├── LICENSE
├── README.md
├── TODO.md
├── __init__.py
├── libdlmalloc_26x.py
├── libdlmalloc_28x.py
├── libdlmalloc_gdb.py
└── setup.py


/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2017, NCC Group
 2 | All rights reserved.
 3 | 
 4 | Redistribution and use in source and binary forms, with or without modification,
 5 | are permitted provided that the following conditions are met:
 6 | 
 7 | * Redistributions of source code must retain the above copyright notice, this
 8 |   list of conditions and the following disclaimer.
 9 | 
10 | * Redistributions in binary form must reproduce the above copyright notice, this
11 |   list of conditions and the following disclaimer in the documentation and/or
12 |   other materials provided with the distribution.
13 | 
14 | * Neither the name of the {organization} nor the names of its
15 |   contributors may be used to endorse or promote products derived from
16 |   this software without specific prior written permission.
17 | 
18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
19 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
22 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
27 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # libdlmalloc
  2 | 
  3 | **libdlmalloc** is a python script designed for use with GDB that can be used to
  4 | analyse the Doug Lea's allocator, aka dlmalloc. It currently supports dlmalloc
  5 | 2.8.x versions. Note that some parts can also be used independently GDB, for
  6 | instance to do offline analysis of some snapshotted heap memory.
  7 | 
  8 | libdlmalloc was inspired by other gdb python scripts for analyzing heaps like
  9 | [libtalloc](https://github.com/nccgroup/libtalloc),
 10 | [unmask_jemalloc](https://github.com/argp/unmask_jemalloc) and
 11 | [libheap](https://github.com/cloudburst/libheap). Some basic functionality is
 12 | almost identical to these projects.
 13 | 
 14 | ## Supported versions
 15 | 
 16 | libdlmalloc has been tested predominately on 32-bit and 64-bit Cisco ASA
 17 | devices which use dlmalloc 2.8.3. It should work with other 2.8.x versions,
 18 | however due to significant differences it will not work on earlier releases,
 19 | such as <= 2.7.x.
 20 | 
 21 | If you successfully test libdlmalloc on some specific 2.8.x release or some
 22 | specific device, please let the authors know and we will update the documents.
 23 | 
 24 | ## Installation 
 25 | 
 26 | The script just requires a relatively modern version of GDB with python3
 27 | support. We have primarily tested on python3, so we expect it will break on
 28 | python2.7 atm.
 29 | 
 30 | If you want to use the gdb commands you can use:
 31 | 
 32 | ```
 33 |     (gdb) source libdlmalloc_28x.py
 34 | ```
 35 | 
 36 | A bunch of the core logic is broken out into the `dl_helper` class, which allows
 37 | you to directly import libdlmalloc and access certain important structures
 38 | outside of a GDB session. This is useful if you want to analyze offline
 39 | chunk/heap snapshots.
 40 | 
 41 | # Usage
 42 | 
 43 | Most of the functionality is modelled after the approach in unmask_jemalloc and
 44 | libtalloc where a separate GDB command is provided. Though we do also use a
 45 | fair number of switches.
 46 | 
 47 | To see a full list of currently supported commands you can use the `dlhelp`
 48 | command:
 49 | 
 50 | ## dlhelp
 51 | 
 52 | This is the main function to view the available commands. Each of the commands
 53 | supports the `-h` option which allows you to obtain more detailed usage
 54 | instructions.
 55 | 
 56 | ```
 57 | (gdb) dlhelp
 58 | [libdlmalloc] dlmalloc commands for gdb
 59 | [libdlmalloc] dlchunk    : show one or more chunks metadata and contents
 60 | [libdlmalloc] dlmstate   : print mstate structure information. caches address after first use
 61 | [libdlmalloc] dlcallback : register a callback or query/modify callback status
 62 | [libdlmalloc] dlhelp     : this help message
 63 | [libdlmalloc] NOTE: Pass -h to any of these commands for more extensive usage. Eg: dlchunk -h
 64 | ```
 65 | 
 66 | ## Chunk analysis
 67 | 
 68 | `dlchunk` can provide you with a summary of a chunk, or more verbose
 69 | information of every field. You can also use it to list information about
 70 | multiple chunks, search chunks, etc. Usage for dlchunk can be seen below:
 71 | 
 72 | ```
 73 | (gdb) dlchunk -h
 74 | [libdlmalloc] usage: dlchunk [-v] [-f] [-x] [-c <count>] <addr>
 75 | [libdlmalloc]  <addr>  a dlmalloc chunk header
 76 | [libdlmalloc]  -v      use verbose output (multiples for more verbosity)
 77 | [libdlmalloc]  -f      use <addr> explicitly, rather than be smart
 78 | [libdlmalloc]  -x      hexdump the chunk contents
 79 | [libdlmalloc]  -m      max bytes to dump with -x
 80 | [libdlmalloc]  -c      number of chunks to print
 81 | [libdlmalloc]  -s      search pattern when print chunks
 82 | [libdlmalloc]  --depth depth to search inside chunk
 83 | [libdlmalloc]  -d      debug and force printing stuff
 84 | [libdlmalloc] Flag legend: C=CINUSE, P=PINUSE
 85 | ```
 86 | 
 87 | Basic output looks like this:
 88 | 
 89 | ```
 90 | (gdb) dlchunk 0xacff59d0
 91 | 0xacff59d0 M sz:0x000f8 fl:CP
 92 | ```
 93 | 
 94 | As you can see you want to give it the address of the actual dlmalloc metadata
 95 | itself. To get more verbose output you can use `-v`.
