librasan: Support patching Thumb functions

Author: wfdewith

libafl_qemu/librasan/asan/src/patch/raw.rs

@@ -14,6 +14,8 @@ pub struct RawPatch;
 
 impl Patch for RawPatch {
     type Error = RawPatchError;
+
+    #[cfg(not(target_arch = "arm"))]
     fn patch(target: GuestAddr, destination: GuestAddr) -> Result<(), Self::Error> {
         debug!("patch - addr: {:#x}, target: {:#x}", target, destination);
         if target == destination {
@@ -25,6 +27,26 @@ impl Patch for RawPatch {
         dest.copy_from_slice(&patch);
         Ok(())
     }
+
+    #[cfg(target_arch = "arm")]
+    fn patch(target: GuestAddr, destination: GuestAddr) -> Result<(), Self::Error> {
+        debug!("patch - addr: {:#x}, target: {:#x}", target, destination);
+        if target == destination {
+            Err(RawPatchError::IdentityPatch(target))?;
+        }
+
+        let patch = if target & 1 == 1 {
+            Self::get_patch_thumb(destination)?
+        } else {
+            Self::get_patch_arm(destination)?
+        };
+
+        trace!("patch: {:02x?}", patch);
+        let target = target & !1;
+        let dest = unsafe { from_raw_parts_mut(target as *mut u8, patch.len()) };
+        dest.copy_from_slice(&patch);
+        Ok(())
+    }
 }
 
 impl RawPatch {
@@ -69,7 +91,7 @@ impl RawPatch {
     }
 
     #[cfg(target_arch = "arm")]
-    fn get_patch(destination: GuestAddr) -> Result<Vec<u8>, RawPatchError> {
+    fn get_patch_arm(destination: GuestAddr) -> Result<Vec<u8>, RawPatchError> {
         // ldr ip, [pc]
         // bx ip
         // .long 0xdeadface
@@ -83,6 +105,21 @@ impl RawPatch {
         Ok(insns_mod.into_iter().flatten().cloned().collect())
     }
 
+    #[cfg(target_arch = "arm")]
+    fn get_patch_thumb(destination: GuestAddr) -> Result<Vec<u8>, RawPatchError> {
+        // ldr ip, [pc, #2]
+        // bx ip
+        // .long 0xdeadface
+        let insns = [
+            [0xdf, 0xf8, 0x02, 0xc0].to_vec(),
+            [0x60, 0x47].to_vec(),
+            [0xce, 0xfa, 0xad, 0xde].to_vec(),
+        ];
+        let addr = destination.to_ne_bytes().to_vec();
+        let insns_mod = [&insns[0], &insns[1], &addr];
+        Ok(insns_mod.into_iter().flatten().cloned().collect())
+    }
+
     #[cfg(target_arch = "aarch64")]
     fn get_patch(destination: GuestAddr) -> Result<Vec<u8>, RawPatchError> {
         // ldr x16, #8

libafl_qemu/librasan/asan/tests/patch_raw.rs

@@ -1,5 +1,8 @@
+#![cfg_attr(target_arch = "arm", feature(arm_target_feature))]
+
 #[cfg(test)]
 #[cfg(feature = "libc")]
+#[cfg(not(target_arch = "arm"))]
 mod tests {
     use asan::{
         GuestAddr,
@@ -55,3 +58,102 @@ mod tests {
         assert_eq!(ret, 0xd00df00d);
     }
 }
+
+#[cfg(test)]
+#[cfg(feature = "libc")]
+#[cfg(target_arch = "arm")]
+mod tests {
+    use asan::{
+        GuestAddr,
+        mmap::{Mmap, MmapProt, linux::LinuxMmap},
+        patch::{Patch, raw::RawPatch},
+    };
+    use log::info;
+
+    macro_rules! define_test_function {
+        ($fn_name:ident, $ret_val:expr) => {
+            define_test_function!([], $fn_name, $ret_val);
+        };
+
+        ($attr:meta, $fn_name:ident, $ret_val:expr) => {
+            define_test_function!([$attr], $fn_name, $ret_val);
+        };
+
+        ([$($attr:meta)*], $fn_name:ident, $ret_val:expr) => {
+            #[unsafe(no_mangle)]
+            $(#[$attr])*
+            extern "C" fn $fn_name(
+                a1: usize,
+                a2: usize,
+                a3: usize,
+                a4: usize,
+                a5: usize,
+                a6: usize,
+            ) -> usize {
+                assert_eq!(a1, 1);
+                assert_eq!(a2, 2);
+                assert_eq!(a3, 3);
+                assert_eq!(a4, 4);
+                assert_eq!(a5, 5);
+                assert_eq!(a6, 6);
+                return $ret_val;
+            }
+        };
+    }
+
+    macro_rules! define_test {
+        ($fn_name:ident, $test_fn1:ident, $test_fn2:ident, $test_ret_val1:expr, $test_ret_val2:expr) => {
+            #[test]
+            fn $fn_name() {
+                #[allow(unused_unsafe)]
+                unsafe {
+                    let ret1 = $test_fn1(1, 2, 3, 4, 5, 6);
+                    assert_eq!(ret1, $test_ret_val1);
+
+                    let ret2 = $test_fn2(1, 2, 3, 4, 5, 6);
+                    assert_eq!(ret2, $test_ret_val2);
+
+                    let ptest1 = $test_fn1 as *const () as GuestAddr;
+                    let ptest2 = $test_fn2 as *const () as GuestAddr;
+                    info!("pfn: {:#x}", ptest1);
+                    let aligned_pfn = ptest1 & !0xfff;
+                    info!("aligned_pfn: {:#x}", aligned_pfn);
+                    LinuxMmap::protect(
+                        aligned_pfn,
+                        0x4096,
+                        MmapProt::READ | MmapProt::WRITE | MmapProt::EXEC,
+                    )
+                    .unwrap();
+
+                    RawPatch::patch(ptest1, ptest2).unwrap();
+                    let ret = $test_fn1(1, 2, 3, 4, 5, 6);
+                    assert_eq!(ret, $test_ret_val2);
+                }
+            }
+        };
+    }
+
+    define_test_function!(test_arm1, 0xdeadface);
+    define_test_function!(test_arm2, 0xd00df00d);
+    define_test_function!(test_arm3, 0xfeeddeaf);
+    define_test_function!(
+        target_feature(enable = "thumb-mode"),
+        test_thumb1,
+        0xcafebabe
+    );
+    define_test_function!(
+        target_feature(enable = "thumb-mode"),
+        test_thumb2,
+        0xbeeffade
+    );
+    define_test_function!(
+        target_feature(enable = "thumb-mode"),
+        test_thumb3,
+        0xdeedcede
+    );
+
+    define_test!(test_patch_arm_to_arm, test_arm2, test_arm1, 0xd00df00d, 0xdeadface);
+    define_test!(test_patch_arm_to_thumb, test_arm3, test_thumb1, 0xfeeddeaf, 0xcafebabe);
+    define_test!(test_patch_thumb_to_arm, test_thumb3, test_arm1, 0xdeedcede, 0xdeadface);
+    define_test!(test_patch_thumb_to_thumb, test_thumb2, test_thumb1, 0xbeeffade, 0xcafebabe);
+}