2009-07-07 23:36:36 +03:00
|
|
|
/*
|
|
|
|
|
* Load, verify and execute ClamAV bytecode.
|
|
|
|
|
*
|
2025-02-14 10:24:30 -05:00
|
|
|
* Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2019-01-25 10:15:50 -05:00
|
|
|
* Copyright (C) 2009-2013 Sourcefire, Inc.
|
2009-07-07 23:36:36 +03:00
|
|
|
*
|
|
|
|
|
* Authors: Török Edvin
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef BYTECODE_PRIV_H
|
|
|
|
|
#define BYTECODE_PRIV_H
|
2009-07-31 15:28:36 +03:00
|
|
|
|
2010-03-20 21:18:54 +02:00
|
|
|
#include <zlib.h>
|
2009-12-09 16:50:55 +02:00
|
|
|
#include "bytecode.h"
|
2009-07-31 15:28:36 +03:00
|
|
|
#include "type_desc.h"
|
2009-09-30 13:41:02 +03:00
|
|
|
#include "execs.h"
|
|
|
|
|
#include "bytecode_hooks.h"
|
2009-12-03 11:37:38 +02:00
|
|
|
#include "fmap.h"
|
2010-01-20 20:04:01 +02:00
|
|
|
#include "mpool.h"
|
2010-03-21 15:10:49 +02:00
|
|
|
#include "hashtab.h"
|
2010-10-18 10:30:20 +03:00
|
|
|
#include "events.h"
|
2009-12-03 11:25:24 +02:00
|
|
|
|
2009-07-07 23:36:36 +03:00
|
|
|
typedef uint32_t operand_t;
|
|
|
|
|
typedef uint16_t bbid_t;
|
|
|
|
|
typedef uint16_t funcid_t;
|
|
|
|
|
|
|
|
|
|
struct cli_bc_callop {
|
2018-12-03 12:40:13 -05:00
|
|
|
operand_t *ops;
|
|
|
|
|
uint16_t *opsizes;
|
2009-07-07 23:36:36 +03:00
|
|
|
funcid_t funcid;
|
2010-06-09 13:42:47 +03:00
|
|
|
uint8_t numOps;
|
2009-07-07 23:36:36 +03:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct branch {
|
|
|
|
|
operand_t condition;
|
|
|
|
|
bbid_t br_true;
|
|
|
|
|
bbid_t br_false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct cli_bc_cast {
|
|
|
|
|
uint64_t mask;
|
2009-07-20 16:34:32 +03:00
|
|
|
operand_t source;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint8_t size; /* 0: 1-bit, 1: 8b, 2: 16b, 3: 32b, 4: 64b */
|
2009-07-07 23:36:36 +03:00
|
|
|
};
|
2009-07-20 16:34:32 +03:00
|
|
|
|
|
|
|
|
typedef uint8_t interp_op_t;
|
2009-07-07 23:36:36 +03:00
|
|
|
struct cli_bc_inst {
|
|
|
|
|
enum bc_opcode opcode;
|
|
|
|
|
uint16_t type;
|
2009-07-08 12:45:06 +03:00
|
|
|
operand_t dest;
|
2018-12-03 12:40:13 -05:00
|
|
|
interp_op_t interp_op; /* opcode for interpreter */
|
2009-07-07 23:36:36 +03:00
|
|
|
union {
|
2014-01-16 17:57:21 -05:00
|
|
|
operand_t unaryop;
|
|
|
|
|
struct cli_bc_cast cast;
|
|
|
|
|
operand_t binop[2];
|
|
|
|
|
operand_t three[3];
|
|
|
|
|
struct cli_bc_callop ops;
|
|
|
|
|
struct branch branch;
|
|
|
|
|
bbid_t jump;
|
2009-07-07 23:36:36 +03:00
|
|
|
} u;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct cli_bc_bb {
|
|
|
|
|
unsigned numInsts;
|
|
|
|
|
struct cli_bc_inst *insts;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct cli_bc_func {
|
|
|
|
|
uint8_t numArgs;
|
|
|
|
|
uint16_t numLocals;
|
|
|
|
|