 96 | 
 97 | ```
 98 | (gdb) dlchunk -v 0xacff59d0
 99 | struct malloc_chunk @ 0xacff59d0 {
100 | prev_foot   = 0x8140d4d0
101 | size        = 0xf8 (CINUSE|PINUSE)
102 | ```
103 | 
104 | You can also list multiple adjacent chunks by using the `-c <count>` switch.
105 | 
106 | ```
107 | (gdb) dlchunk -c 2 0xacff59d0
108 | 0xacff59d0 M sz:0x000f8 fl:CP
109 | 0xacff5ac8 M sz:0x00270 fl:CP
110 | (gdb) dlchunk -v -c 2 0xacff59d0
111 | struct malloc_chunk @ 0xacff59d0 {
112 | prev_foot   = 0x8140d4d0
113 | size        = 0xf8 (CINUSE|PINUSE)
114 | --
115 | struct malloc_chunk @ 0xacff5ac8 {
116 | prev_foot   = 0x8140d4d0
117 | size        = 0x270 (CINUSE|PINUSE)
118 | ```
119 | 
120 | You can dump the hex contents of a chunk with `-x` and control how many bytes
121 | you want to dump with `-m`.
122 | 
123 | 
124 | ```
125 | (gdb) dlchunk -v -x -m 16 -c 2 0xacff59d0
126 | struct malloc_chunk @ 0xacff59d0 {
127 | prev_foot   = 0x8140d4d0
128 | size        = 0xf8 (CINUSE|PINUSE)
129 | 0x10 bytes of chunk data:
130 | 0xacff59d8:	0xa11c0123	0x000000cc	0x00000000	0x00000000
131 | --
132 | struct malloc_chunk @ 0xacff5ac8 {
133 | prev_foot   = 0x8140d4d0
134 | size        = 0x270 (CINUSE|PINUSE)
135 | 0x10 bytes of chunk data:
136 | 0xacff5ad0:	0xa11c0123	0x00000244	0x00000000	0x00000000
137 | ```
138 | 
139 | You can also search inside the chunks. Let's search 2 chunks for the value
140 | `0x00000244`, which we see above is only in the second chunk.
141 | 
142 | ```
143 | (gdb) dlchunk -s 0x00000244 -c 2 0xacff59d0
144 | 0xacff59d0 M sz:0x000f8 fl:CP [NO MATCH]
145 | 0xacff5ac8 M sz:0x00270 fl:CP [MATCH]
146 | ```
147 | 
148 | All matches inside the number of chunks searched will be shown. Let's search
149 | for `0xa11c01123` which we saw above is present in both chunks:
150 | 
151 | ```
152 | (gdb) dlchunk -s 0xa11c0123 -c 2 0xacff59d0
153 | 0xacff59d0 M sz:0x000f8 fl:CP [MATCH]
154 | 0xacff5ac8 M sz:0x00270 fl:CP [MATCH]
155 | ```
156 | 
157 | ## dlmstate
158 | 
159 | The dlmstate command can be used for analyzing the `mstate` structure used to
160 | manage a discrete dlmalloc heap (aka mspace if compiled with `MSPACES`). You
161 | can see the usage of the command with the `-h` switch.
