Handle case and refactor test APIs

Author: giridh1337

src/rz_solver.c

@@ -23,7 +23,6 @@ typedef struct {
 typedef struct {
   const RzCore *core;
   const RzRopConstraint *constraint;
-  const ut64 val;
   const RzRopRegInfo *reg_info;
   const RzRopGadgetInfo *gadget_info;
 } RopStackConstraintParams;
@@ -47,9 +46,6 @@ static void update_rop_constraint_result(const RzRopSolverResult *result,
 
 static ut64 parse_rop_constraint_int_val(const RzRopConstraint *rop_constraint,
                                          const RzRopArgType type) {
-  if (!rop_constraint) {
-    return -1;
-  }
   const char *src_const = rop_constraint->args[type];
   char *endptr;
   ut64 src_val;
@@ -118,6 +114,11 @@ static void handle_mov_reg_analysis(const RopSolverAnalysisOpParams *op_params,
                     op_params->gadget_info && v);
   const RzAnalysisOp *op = (RzAnalysisOp *)v;
   const RzRopConstraint *constraint = op_params->constraint;
+  const char *dst_reg = constraint->args[DST_REG];
+  if (!dst_reg) {
+    return;
+  }
+
   const RzRopGadgetInfo *gadget_info = op_params->gadget_info;
 }
 
@@ -127,9 +128,6 @@ handle_mov_const_analysis(const RopSolverAnalysisOpParams *op_params,
   rz_return_if_fail(op_params && op_params->constraint && op_params &&
                     op_params->result && v && op_params->core);
   const RzRopConstraint *constraint = op_params->constraint;
-  if (!constraint) {
-    return;
-  }
   const char *dst_reg = constraint->args[DST_REG];
   if (!dst_reg) {
     return;
@@ -190,10 +188,10 @@ static bool has_value_cb(void *user, const void *key, const ut64 value) {
   RzRopSolverResult *result = user;
   if (!value) {
     result->is_solved = false;
-    return true; // Continue iteration rop solver is not complete
+    return false; // If it has one value, break from the loop
   }
   result->is_solved = true;
-  return false;
+  return true;
 }
 
 static bool is_rop_solver_complete(const RzRopSolverResult *result) {
@@ -202,25 +200,6 @@ static bool is_rop_solver_complete(const RzRopSolverResult *result) {
   return result->is_solved;
 }
 
-static void mov_reg(const RzCore *core, const RzRopGadgetInfo *gadget_info,
-                    const RzRopConstraint *rop_constraint,
-                    const RopSolverCallbackParams *params) {
-  // Assertions for mov_reg solver
-  rz_return_if_fail(gadget_info && rop_constraint);
-  rz_return_if_fail(rop_constraint->args[SRC_REG] &&
-                    rop_constraint->args[DST_REG]);
-  rz_return_if_fail(core && core->analysis && core->analysis->reg);
-
-  RzRopRegInfo *info = rz_core_rop_gadget_info_get_modified_register(
-      gadget_info, rop_constraint->args[DST_REG]);
-  if (!info) {
-    return;
-  }
-  if (is_rop_solver_complete(params->result)) {
-    return;
-  }
-}
-
 static bool stack_constraint(const RopStackConstraintParams *params,
                              const RzRopSolverResult *result) {
   rz_return_val_if_fail(params && params->constraint && params->reg_info,
@@ -284,7 +263,8 @@ static bool stack_constraint(const RopStackConstraintParams *params,
 }
 
 static bool is_direct_lookup(const RzCore *core,
-                             const RzRopGadgetInfo *gadget_info, char *dst) {
+                             const RzRopGadgetInfo *gadget_info,
+                             RzPVector *dep_allow_list) {
   if (!gadget_info) {
     return false;
   }
@@ -293,8 +273,32 @@ static bool is_direct_lookup(const RzCore *core,
     return false;
   }
 