uint32_t numInsts;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t numValues; /* without constants */
|
2009-07-07 23:36:36 +03:00
|
|
|
uint32_t numConstants;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t numBytes; /* stack size */
|
2009-07-07 23:36:36 +03:00
|
|
|
uint16_t numBB;
|
2009-08-27 18:12:39 +03:00
|
|
|
uint16_t returnType;
|
2009-07-07 23:36:36 +03:00
|
|
|
uint16_t *types;
|
|
|
|
|
uint32_t insn_idx;
|
|
|
|
|
struct cli_bc_bb *BB;
|
|
|
|
|
struct cli_bc_inst *allinsts;
|
2009-07-23 17:33:11 +03:00
|
|
|
uint64_t *constants;
|
2009-11-30 15:22:20 +02:00
|
|
|
unsigned *dbgnodes;
|
2009-07-07 23:36:36 +03:00
|
|
|
};
|
2009-11-30 15:22:20 +02:00
|
|
|
|
|
|
|
|
struct cli_bc_dbgnode_element {
|
|
|
|
|
unsigned nodeid;
|
|
|
|
|
unsigned len;
|
2010-06-09 13:42:47 +03:00
|
|
|
char *string;
|
2009-11-30 15:22:20 +02:00
|
|
|
uint64_t constant;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct cli_bc_dbgnode {
|
|
|
|
|
unsigned numelements;
|
2018-12-03 12:40:13 -05:00
|
|
|
struct cli_bc_dbgnode_element *elements;
|
2009-11-30 15:22:20 +02:00
|
|
|
};
|
|
|
|
|
|
2009-07-23 17:33:11 +03:00
|
|
|
#define MAX_OP ~0u
|
2009-12-09 16:50:55 +02:00
|
|
|
enum trace_level {
|
2018-12-03 12:40:13 -05:00
|
|
|
trace_none = 0,
|
2009-12-09 16:50:55 +02:00
|
|
|
trace_func,
|
|
|
|
|
trace_param,
|
|
|
|
|
trace_scope,
|
|
|
|
|
trace_line,
|
|
|
|
|
trace_col,
|
|
|
|
|
trace_op,
|
|
|
|
|
trace_val
|
|
|
|
|
};
|
2010-03-21 12:56:05 +02:00
|
|
|
|
|
|
|
|
struct bc_buffer {
|
|
|
|
|
unsigned char *data;
|
|
|
|
|
unsigned size;
|
|
|
|
|
unsigned write_cursor;
|
|
|
|
|
unsigned read_cursor;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct bc_inflate {
|
|
|
|
|
z_stream stream;
|
|
|
|
|
int32_t from;
|
|
|
|
|
int32_t to;
|
2018-12-03 12:40:13 -05:00
|
|
|
int8_t needSync;
|
2010-03-21 12:56:05 +02:00
|
|
|
};
|
|
|
|
|
|
2010-03-31 10:53:11 +03:00
|
|
|
struct bc_jsnorm {
|
|
|
|
|
struct parser_state *state;
|
|
|
|
|
int32_t from;
|
|
|
|
|
};
|
|
|
|
|
|
2010-10-18 10:30:20 +03:00
|
|
|
enum bc_events {
|
|
|
|
|
BCEV_VIRUSNAME,
|
|
|
|
|
BCEV_EXEC_RETURNVALUE,
|
|
|
|
|
BCEV_WRITE,
|
|
|
|
|
BCEV_OFFSET,
|
|
|
|
|
BCEV_READ,
|
|
|
|
|
BCEV_DBG_STR,
|
|
|
|
|
BCEV_DBG_INT,
|
|
|
|
|
BCEV_MEM_1,
|
|
|
|
|
BCEV_MEM_2,
|
|
|
|
|
BCEV_FIND,
|
|
|
|
|
BCEV_EXTRACTED,
|
|
|
|
|
BCEV_EXEC_TIME,
|
|
|
|
|
/* API failures (that are not serious), count must be 0 for testmode */
|
|
|
|
|
BCEV_API_WARN_BEGIN,
|
|
|
|
|
BCEV_READ_ERR,
|
|
|
|
|
BCEV_DISASM_FAIL,
|
|
|
|
|
BCEV_API_WARN_END,
|
|
|
|
|
/* real errors (write failure) are reported via cli_event_error_str */
|
|
|
|
|
BCEV_LASTEVENT
|
|
|
|
|
};
|
|
|
|
|
|
2009-07-07 23:36:36 +03:00
|
|
|
struct cli_bc_ctx {
|