162 | 
163 | 
164 | ```
165 | (gdb) dlmstate -h
166 | [libdlmalloc] usage: dlmstate [-v] [-f] [-x] [-c <count>] <addr>
167 | [libdlmalloc]  <addr>  a mstate struct addr. Optional if mstate cached
168 | [libdlmalloc]  -v      use verbose output (multiples for more verbosity)
169 | [libdlmalloc]  -c      print bin counts
170 | [libdlmalloc]  --depth how deep to count each bin (default 10)
171 | [libdlmalloc]  NOTE: Last defined mstate will be cached for future use
172 | ```
173 | 
174 | If you know the address holding the mstate, which is usually the first chunk
175 | inside of the first malloc asegment, you can pass it to dlmstate:
176 | 
177 | ```
178 | (gdb) dlmstate 0xa8400008
179 | struct dl_mstate @ 0xa8400008 {
180 | smallmap    = 0b000000000000010000011111111100
181 | treemap     = 0b000000000000000000000000000111
182 | dvsize      = 0x0
183 | topsize     = 0x2ebdf040
184 | least_addr  = 0xa8400000
185 | dv          = 0x0
186 | top         = 0xad020f90
187 | trim_check  = 0x200000
188 | magic       = 0x2900d4d8
189 | smallbin[00] (sz 0x0)   = 0xa840002c, 0xa840002c [EMPTY]
190 | smallbin[01] (sz 0x8)   = 0xa8400034, 0xa8400034 [EMPTY]
191 | smallbin[02] (sz 0x10)  = 0xacbf7ad0, 0xa88647f0
192 | smallbin[03] (sz 0x18)  = 0xa95059b8, 0xa9689a20
193 | smallbin[04] (sz 0x20)  = 0xac79a028, 0xa87206f8
194 | smallbin[05] (sz 0x28)  = 0xacff0120, 0xa948a0f8
195 | smallbin[06] (sz 0x30)  = 0xac4e4af8, 0xacb56878
196 | smallbin[07] (sz 0x38)  = 0xacfe3880, 0xacfe0df0
197 | smallbin[08] (sz 0x40)  = 0xa9509b28, 0xa9509b28
198 | smallbin[09] (sz 0x48)  = 0xa8a1dc80, 0xa8a1dc80
199 | smallbin[10] (sz 0x50)  = 0xac782cb0, 0xac782cb0
200 | smallbin[11] (sz 0x58)  = 0xacbf7a88, 0xacbf7a88 [EMPTY]
201 | smallbin[12] (sz 0x60)  = 0xac782c00, 0xac782c00 [EMPTY]
202 | smallbin[13] (sz 0x68)  = 0xacbf7a78, 0xacbf7a78 [EMPTY]
203 | smallbin[14] (sz 0x70)  = 0xa89b9650, 0xa89b9650 [EMPTY]
204 | smallbin[15] (sz 0x78)  = 0xac789828, 0xac789828 [EMPTY]
205 | smallbin[16] (sz 0x80)  = 0xa89b9738, 0xa94af740
206 | smallbin[17] (sz 0x88)  = 0xac4e5700, 0xac4e5700 [EMPTY]
207 | smallbin[18] (sz 0x90)  = 0xac788030, 0xac788030 [EMPTY]
208 | smallbin[19] (sz 0x98)  = 0xac782bc8, 0xac782bc8 [EMPTY]
209 | smallbin[20] (sz 0xa0)  = 0xa89b9718, 0xa89b9718 [EMPTY]
210 | smallbin[21] (sz 0xa8)  = 0xa8a1dc20, 0xa8a1dc20 [EMPTY]
211 | smallbin[22] (sz 0xb0)  = 0xac782af8, 0xac782af8 [EMPTY]
212 | smallbin[23] (sz 0xb8)  = 0xac789ed0, 0xac789ed0 [EMPTY]
213 | smallbin[24] (sz 0xc0)  = 0xacbf7a20, 0xacbf7a20 [EMPTY]
214 | smallbin[25] (sz 0xc8)  = 0xac789940, 0xac789940 [EMPTY]
215 | smallbin[26] (sz 0xd0)  = 0xac789eb8, 0xac789eb8 [EMPTY]
216 | smallbin[27] (sz 0xd8)  = 0xa94af6e8, 0xa94af6e8 [EMPTY]
217 | smallbin[28] (sz 0xe0)  = 0xacbf78e8, 0xacbf78e8 [EMPTY]
218 | smallbin[29] (sz 0xe8)  = 0xac4e4e68, 0xac4e4e68 [EMPTY]
219 | smallbin[30] (sz 0xf0)  = 0xac4e5780, 0xac4e5780 [EMPTY]
220 | smallbin[31] (sz 0xf8)  = 0xac7880b0, 0xac7880b0 [EMPTY]
