-
Notifications
You must be signed in to change notification settings - Fork 724
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
munmap logic change to avoid crashes #861
base: old_dev
Are you sure you want to change the base?
munmap logic change to avoid crashes #861
Conversation
ql.mem.unmap will crash if we will munmap more memory than available in unicorn memory, which can be used to break qiling execution. This patch will unmap only available memory pages.
Fmm, interesting check result. Actually yes, I forgot about devices |
Sorry, I don't get it. It is undefined behavior either to unmap a mapping by a larger size or to unmap a mapping twice. Why would you like to rely on this behavior? |
The executable in example 1 will work without errors of memory violations, this way it can be used as anti-qiling method 'cuz qiling will fail this checks. The second case is legitimate and works w/o errors via qemu, but because of bad borders of munmap qiling won't handle it too. Let's add memory listeners after each mmap and munmap method: def show_memory_map(ql, *args):
print("### MAPINFO AFTER mmap ###")
ql.mem.show_mapinfo()
print("### ################## ###")
return 1
...
ql = Qiling([file], f"rootfs/{env}", verbose=QL_VERBOSE.DEBUG, profile = 'ql_profile.ql')
ql.set_syscall("mmap", ql_syscall_mmap) # mmap patch from https://github.com/qilingframework/qiling/pull/841
ql.set_syscall("mmap", show_memory_map, QL_INTERCEPT.EXIT)
ql.set_syscall("munmap", show_memory_map, QL_INTERCEPT.EXIT) And execute it:
As we can see, munmap tries to free the memory range 0x100_000 - 0x19f_b54 And there are two pages with gap between them (0x13e_000 - 0x190_000) that will be freed after this operation.
After this patch:
But actually idk why the second fix will crash ci/cd socket checks) |
Two things
|
ql.mem.unmap will crash if we will munmap more memory than available in unicorn memory, which can be used to break qiling execution. This patch will unmap only available memory pages.
Case 1 - intentionally breaking qiling (possible malware case)
Code:
Execution by actual linux system:
Execution by qiling:
Case 2 - upx unpack process on MIPS (the case that was the reason for this pr)
Sample - upxed hello world for mipsel:
Qiling run:
So this patch will solve both problems - by checking munmap target mem existence and handling address overlapping.
Checklist
Which kind of PR do you create?
Coding convention?
Extra tests?
Changelog?
Target branch?
One last thing