-  RzRopRegInfo *reg_info;
+  RzRopRegInfo *reg_info = NULL;
   RzListIter *iter;
+  if (dep_allow_list) {
+    RzPVector *events = rz_core_rop_gadget_get_reg_info_by_event(
+        gadget_info, RZ_ROP_EVENT_VAR_READ);
+    if (rz_pvector_empty(events)) {
+      return false;
+    }
+    while (!rz_pvector_empty(events)) {
+      reg_info = rz_pvector_pop(events);
+      if (!reg_info) {
+        continue;
+      }
+      if (rz_reg_is_role(core->analysis->reg, reg_info->name, RZ_REG_NAME_SP) ||
+          rz_reg_is_role(core->analysis->reg, reg_info->name, RZ_REG_NAME_BP)) {
+        continue;
+      }
+      if (rz_pvector_find(dep_allow_list, reg_info->name,
+                          (RzPVectorComparator)strcmp, NULL)) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
   rz_list_foreach(gadget_info->dependencies, iter, reg_info) {
     if (rz_reg_is_role(core->analysis->reg, reg_info->name, RZ_REG_NAME_SP) ||
         rz_reg_is_role(core->analysis->reg, reg_info->name, RZ_REG_NAME_BP)) {
@@ -306,10 +310,9 @@ static bool is_direct_lookup(const RzCore *core,
   return true;
 }
 
-static void rz_solver_direct_lookup(const RzCore *core,
-                                    const RzRopGadgetInfo *gadget_info,
-                                    const RzRopConstraint *rop_constraint,
-                                    const RzRopSolverResult *result) {
+static void rz_solver_mov_const_direct_lookup(
+    const RzCore *core, const RzRopGadgetInfo *gadget_info,
+    const RzRopConstraint *rop_constraint, const RzRopSolverResult *result) {
   RzRopRegInfo *info = rz_core_rop_gadget_info_get_modified_register(
       gadget_info, rop_constraint->args[DST_REG]);
   if (!info) {
@@ -321,8 +324,7 @@ static void rz_solver_direct_lookup(const RzCore *core,
   if (src_val == -1) {
     return;
   }
-  const bool is_dir_lookup =
-      is_direct_lookup(core, gadget_info, rop_constraint->args[DST_REG]);
+  const bool is_dir_lookup = is_direct_lookup(core, gadget_info, NULL);
   if (info->new_val == src_val && is_dir_lookup) {
     update_rop_constraint_result(result, rop_constraint, gadget_info->address);
     return;
@@ -332,14 +334,56 @@ static void rz_solver_direct_lookup(const RzCore *core,
   const RopStackConstraintParams stack_params = {
       .core = core,
       .constraint = rop_constraint,
-      .val = src_val,
       .reg_info = info,
       .gadget_info = gadget_info,
   };
   if (stack_constraint(&stack_params, result)) {
     return;
   }
-  return;
+}
+
+static void rz_solver_mov_reg_direct_lookup(
+    const RzCore *core, const RzRopGadgetInfo *gadget_info,
+    const RzRopConstraint *rop_constraint, const RzRopSolverResult *result) {
+  RzRopRegInfo *dst_info = rz_core_rop_gadget_info_get_modified_register(
+      gadget_info, rop_constraint->args[DST_REG]);
+
+  if (!dst_info) {
+    return;
+  }
+  RzPVector *dep_allow_list = rz_pvector_new(free);
+  if (!dep_allow_list) {
+    return;
+  }
+  rz_pvector_push(dep_allow_list, rz_str_dup(rop_constraint->args[SRC_REG]));
+  const bool is_dir_lookup =
+      is_direct_lookup(core, gadget_info, dep_allow_list);
+  if (is_dir_lookup) {
+    update_rop_constraint_result(result, rop_constraint, gadget_info->address);
+    goto exit;
+  }
+
+exit:
+  rz_pvector_fini(dep_allow_list);
+}
+
+static void rz_solver_direct_lookup(const RzCore *core,
+                                    const RzRopGadgetInfo *gadget_info,
+                                    const RzRopConstraint *rop_constraint,
+                                    const RzRopSolverResult *result) {
+  if (!rop_constraint) {
+    return;
+  }
+  switch (rop_constraint->type) {
+  case MOV_CONST:
+    return rz_solver_mov_const_direct_lookup(core, gadget_info, rop_constraint,
+                                             result);
+  case MOV_REG:
+    return rz_solver_mov_reg_direct_lookup(core, gadget_info, rop_constraint,
+                                           result);
+  default:
+    break;
+  }
 }
 
 static void mov_const(const RzCore *core, const RzRopGadgetInfo *gadget_info,
@@ -370,6 +414,28 @@ static void mov_const(const RzCore *core, const RzRopGadgetInfo *gadget_info,
   // Recipe : Search for dependencies and create a z3 state
 }
 