2018-12-03 12:40:13 -05:00
|
|
|
uint8_t timeout; /* must be first byte in struct! */
|
2010-06-09 13:42:47 +03:00
|
|
|
uint16_t funcid;
|
|
|
|
|
unsigned numParams;
|
2009-07-07 23:36:36 +03:00
|
|
|
/* id and params of toplevel function called */
|
2009-07-10 16:11:54 +03:00
|
|
|
const struct cli_bc *bc;
|
|
|
|
|
const struct cli_bc_func *func;
|
2010-03-22 17:16:07 +02:00
|
|
|
uint32_t bytecode_timeout;
|
2009-07-23 17:33:11 +03:00
|
|
|
unsigned bytes;
|
|
|
|
|
uint16_t *opsizes;
|
|
|
|
|
char *values;
|
2009-07-07 23:36:36 +03:00
|
|
|
operand_t *operands;
|
2010-01-18 19:31:59 +02:00
|
|
|
uint32_t file_size;
|
2010-06-09 13:42:47 +03:00
|
|
|
int outfd;
|
2009-09-04 17:29:13 +03:00
|
|
|
off_t off;
|
2009-12-03 11:37:38 +02:00
|
|
|
fmap_t *fmap;
|
2010-05-12 18:26:02 +03:00
|
|
|
fmap_t *save_map;
|
2009-09-22 11:03:17 +03:00
|
|
|
const char *virname;
|
2009-09-30 13:41:02 +03:00
|
|
|
struct cli_bc_hooks hooks;
|
2010-08-02 17:04:35 +03:00
|
|
|
struct cli_exe_info exeinfo;
|
2010-08-02 23:06:33 +03:00
|
|
|
uint32_t lsigcnt[64];
|
|
|
|
|
uint32_t lsigoff[64];
|
2010-08-02 15:42:58 +03:00
|
|
|
uint32_t pdf_nobjs;
|
2018-08-14 14:00:31 -07:00
|
|
|
struct pdf_obj **pdf_objs;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t *pdf_flags;
|
2010-08-02 15:42:58 +03:00
|
|
|
uint32_t pdf_size;
|
|
|
|
|
uint32_t pdf_startoff;
|
|
|
|
|
unsigned pdf_phase;
|
|
|
|
|
int32_t pdf_dumpedid;
|
2010-02-12 16:47:44 +02:00
|
|
|
const struct cli_exe_section *sections;
|
2010-08-02 21:50:14 +03:00
|
|
|
uint32_t resaddr;
|
2009-12-02 17:13:07 +02:00
|
|
|
char *tempfile;
|
|
|
|
|
void *ctx;
|
|
|
|
|
unsigned written;
|
2010-03-19 15:47:26 +02:00
|
|
|
unsigned filewritten;
|
|
|
|
|
unsigned found;
|
2010-06-09 13:42:47 +03:00
|
|
|
unsigned ninflates;
|
2020-04-29 09:26:07 -07:00
|
|
|
unsigned nlzmas;
|
|
|
|
|
unsigned nbzip2s;
|
2009-12-09 16:50:55 +02:00
|
|
|
bc_dbg_callback_trace trace;
|
|
|
|
|
bc_dbg_callback_trace_op trace_op;
|
|
|
|
|
bc_dbg_callback_trace_val trace_val;
|
2009-12-17 17:40:35 +02:00
|
|
|
bc_dbg_callback_trace_ptr trace_ptr;
|
2009-12-09 16:50:55 +02:00
|
|
|
const char *directory;
|
|
|
|
|
const char *file;
|
2009-12-08 23:02:49 +02:00
|
|
|
const char *scope;
|
2010-06-09 13:42:47 +03:00
|
|
|
unsigned trace_level;
|
2009-12-08 23:02:49 +02:00
|
|
|
uint32_t scopeid;
|
2009-12-09 16:50:55 +02:00
|
|
|
unsigned line;
|
|
|
|
|
unsigned col;
|
2010-01-20 20:04:01 +02:00
|
|
|
mpool_t *mpool;
|
2018-12-03 12:40:13 -05:00
|
|
|
struct bc_inflate *inflates;
|
2020-04-29 09:26:07 -07:00
|
|
|
struct bc_lzma *lzmas;
|
|
|
|
|
struct bc_bzip2 *bzip2s;
|
2010-03-21 12:56:05 +02:00
|
|
|
struct bc_buffer *buffers;
|
|
|
|
|
unsigned nbuffers;
|
2010-03-21 15:10:49 +02:00
|
|
|
