Fix more SyntaxWarnings in Python 3.13 #212
SweetVishnya merged 5 commits into JonathanSalwan:master from
Conversation
Unfortunately, this PR changes behaviour, as CI shows that fewer gadgets are found ending with

```python
>>> opcode = b"\x20\x00\x3f\xd6"
>>> [m.start() for m in re.finditer(b"[\x00\x20\x40\x60\x80\xa0\xc0\xe0]{1}[\x00-\x03]{1}\?\xd6", opcode)]
<stdin>:1: SyntaxWarning: invalid escape sequence '\?'
[0]
>>> [m.start() for m in re.finditer(b"[\x00\x20\x40\x60\x80\xa0\xc0\xe0]{1}[\x00-\x03]{1}\x3f\xd6", opcode)]
[]
```

What about using

```python
>>> [m.start() for m in re.finditer(rb"[\x00\x20\x40\x60\x80\xa0\xc0\xe0]{1}[\x00-\x03]{1}\?\xd6", opcode)]
[0]
```
Good idea. I added the

The tests still fail, but now we're finding more gadgets!

Some newly found 'gadgets' are actually not real gadgets, e.g.,
I'm trying to figure out why

The first "gadget" does not end with a jump/ret instruction, so it should not be printed. The second one is fine. The problem is that this regex has

```python
for i in range(self.__options.depth):
    start = ref - (i * gad_align)
    if (sec_vaddr + start) % gad_align == 0:  # always True for gad_align == 1
```

I don't know how to fix this: We would need to set
It seems strange to me that gadgets are specified as

@Ordoviz, can you try aligning with 2-byte boundaries as @nurmukhametov suggested?

This does not help. The "bad gadget" is 2 bytes before the good gadget, so it will be found when

Then can you try adding pass clean as you proposed earlier?

I finally found a good way to filter out the bad RISC-V gadgets. See the commit messages for details. This is ready to merge now.

The CI fails because it uses Python 2 where

Yeah, we're still willing to support python2 as far as possible
Defer parsing of backslash escapes to the regex engine. Previously, some hex-escaped bytes were parsed as regex metacharacters, e.g. "[\x41\x2d\x48]" is the range expression "[A-H]".

This filters out gadgets like "andi sp, sp, -0x10", which do not
perform a jump, but whose last two bytes ("01ff" in this case) are
a compressed jump instruction ("c.bnez a4, -0xe8" in this case).
We perform this filtering only on RISC-V because it leads to missed
gadgets in x86, where prefixes can be added to an instruction that change
its size but not its behavior. MIPS is especially problematic because we
set gad_size = 8 in order to display the next instruction in the branch
delay slot. On other architectures this filter makes no difference on
the test suite.
You cannot jump to misaligned instructions. Try it yourself:

```
$ pwn asm --debug --context riscv64 'lui ra, 0x11; addi ra, ra, 0xf1; ret; .byte 0; nop; nop;'
──────────────────────[ DISASM / rv64 / set emulate on ]──────────────────────
   0x110e8 c.lui ra, 0x11          RA => 0x11000
   0x110ea addi ra, ra, 0xf1       RA => 0x110f1 (0x11000 + 0xf1)
 ► 0x110ee c.jr ra                 <0x110f1>
    ↓
   0x110f1 c.nop
   0x110f3 c.nop
```

After a single step in pwndbg the jump target was rounded down to 0x110f0
and the disassembly changed:

```
──────────────────────[ DISASM / rv64 / set emulate on ]──────────────────────
 ► 0x110f0 c.addi4spn s0, sp, 0x80
   0x110f2 c.addi4spn s0, sp, 0x80
```
It turns out that Python2 supports

Thank you! Give me a week to review the changes.
SweetVishnya
left a comment
Yeah, thank you very much for the fix, I'll merge it
Following #209, this fixes two runtime warnings: `SyntaxWarning: invalid escape sequence '\?'`, and `SyntaxWarning: invalid escape sequence '\['`. You can see that escaping `?` was indeed intentional by considering that the arm instruction `blr reg` is 32-bit wide and follows this format. I replaced `\?` with `\x3f` because `chr(0x3f) == '?'`.