221 | treebin[00] (sz 0x180)      = 0xac783cb0
222 | treebin[01] (sz 0x200)      = 0xac789dc0
223 | treebin[02] (sz 0x300)      = 0xa883db48
224 | treebin[03] (sz 0x400)      =        0x0 [EMPTY]
225 | treebin[04] (sz 0x600)      =        0x0 [EMPTY]
226 | treebin[05] (sz 0x800)      =        0x0 [EMPTY]
227 | treebin[06] (sz 0xc00)      =        0x0 [EMPTY]
228 | treebin[07] (sz 0x1000)     =        0x0 [EMPTY]
229 | treebin[08] (sz 0x1800)     =        0x0 [EMPTY]
230 | treebin[09] (sz 0x2000)     =        0x0 [EMPTY]
231 | treebin[10] (sz 0x3000)     =        0x0 [EMPTY]
232 | treebin[11] (sz 0x4000)     =        0x0 [EMPTY]
233 | treebin[12] (sz 0x6000)     =        0x0 [EMPTY]
234 | treebin[13] (sz 0x8000)     =        0x0 [EMPTY]
235 | treebin[14] (sz 0xc000)     =        0x0 [EMPTY]
236 | treebin[15] (sz 0x10000)    =        0x0 [EMPTY]
237 | treebin[16] (sz 0x18000)    =        0x0 [EMPTY]
238 | treebin[17] (sz 0x20000)    =        0x0 [EMPTY]
239 | treebin[18] (sz 0x30000)    =        0x0 [EMPTY]
240 | treebin[19] (sz 0x40000)    =        0x0 [EMPTY]
241 | treebin[20] (sz 0x60000)    =        0x0 [EMPTY]
242 | treebin[21] (sz 0x80000)    =        0x0 [EMPTY]
243 | treebin[22] (sz 0xc0000)    =        0x0 [EMPTY]
244 | treebin[23] (sz 0x100000)   =        0x0 [EMPTY]
245 | treebin[24] (sz 0x180000)   =        0x0 [EMPTY]
246 | treebin[25] (sz 0x200000)   =        0x0 [EMPTY]
247 | treebin[26] (sz 0x300000)   =        0x0 [EMPTY]
248 | treebin[27] (sz 0x400000)   =        0x0 [EMPTY]
249 | treebin[28] (sz 0x600000)   =        0x0 [EMPTY]
250 | treebin[29] (sz 0x800000)   =        0x0 [EMPTY]
251 | treebin[30] (sz 0xc00000)   =        0x0 [EMPTY]
252 | treebin[31] (sz 0xffffffff) =        0x0 [EMPTY]
253 | footprint   = 0x33800000
254 | max_footprint = 0x33800000
255 | mflags      = 0x7
256 | mutex       = 0x0,0x0,0x0,0x0,0xa8400000,
257 | seg = struct malloc_segment @ 0xa84001d4 {
258 | base        = 0xa8400000
259 | size        = 0x33800000
260 | next        = 0x0
261 | sflags      = 0x8
262 | ```
263 | 
264 | To speed up output on slower devices we cache the last mstate data that we
265 | read. So if you just run dlmstate again, you will see the previously dumped
266 | output (which of course could be stale).
267 | 
268 | ```
269 | (gdb) dlmstate
270 | [libdlmalloc] Using cached mstate
271 | struct dl_mstate @ 0xa8400008 {
272 | smallmap    = 0b000000000000010000011111111100
273 | treemap     = 0b000000000000000000000000000111
274 | dvsize      = 0x0
275 | topsize     = 0x2ebdf040
276 | least_addr  = 0xa8400000
277 | dv          = 0x0
278 | top         = 0xad020f90
279 | trim_check  = 0x200000
280 | magic       = 0x2900d4d8
281 | smallbin[00] (sz 0x0)   = 0xa840002c, 0xa840002c [EMPTY]
282 | smallbin[01] (sz 0x8)   = 0xa8400034, 0xa8400034 [EMPTY]
283 | smallbin[02] (sz 0x10)  = 0xacbf7ad0, 0xa88647f0
284 | smallbin[03] (sz 0x18)  = 0xa95059b8, 0xa9689a20
285 | [...]