unsigned nhashsets;
|
2010-03-31 10:53:11 +03:00
|
|
|
unsigned njsnorms;
|
|
|
|
|
unsigned jsnormwritten;
|
2010-06-09 13:42:47 +03:00
|
|
|
struct cli_hashset *hashsets;
|
2018-12-03 12:40:13 -05:00
|
|
|
struct bc_jsnorm *jsnorms;
|
2010-06-09 13:42:47 +03:00
|
|
|
char *jsnormdir;
|
2010-05-12 18:26:02 +03:00
|
|
|
struct cli_map *maps;
|
|
|
|
|
unsigned nmaps;
|
|
|
|
|
unsigned containertype;
|
|
|
|
|
unsigned extracted_file_input;
|
Introduce BC_STARTUP bytecode (bb #2101, #2078).
This bytecode will be run in interpreter mode on startup:
it can disable the JIT, or disable all further bytecodes.
There will be a builtin copy of it that is loaded if
no BC_STARTUP bytecodes were loaded (like filetypes_int.h and daily.ftm).
Only one BC_STARTUP bytecode is accepted, so as soon as bytecode.cvd will
contain one, it won't be overridable!
This bytecode will replace all the JIT checks (CPU, selinux, pax) etc.,
and allows to disable the JIT on just specific OS/arch/compiler/etc.
combinations. There are too many combinations to have a dconf flag for each.
Also fix the bytecode dconf so that the individual JIT_* flags actually work
(previously we could disable the entire JIT, or none at all).
Also introduce preliminary support for bytecode test mode (we already have
auto, jit and interpreter mode, introducing another mode here is easiest).
The test mode doesn't actually compare the outputs yet, but it does fail if
the JIT is disabled / falls back to interpreter.
2010-07-29 13:32:15 +03:00
|
|
|
const struct cli_environment *env;
|
|
|
|
|
unsigned bytecode_disable_status;
|
2010-10-18 10:30:20 +03:00
|
|
|
cli_events_t *bc_events;
|
2010-10-18 12:31:18 +03:00
|
|
|
int on_jit;
|
|
|
|
|
int no_diff;
|
2014-06-03 11:19:01 -04:00
|
|
|
void **jsonobjs;
|
2014-05-06 13:43:02 -04:00
|
|
|
unsigned njsonobjs;
|
2009-07-07 23:36:36 +03:00
|
|
|
};
|
2009-08-25 18:54:14 +03:00
|
|
|
struct cli_all_bc;
|
2022-08-17 06:48:36 -07:00
|
|
|
cl_error_t cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct cli_bc_func *func, const struct cli_bc_inst *inst);
|
2009-08-25 18:54:14 +03:00
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
extern "C" {
|
|
|
|
|
#endif
|
|
|
|
|
|
2022-08-17 06:48:36 -07:00
|
|
|
cl_error_t cli_vm_execute_jit(const struct cli_all_bc *bcs, struct cli_bc_ctx *ctx, const struct cli_bc_func *func);
|
|
|
|
|
cl_error_t cli_bytecode_prepare_jit(struct cli_all_bc *bc);
|
|
|
|
|
cl_error_t cli_bytecode_init_jit(struct cli_all_bc *bc, unsigned dconfmask);
|
|
|
|
|
cl_error_t cli_bytecode_done_jit(struct cli_all_bc *bc, int partial);
|
2009-08-25 18:54:14 +03:00
|
|
|
|
|
|
|
|
#ifdef __cplusplus
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2009-07-07 23:36:36 +03:00
|
|
|
#endif
|