Newer
Older
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("mbtowc");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("wctomb");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("mbstowcs");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("wcstombs");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
// <stdio.h>
MapEntry.first = string("remove");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("rename");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("tmpnam");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fclose");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fflush");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fopen");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("freopen");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1 | STARS_ARG_POS_2);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("setbuf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("setvbuf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fscanf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("printf");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("scanf");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("sprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("sscanf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vfprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vprintf");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("vsprintf");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgetc");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgets");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_2);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fputc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fputs");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("getc");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("gets");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("putc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("puts");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ungetc");
MapEntry.second = STARS_ARG_POS_1;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fread");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fwrite");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fgetpos");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fseek");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("fsetpos");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_1);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ftell");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("rewind");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("clearerr");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("feof");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ferror");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("perror");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
// <time.h>
MapEntry.first = string("mktime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("time");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("asctime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("ctime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("gmtime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("localtime");
MapEntry.second = STARS_ARG_POS_0;
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
MapEntry.first = string("strftime");
MapEntry.second = (STARS_ARG_POS_0 | STARS_ARG_POS_2 | STARS_ARG_POS_3);
InsertResult = PointerArgPositionMap.insert(MapEntry);
assert(InsertResult.second);
return;
} // end of InitPointerArgPositionMap()
// Return POINTER arg position bitset for call name from the POINTER arg map.
// If we don't find the call name, we return 0 in ArgPosBits.
void GetPointerArgPositionsForCallName(string CalleeName, unsigned int &ArgPosBits) {
map<string, unsigned int>::iterator MapIter;
ArgPosBits = 0; // Change if found later
MapIter = PointerArgPositionMap.find(CalleeName);
if (MapIter != PointerArgPositionMap.end()) { // found it
ArgPosBits = MapIter->second;
}
return;
}
// Utility to count bits set in an unsigned int, e.g. ArgPosBits.
unsigned int CountBitsSet(unsigned int ArgPosBits) {
unsigned int count; // count accumulates the total bits set in ArgPosBits
for (count = 0; ArgPosBits; ++count) {
ArgPosBits &= (ArgPosBits - 1); // clear the least significant bit set
}
// Brian Kernighan's method goes through as many iterations as there are set bits.
// So if we have a 32-bit word with only the high bit set, then it will only go once through the loop.
// Published in 1988, the C Programming Language 2nd Ed. (by Brian W. Kernighan and Dennis M. Ritchie) mentions this in exercise 2-9.
// On April 19, 2006 Don Knuth pointed out to me that this method "was first published by Peter Wegner in CACM 3 (1960), 322.
// (Also discovered independently by Derrick Lehmer and published in 1964 in a book edited by Beckenbach.)"
return count;
}
// Utility to get highest bit set in a byte.
unsigned int HighestBitSet(unsigned char Byte) {
unsigned int RetVal = 0;
if (Byte & 0xf0) { // check upper 4 bits
RetVal |= 4; // at least bit 4 or higher is set
Byte >>= 4; // shift upper nibble to lower nibble
}
if (Byte & 0xc) { // check upper two bits of lower nibble
RetVal |= 2; // At least bit 2 or higher is set
Byte >>= 2; // shift upper two bits of lower nibble into lowest two bits
}
if (Byte & 0x2) { // Check second least significant bit
RetVal |= 1;
}
return RetVal;
}
// Initialize the FG info for the return register from any library function
// whose name implies that we know certain return values (e.g. atoi() returns
// a signed integer, while strtoul() returns an unsigned long).
void GetLibFuncFGInfo(string FuncName, struct FineGrainedInfo &InitFGInfo) {
map<string, struct FineGrainedInfo>::iterator FindIter;
FindIter = ReturnRegisterTypeMap.find(FuncName);
if (FindIter == ReturnRegisterTypeMap.end()) { // not found
InitFGInfo.SignMiscInfo = 0;
InitFGInfo.SizeInfo = 0;
}
else { // found
InitFGInfo = FindIter->second;
}
return;
} // end of GetLibFuncFGInfo()
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
// Is FuncName a standard library function name?
bool IsLibFuncName(std::string CalleeName) {
// Return true if we find the name in any of our function type maps.
map<string, struct FineGrainedInfo>::iterator RetTypeIter = ReturnRegisterTypeMap.find(CalleeName);
if (RetTypeIter != ReturnRegisterTypeMap.end()) { // found
return true;
}
map<string, unsigned int>::iterator PtrArgIter = PointerArgPositionMap.find(CalleeName);
if (PtrArgIter != PointerArgPositionMap.end()) { // found it
return true;
}
map<string, unsigned int>::iterator TaintIter = TaintWarningArgPositionMap.find(CalleeName);
if (TaintIter != TaintWarningArgPositionMap.end()) { // found it
return true;
}
map<string, unsigned int>::iterator UnsignedIter = UnsignedArgPositionMap.find(CalleeName);
if (UnsignedIter != UnsignedArgPositionMap.end()) { // found it
return true;
}
map<string, string>::iterator SinkIter = IntegerErrorCallSinkMap.find(CalleeName);
if (SinkIter != IntegerErrorCallSinkMap.end()) { // found it
return true;
}
// Put searches for additional library function names here.
if (0 == CalleeName.compare("setuid")) {
return true;
}
return false;
} // end of IsLibFuncName()
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
// Is FuncName a startup func called before main(), or a wrapup function called by the system?
bool IsStartupFuncName(const std::string FuncName) {
bool NameMatched = false;
char IDA_func_name[STARS_MAXSTR];
std::size_t SkipCount;
SkipCount = strspn(FuncName.c_str(), "._");
std::string TempFuncName = FuncName.substr(SkipCount); // remove leading periods and underscores
if (0 == TempFuncName.compare("init_proc")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("init")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("start")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("gmon_start")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("call_gmon_start")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("libc_start_main")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("call_gmon_start__")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("libc_start_main__")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("libc_csu_init")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("libc_csu_fini")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("do_global_dtors_aux")) {
NameMatched = true;
}
else if (0 == TempFuncName.compare("term_proc")) {
NameMatched = true;
}
clc5q
committed
else if (0 == TempFuncName.compare("fini")) {
NameMatched = true;
}