286 | ```
287 | 
288 | The `-c` switch can be used to count the number of chunks in a given bin. Note
289 | that this can be quite slow if you're debugging over a serial line, so we also
290 | provide the `--depth` option to limit how many bin entries will be counted. By
291 | default the depth is set to 10:
292 | 
293 | ```
294 | (gdb) dlmstate -c
295 | [libdlmalloc] Using cached mstate
296 | 
297 | smallbin[00] (sz 0x0)   = 0xa840002c, 0xa840002c [EMPTY]
298 | smallbin[01] (sz 0x8)   = 0xa8400034, 0xa8400034 [EMPTY]
299 | smallbin[02] (sz 0x10)  = 0xacbf7ad0, 0xa88647f0 [10+]
300 | smallbin[03] (sz 0x18)  = 0xa95059b8, 0xa9689a20 [10+]
301 | smallbin[04] (sz 0x20)  = 0xac79a028, 0xa87206f8 [10+]
302 | smallbin[05] (sz 0x28)  = 0xacff0120, 0xa948a0f8 [10+]
303 | smallbin[06] (sz 0x30)  = 0xac4e4af8, 0xacb56878 [10+]
304 | smallbin[07] (sz 0x38)  = 0xacfe3880, 0xacfe0df0 [10]
305 | smallbin[08] (sz 0x40)  = 0xa9509b28, 0xa9509b28 [2]
306 | smallbin[09] (sz 0x48)  = 0xa8a1dc80, 0xa8a1dc80 [2]
307 | smallbin[10] (sz 0x50)  = 0xac782cb0, 0xac782cb0 [2]
308 | [...]
309 | ```
310 | 
311 | As shown the count is displayed in brackets to the right of the bin contents.
312 | We use the mstate bitmap to first test if a bin is empty, so you can expect to
313 | occasionally see bin entries that have valid pointers that to the heap, but
314 | that are marked `[EMPTY]`. These pointers are just stale at this point.
315 | 
316 | ## dlcallback
317 | 
318 | We support the concept of inter-plugin callbacks. You can register a callback
319 | function in a specified module and that function will be called with a dict
320 | holding a bunch of information about the state of whatever is being looked at.
321 | The callback is called when both dlchunk and dlmstate area finished doing
322 | whatever they do with their arguments.
323 | 
324 | The usage can be seen with the `-h` switch:
325 | 
326 | ```
327 | (gdb) dlcallback -h
328 | [libdlmalloc] usage: dlcallback <option>
329 | [libdlmalloc]  disable                  temporarily disable the registered callback
330 | [libdlmalloc]  enable                   enable the registered callback
331 | [libdlmalloc]  status                   check if a callback is registered
332 | [libdlmalloc]  clear                    forget the registered callback
333 | [libdlmalloc]  register <name> <module> use a global function <name> as callback from <module>
334 | [libdlmalloc]                           ex: register mpcallback libmempool/libmempool
335 | ```
336 | 
337 | To demonstrate this functionality, we will use a callback we developed for a
338 | separate GDB plugin called [libmempool](https://github.com/nccgroup/libmempool),
339 | 
340 | 
341 | ```
342 | (gdb) dlcallback register mpcallback libmempool/libmempool
343 | [libmempool] loaded
344 | [libdlmalloc] mpcallback registered as callback
345 | (gdb) dlcallback status
346 | [libdlmalloc] a callback is registered and enabled
347 | ```
348 | 
349 | Now when we use a command like dlchunk, we can see some additional annotation:
350 | 
351 | ```
352 | (gdb) dlchunk 0xacff59d0
353 | 0xacff59d0 M sz:0x000f8 fl:CP alloc_pc:0x08262b45,-
354 | (gdb) dlchunk -v 0xacff59d0
355 | struct malloc_chunk @ 0xacff59d0 {
356 | prev_foot   = 0x8140d4d0
357 | size        = 0xf8 (CINUSE|PINUSE)
358 | struct mp_header @ 0xacff59d8 {
359 | mh_magic      = 0xa11c0123
360 | mh_len        = 0xcc
361 | mh_refcount   = 0x0
362 | mh_unused     = 0x0
363 | mh_fd_link    = 0xa9515ed0 (OK)
364 | mh_bk_link    = 0xa84005c4 (-)
365 | alloc_pc      = 0x8262b45 (-)
366 | free_pc       = 0x0 (-)
367 | ```
368 | 
369 | Similarly, we can see significantly more data tacked onto the default dlmalloc
370 | mstate shown by dlmstate:
371 | 
372 | ```
373 | (gdb) dlmstate
374 | [libdlmalloc] Using cached mstate
375 | struct dl_mstate @ 0xa8400008 {
376 | smallmap    = 0b000000000000010000011111111100
377 | treemap     = 0b000000000000000000000000000111
378 | dvsize      = 0x0
379 | topsize     = 0x2ebdf040
380 | least_addr  = 0xa8400000
381 | dv          = 0x0
382 | top         = 0xad020f90
383 | trim_check  = 0x200000
384 | magic       = 0x2900d4d8
385 | smallbin[00] (sz 0x0)   = 0xa840002c, 0xa840002c [EMPTY]
386 | smallbin[01] (sz 0x8)   = 0xa8400034, 0xa8400034 [EMPTY]
387 | smallbin[02] (sz 0x10)  = 0xacbf7ad0, 0xa88647f0
388 | smallbin[03] (sz 0x18)  = 0xa95059b8, 0xa9689a20
389 | smallbin[04] (sz 0x20)  = 0xac79a028, 0xa87206f8
390 | smallbin[05] (sz 0x28)  = 0xacff0120, 0xa948a0f8
391 | smallbin[06] (sz 0x30)  = 0xac4e4af8, 0xacb56878
392 | smallbin[07] (sz 0x38)  = 0xacfe3880, 0xacfe0df0
393 | smallbin[08] (sz 0x40)  = 0xa9509b28, 0xa9509b28
394 | smallbin[09] (sz 0x48)  = 0xa8a1dc80, 0xa8a1dc80
395 | smallbin[10] (sz 0x50)  = 0xac782cb0, 0xac782cb0
396 | smallbin[11] (sz 0x58)  = 0xacbf7a88, 0xacbf7a88 [EMPTY]
397 | smallbin[12] (sz 0x60)  = 0xac782c00, 0xac782c00 [EMPTY]
398 | smallbin[13] (sz 0x68)  = 0xacbf7a78, 0xacbf7a78 [EMPTY]
399 | smallbin[14] (sz 0x70)  = 0xa89b9650, 0xa89b9650 [EMPTY]
400 | smallbin[15] (sz 0x78)  = 0xac789828, 0xac789828 [EMPTY]
401 | smallbin[16] (sz 0x80)  = 0xa89b9738, 0xa94af740
402 | smallbin[17] (sz 0x88)  = 0xac4e5700, 0xac4e5700 [EMPTY]
403 | smallbin[18] (sz 0x90)  = 0xac788030, 0xac788030 [EMPTY]
404 | smallbin[19] (sz 0x98)  = 0xac782bc8, 0xac782bc8 [EMPTY]
405 | smallbin[20] (sz 0xa0)  = 0xa89b9718, 0xa89b9718 [EMPTY]
406 | smallbin[21] (sz 0xa8)  = 0xa8a1dc20, 0xa8a1dc20 [EMPTY]
407 | smallbin[22] (sz 0xb0)  = 0xac782af8, 0xac782af8 [EMPTY]
408 | smallbin[23] (sz 0xb8)  = 0xac789ed0, 0xac789ed0 [EMPTY]
409 | smallbin[24] (sz 0xc0)  = 0xacbf7a20, 0xacbf7a20 [EMPTY]
410 | smallbin[25] (sz 0xc8)  = 0xac789940, 0xac789940 [EMPTY]
411 | smallbin[26] (sz 0xd0)  = 0xac789eb8, 0xac789eb8 [EMPTY]
412 | smallbin[27] (sz 0xd8)  = 0xa94af6e8, 0xa94af6e8 [EMPTY]
413 | smallbin[28] (sz 0xe0)  = 0xacbf78e8, 0xacbf78e8 [EMPTY]
414 | smallbin[29] (sz 0xe8)  = 0xac4e4e68, 0xac4e4e68 [EMPTY]
415 | smallbin[30] (sz 0xf0)  = 0xac4e5780, 0xac4e5780 [EMPTY]