+static void mov_reg(const RzCore *core, const RzRopGadgetInfo *gadget_info,
+                    const RzRopConstraint *rop_constraint,
+                    const RopSolverCallbackParams *callback_params) {
+  // Assertions for mov_reg solver
+  rz_return_if_fail(gadget_info && rop_constraint);
+  rz_return_if_fail(rop_constraint->args[SRC_REG] &&
+                    rop_constraint->args[DST_REG]);
+  rz_return_if_fail(core && core->analysis && core->analysis->reg);
+
+  RzRopRegInfo *info = rz_core_rop_gadget_info_get_modified_register(
+      gadget_info, rop_constraint->args[DST_REG]);
+  if (!info) {
+    return;
+  }
+  // Direct lookup case
+  rz_solver_direct_lookup(core, gadget_info, rop_constraint,
+                          callback_params->result);
+  if (is_rop_solver_complete(callback_params->result)) {
+    return;
+  }
+}
+
 static void rop_gadget_info_constraint_find(
     const RzCore *core, const RzRopConstraint *rop_constraint,
     const RzRopGadgetInfo *gadget_info, const RopSolverCallbackParams *params) {
@@ -385,8 +451,6 @@ static void rop_gadget_info_constraint_find(
   default:
     break;
   }
-
-  return;
 }
 
 static bool rop_solver_cb(void *user, const ut64 k, const void *v) {
@@ -479,7 +543,11 @@ RZ_API void rz_rop_solver_result_free(RzRopSolverResult *result) {
  * \brief Prints the result of the ROP solver.
  * \param result The RzRopSolverResult object to print.
  */
-RZ_API void rz_rop_solver_result_print(const RzRopSolverResult *result) {
+RZ_API void
+rz_rop_solver_result_print(RZ_NULLABLE const RzRopSolverResult *result) {
+  if (!result) {
+    return;
+  }
   void **it;
   rz_pvector_foreach(result->gadget_info_addr_set, it) {
     const ut64 addr = (ut64)*it;

tests/test_rop_solver.c

@@ -3,6 +3,20 @@
 #include <rz_core.h>
 #include <rz_rop.h>
 
+// Only one gadget is added once for each test case.
+#define ROP_GADGET_MAX_SIZE 16
+
+static const char *x86_64_buf_str[] = {
+    // mov rbx, 1; ret;
+    "48C7C301000000C3",
+    // mov rbx, rax; ret;
+    "89c3c3"};
+
+static const char *x86_64_constraints_str[] = {
+    "rbx=1",
+    "rbx=rax",
+};
+
 static RzCoreAsmHit *setup_rop_hitasm(int addr, int len) {
   RzCoreAsmHit *hit = rz_core_asm_hit_new();
   if (!hit) {
@@ -13,21 +27,24 @@ static RzCoreAsmHit *setup_rop_hitasm(int addr, int len) {
   return hit;
 }
 
-static RzList *setup_rop_hitlist(RzCore *core, ut8 *buf_str, int addr,
-                                 int len) {
+static RzList /*<RzCoreAsmHit *>*/ *
+setup_rop_hitlist(RzCore *core, ut8 *buf_str, int addr, int len) {
   RzAnalysisOp aop = {0};
   rz_analysis_op_init(&aop);
   if (rz_analysis_op(core->analysis, &aop, addr + len - 1, buf_str + len - 1, 1,
                      RZ_ANALYSIS_OP_MASK_DISASM) < 0) {
     return NULL;
   }
+
   if (aop.type != RZ_ANALYSIS_OP_TYPE_RET) {
     return NULL;
   }
-  RzList *hitlist = rz_list_newf(rz_core_asm_hit_free);
+
+  RzList /*<RzCoreAsmHit *>*/ *hitlist = rz_list_newf(rz_core_asm_hit_free);
   if (!hitlist) {
     return NULL;
   }
+
   RzCoreAsmHit *hit = setup_rop_hitasm(addr, len - 1);
   if (!hit) {
     rz_list_free(hitlist);
@@ -43,36 +60,68 @@ static RzList *setup_rop_hitlist(RzCore *core, ut8 *buf_str, int addr,
   return hitlist;
 }
 
