel 5: xref #1649 + Writes real xstate_bv into signal frame when setting the xstate context to avoid lazy AVX restore problems. + Tweaks the thread_churn test to work around non-linearities. Issue: #5786, #4232 Fixes #5786 | 3 years ago |
| | | 7 years ago |
| | i#5383 mac a64, part 2: Fix compiler warnings (#5632) Fixes many unused-variable warnings when building the core and extension libraries. This enables a config without tests or docs to build. The drsyms libraries are missing so clients/ is not yet built. Increases the clang-format version from 12 to 14 to match local versions, as 12 has bugs in clang-format-diff that showed up in many places in this PR. Adds alignment of adjusted stack size options to page sizes in options_enable_code_api_dependences(). Issue: #5383 | 3 years ago |
| | i#3348 sym conflicts: Rename set_cache_size to proc_set_cache_size (#5276) Fixes a symbol conflict with a python package PyTables that is hit when statically linking with certain toolchains where non-exported symbol hiding is not available. The fix is to rename set_cache_size() to proc_set_cache_size(). This also matches the proc_ prefix for related functions, so we do not resort to the d_r_ prefix. Issue: #3348 | 4 years ago |
| | i#5383 mac a64, part 1: Build on M1 (#5610) This patch adds enough support to run simple hello world on M1 MacOS. It separates x86 and aarch64 Mac code in many places, adjusts the TLS from tpidr_el0 to tpidrro_el0, tweaks the assembly syntax, adds support for decoding and handling some of the pointer authentication opcodes in ARMv8.3 (mainly just strips off any PAC bits before jumping anywhere), adds pthread_jit_write_protect_np() calls for written executable code, and updates the system call number register. There are a number of unresolved and missing pieces, which are marked with comments in the code: + DR_TLS_BASE_OFFSET needs further investigation + dynamorio_{sigreturn,exit} are NYI + The pointer authentication opcodes need tests, and the full set of opcodes needs to be added + The gettimeofday library call inserted here should be replaced with a system call. + The PTHREAD_JIT_WRITE calls are likely missing from some places and not at the right level to be most efficient. Original version contributed by: Anthony Romano <anthony@forallsecure.com> Co-authored-by: Anthony Romano <anthony@forallsecure.com> Issue: #5383 | 3 years ago |
| | i#803: Cross-arch Windows injection (#4653) Adds a long-missing feature: following into a Windows child process of a different bitwidth. Switches injection from DR and from drinjectlib (including drrun and drinject) to use -early_inject_map. This was most easily done by turning on -early_inject by default as well. However, the -early_inject_location default is INJECT_LOCATION_ThreadStart, a new "early" injection location which is the same late takeover point as with thread injection (we could also use _ImageEntry, which is only very slightly later, but that fails for .NET and other applications). Switching all injection over to map-from-the-parent simplifies cross-arch following, as well as making it easier to shift the takeover point to an earlier spot in the future. This is a step toward #607 by switching drinjectlib to use map injection; the takeover point, as mentioned, is still the thread start. Placing a hook at the thread start causes some stability issues, so instead of the usual hook for -early_inject_map, for INJECT_LOCATION_ThreadStart we set the thread context, like thread injection does. The gencode still restores the hook as a nop, for simplicity. For parent64 child32, we can't easily locate the thread start, so we assume it's ntdll32!RtlUserThreadStart (which is also a fallback if anything fails in other cases; the final fallback is a hook at the image entry, which works nearly everywhere but not for .NET where the image entry is not reached). Adds an -inject_x64 option to inject a 64-bit DR lib into a 32-bit child from a 64-bit parent, but this option is only sketched out and is not fully supported yet: #49 covers adding tests and official support. Adds library swapping code to find the other-bitwidth library, which assumes a parallel directory structure. Add a new fatal error if the library for a child is not found. To support generating code for all 3 child-parent cases (same-same, 32-64, and 64-32), and in particular for 32-64, switches the small gencode sequence for -early_inject_map from using IR to using raw bytes. A multi-arch encoder (#1684) would help but we would need cross-bitwidth support there, which is not on the horizon. Fixes what look like bugs in the original gencode generation along the way (s/pc/cur_local_pos/ and s/local_code_buf/remote_code_buf/): it's not clear how it worked before. Adds support for several system calls from a 32-bit parent to a 64-bit child where the desired NtWow64* system call does not exist. We use switch_modes_and_call() for NtProtectVirtualMemory and NtQueryVirtualMemory. Changes all types in the injection code to handle 64-bit addresses in 32-bit code. Adds UNICODE_STRING_32 and RTL_USER_PROCESS_PARAMETERS_32 for handling 32-bit structures from 64-bit parents. Similarly, adds RTL_USER_PROCESS_PARAMETERS_64 and PROCESS_BASIC_INFORMATION64. Adds get_process_imgname_cmdline() capability for 64-bit remote from 32-bit. Adds get_remote_proc_address() and uses it to look up dynamorio_earliest_init_takeover() in a child DR. Finds the remote ntdll base via a remote query memory walk plus remote image header parsing. This requires adding a switch_modes_and_call() version of NtQueryVirtualMemory (also mentioned above), which needs 64-bit args: so we refactor switch_modes_and_call() to take in a struct of all 64-bit fields for the args. Fixes a few bugs in other routines to properly get the image name and image entry for 32-bit children of 64-bit parents. Updates environment variable propagation code to handle a 32-bit parent and a 64-bit child. Updates a 64-bit parent and 32-bit child to insert the variables into the 32-bit PEB (64-bit does no good), which requires finding the 32-bit PEB. This is done via the 32-bit TEB, using a hack due to what seems like a kernel bug where it has the TebBaseAddress 0x2000 too low. Makes environment variable propagation failures fatal and visible, unlike previously where errors would just result in silently letting the child run natively. Turns some other prior soft errors into fatal errors on child takeover. Moves environment variable propagation to post-CreateUserProcess instead of waiting for ResumeThread, which avoids having to get the thread context (for which we have no other-bitwidth support) to figure out whether it's the first thread in the process or not. We bail on propagation for pre-Vista where we'd have to wait for ResumeThread. Generalizes the other-bitwidth Visual Studio toolchain environment variable setting for use in a new build-and-test other-bitwidth test which builds dynamorio and the large_options client (to ensure options are propagated to children; and it has convenient init and exit time prints) for the other bitwidth, arranges parallel lib dirs, and runs the other client. Issue: #803, #147, #607, #49 Fixes #803 | 5 years ago |
| | i#3092 genapi: Refactor instr_create exports (#4833) The arm, aarch64, and shared instr and opnd create macro files were already pure-public, so we rename them to add _api.h to the end: core/ir/instr_create_shared_api.h, core/ir/arm/instr_create_api.h, core/ir/aarch64/instr_create_api.h. For x86, we also rename core/ir/x86/instr_create_api.h, but since we have some private macros, we also create a new instr_create_shared.h and x86/instr_create.h for those. The core includes instr_create_shared.h now. Replaces the handful of dcontext_t types with void*. Issue: #3092 | 5 years ago |