416 | smallbin[31] (sz 0xf8)  = 0xac7880b0, 0xac7880b0 [EMPTY]
417 | treebin[00] (sz 0x180)      = 0xac783cb0
418 | treebin[01] (sz 0x200)      = 0xac789dc0
419 | treebin[02] (sz 0x300)      = 0xa883db48
420 | treebin[03] (sz 0x400)      =        0x0 [EMPTY]
421 | treebin[04] (sz 0x600)      =        0x0 [EMPTY]
422 | treebin[05] (sz 0x800)      =        0x0 [EMPTY]
423 | treebin[06] (sz 0xc00)      =        0x0 [EMPTY]
424 | treebin[07] (sz 0x1000)     =        0x0 [EMPTY]
425 | treebin[08] (sz 0x1800)     =        0x0 [EMPTY]
426 | treebin[09] (sz 0x2000)     =        0x0 [EMPTY]
427 | treebin[10] (sz 0x3000)     =        0x0 [EMPTY]
428 | treebin[11] (sz 0x4000)     =        0x0 [EMPTY]
429 | treebin[12] (sz 0x6000)     =        0x0 [EMPTY]
430 | treebin[13] (sz 0x8000)     =        0x0 [EMPTY]
431 | treebin[14] (sz 0xc000)     =        0x0 [EMPTY]
432 | treebin[15] (sz 0x10000)    =        0x0 [EMPTY]
433 | treebin[16] (sz 0x18000)    =        0x0 [EMPTY]
434 | treebin[17] (sz 0x20000)    =        0x0 [EMPTY]
435 | treebin[18] (sz 0x30000)    =        0x0 [EMPTY]
436 | treebin[19] (sz 0x40000)    =        0x0 [EMPTY]
437 | treebin[20] (sz 0x60000)    =        0x0 [EMPTY]
438 | treebin[21] (sz 0x80000)    =        0x0 [EMPTY]
439 | treebin[22] (sz 0xc0000)    =        0x0 [EMPTY]
440 | treebin[23] (sz 0x100000)   =        0x0 [EMPTY]
441 | treebin[24] (sz 0x180000)   =        0x0 [EMPTY]
442 | treebin[25] (sz 0x200000)   =        0x0 [EMPTY]
443 | treebin[26] (sz 0x300000)   =        0x0 [EMPTY]
444 | treebin[27] (sz 0x400000)   =        0x0 [EMPTY]
445 | treebin[28] (sz 0x600000)   =        0x0 [EMPTY]
446 | treebin[29] (sz 0x800000)   =        0x0 [EMPTY]
447 | treebin[30] (sz 0xc00000)   =        0x0 [EMPTY]
448 | treebin[31] (sz 0xffffffff) =        0x0 [EMPTY]
449 | footprint   = 0x33800000
450 | max_footprint = 0x33800000
451 | mflags      = 0x7
452 | mutex       = 0x0,0x0,0x0,0x0,0xa8400000,
453 | seg = struct malloc_segment @ 0xa84001d4 {
454 | base        = 0xa8400000
455 | size        = 0x33800000
456 | next        = 0x0
457 | sflags      = 0x8
458 | struct mp_mstate @ 0xa84001e4 {
459 | mp_smallbin[00] - sz: 0x00000000 cnt: 0x0000, mh_fd_link: 0x0
460 | mp_smallbin[01] - sz: 0x00000008 cnt: 0x0000, mh_fd_link: 0x0
461 | mp_smallbin[02] - sz: 0x00000010 cnt: 0x0000, mh_fd_link: 0x0
462 | mp_smallbin[03] - sz: 0x00000018 cnt: 0x0000, mh_fd_link: 0x0
463 | mp_smallbin[04] - sz: 0x00000020 cnt: 0x0000, mh_fd_link: 0x0
464 | mp_smallbin[05] - sz: 0x00000028 cnt: 0x0000, mh_fd_link: 0x0
465 | mp_smallbin[06] - sz: 0x00000030 cnt: 0x0213, mh_fd_link: 0xacfdf800
466 | mp_smallbin[07] - sz: 0x00000038 cnt: 0x0cb3, mh_fd_link: 0xaae0ff70
467 | mp_smallbin[08] - sz: 0x00000040 cnt: 0x1c99, mh_fd_link: 0xac4e4b30
468 | mp_smallbin[09] - sz: 0x00000048 cnt: 0x027b, mh_fd_link: 0xaae0fe30
469 | mp_smallbin[10] - sz: 0x00000050 cnt: 0x0415, mh_fd_link: 0xac782c68
470 | mp_smallbin[11] - sz: 0x00000058 cnt: 0x012d, mh_fd_link: 0xac799fd8