-bool test_rz_direct_solver() {
-  // mov rbx, 1; ret;
-  ut8 buf_str[] = "48C7C301000000C3";
-
+static RzCore *setup_rz_core(char *arch, int bits) {
   RzCore *core = rz_core_new();
+  if (!core) {
+    return NULL;
+  }
   rz_io_open_at(core->io, "malloc://0x100", RZ_PERM_RX, 0644, 0, NULL);
-  rz_core_set_asm_configs(core, "x86", 64, 0);
+  rz_core_set_asm_configs(core, arch, bits, 0);
   rz_config_set_b(core->config, "asm.lines", false);
-  ut8 buf[128] = {0};
-  int len = rz_hex_str2bin(buf_str, buf);
-  RzPVector *vec = rz_pvector_new((RzPVectorFree)rz_analysis_disasm_text_free);
-  mu_assert_notnull(vec, "rz_core_print_disasm vec not null");
-  int addr = 0;
-  rz_io_write_at(core->io, addr, buf, len);
-  RzList /*<RzCoreAsmHit *>*/ *hitlist =
-      setup_rop_hitlist(core, buf, addr, len);
-  if (!hitlist) {
+  return core;
+}
+
+static RzPVector *setup_rop_constraints(RzCore *core) {
+  RzPVector *constraints = rz_core_rop_constraint_new();
+  if (!constraints) {
     return NULL;
   }
+  int size = sizeof(x86_64_constraints_str) / sizeof(x86_64_constraints_str[0]);
+  for (int i = 0; i < size; i++) {
+    RzRopConstraint *rop_constraint =
+        rop_constraint_parse_args(core, x86_64_constraints_str[i]);
+    if (!rop_constraint) {
+      rz_pvector_fini(constraints);
+      return NULL;
+    }
+    rz_pvector_push(constraints, rop_constraint);
+  }
+  return constraints;
+}
+
+static void cleanup_test(RzCore *core, RzPVector *constraints,
+                         RzRopSolverResult *result) {
+  rz_pvector_fini(constraints);
+  rz_rop_solver_result_free(result);
+  rz_core_free(core);
+}
+
+bool test_rz_direct_solver() {
+  RzCore *core = setup_rz_core("x86", 64);
+  mu_assert_notnull(core, "setup_rz_core failed");
+  int size = sizeof(x86_64_buf_str) / sizeof(x86_64_buf_str[0]);
+  int addr = 0;
   RzRopSearchContext *context = rz_core_rop_search_context_new(
       core, NULL, false, RZ_ROP_GADGET_PRINT_DETAIL | RZ_ROP_GADGET_ANALYZE,
       NULL);
-  rz_core_handle_rop_request_type(core, context, hitlist);
-  RzPVector *constraints = rz_core_rop_constraint_map_new();
-  RzRopConstraint *rop_constraint = rop_constraint_parse_args(core, "rbx=1");
-  rz_pvector_push(constraints, rop_constraint);
-  mu_assert_notnull(rop_constraint, "rop_constraint_parse_args failed");
+  mu_assert_notnull(context, "rz_core_rop_search_context_new failed");
+  for (int i = 0; i < size; i++) {
+    ut8 buf[ROP_GADGET_MAX_SIZE] = {0};
+    int len = rz_hex_str2bin(x86_64_buf_str[i], buf);
+    rz_io_write_at(core->io, addr, buf, len);
+    RzList /*<RzCoreAsmHit *>*/ *hitlist =
+        setup_rop_hitlist(core, buf, addr, len);
+    mu_assert_notnull(hitlist, "setup_rop_hitlist failed");
+    rz_core_handle_rop_request_type(core, context, hitlist);
+    addr += len + 1;
+    rz_list_free(hitlist);
+  }
+
+  RzPVector *constraints = setup_rop_constraints(core);
+  mu_assert_notnull(constraints, "rop_constraint_parse_args failed");
   RzRopSolverResult *result = rz_rop_solver(core, constraints);
   mu_assert_true(result->is_solved, "rz_rop_solver failed");
-  rz_pvector_fini(constraints);
+  cleanup_test(core, constraints, result);
   mu_end;
 }