471 | mp_smallbin[12] - sz: 0x00000060 cnt: 0x0125, mh_fd_link: 0xacbf7a78
472 | mp_smallbin[13] - sz: 0x00000068 cnt: 0x0a06, mh_fd_link: 0xac789b78
473 | mp_smallbin[14] - sz: 0x00000070 cnt: 0x003e, mh_fd_link: 0xa9515fc8
474 | mp_smallbin[15] - sz: 0x00000078 cnt: 0x0074, mh_fd_link: 0xac789830
475 | mp_smallbin[16] - sz: 0x00000080 cnt: 0x0124, mh_fd_link: 0xac7827a0
476 | mp_smallbin[17] - sz: 0x00000088 cnt: 0x0016, mh_fd_link: 0xac799f50
477 | mp_smallbin[18] - sz: 0x00000090 cnt: 0x0025, mh_fd_link: 0xac784e58
478 | mp_smallbin[19] - sz: 0x00000098 cnt: 0x004e, mh_fd_link: 0xac4e56f8
479 | mp_smallbin[20] - sz: 0x000000a0 cnt: 0x01c8, mh_fd_link: 0xacfefbf0
480 | mp_smallbin[21] - sz: 0x000000a8 cnt: 0x0189, mh_fd_link: 0xacff05e0
481 | mp_smallbin[22] - sz: 0x000000b0 cnt: 0x00e9, mh_fd_link: 0xacbf79c8
482 | mp_smallbin[23] - sz: 0x000000b8 cnt: 0x0165, mh_fd_link: 0xac96be20
483 | mp_smallbin[24] - sz: 0x000000c0 cnt: 0x0017, mh_fd_link: 0xac789a50
484 | mp_smallbin[25] - sz: 0x000000c8 cnt: 0x001a, mh_fd_link: 0xacb4d998
485 | mp_smallbin[26] - sz: 0x000000d0 cnt: 0x004d, mh_fd_link: 0xa9519150
486 | mp_smallbin[27] - sz: 0x000000d8 cnt: 0x0024, mh_fd_link: 0xacbf78f0
487 | mp_smallbin[28] - sz: 0x000000e0 cnt: 0x002c, mh_fd_link: 0xacff49d8
488 | mp_smallbin[29] - sz: 0x000000e8 cnt: 0x0014, mh_fd_link: 0xa89b9658
489 | mp_smallbin[30] - sz: 0x000000f0 cnt: 0x0008, mh_fd_link: 0xacfde720
490 | mp_smallbin[31] - sz: 0x000000f8 cnt: 0x0044, mh_fd_link: 0xacff59d8
491 | mp_treebin[00] - sz: 0x00000180 cnt: 0x0190, mh_fd_link: 0xacb48318
492 | mp_treebin[01] - sz: 0x00000200 cnt: 0x0134, mh_fd_link: 0xa95059d8
493 | mp_treebin[02] - sz: 0x00000300 cnt: 0x01ac, mh_fd_link: 0xad01cd38
494 | mp_treebin[03] - sz: 0x00000400 cnt: 0x004e, mh_fd_link: 0xacffbac8
495 | mp_treebin[04] - sz: 0x00000600 cnt: 0x0073, mh_fd_link: 0xac4e4fa0
496 | mp_treebin[05] - sz: 0x00000800 cnt: 0x0030, mh_fd_link: 0xacfebe20
497 | mp_treebin[06] - sz: 0x00000c00 cnt: 0x0277, mh_fd_link: 0xac7887e8
498 | mp_treebin[07] - sz: 0x00001000 cnt: 0x004f, mh_fd_link: 0xa9507570
499 | mp_treebin[08] - sz: 0x00001800 cnt: 0x0041, mh_fd_link: 0xac784fa8
500 | mp_treebin[09] - sz: 0x00002000 cnt: 0x0010, mh_fd_link: 0xac74f248
501 | mp_treebin[10] - sz: 0x00003000 cnt: 0x0024, mh_fd_link: 0xac796020
502 | mp_treebin[11] - sz: 0x00004000 cnt: 0x0028, mh_fd_link: 0xacf9a3e0
503 | mp_treebin[12] - sz: 0x00006000 cnt: 0x009a, mh_fd_link: 0xad01cf68
504 | mp_treebin[13] - sz: 0x00008000 cnt: 0x000b, mh_fd_link: 0xacae3978
505 | mp_treebin[14] - sz: 0x0000c000 cnt: 0x0027, mh_fd_link: 0xad014678
506 | mp_treebin[15] - sz: 0x00010000 cnt: 0x000b, mh_fd_link: 0xacab7098
507 | mp_treebin[16] - sz: 0x00018000 cnt: 0x0062, mh_fd_link: 0xacafa7c8
508 | mp_treebin[17] - sz: 0x00020000 cnt: 0x0007, mh_fd_link: 0xac2cda88
509 | mp_treebin[18] - sz: 0x00030000 cnt: 0x0012, mh_fd_link: 0xac800720
510 | mp_treebin[19] - sz: 0x00040000 cnt: 0x000a, mh_fd_link: 0xac6e21e0
511 | mp_treebin[20] - sz: 0x00060000 cnt: 0x0006, mh_fd_link: 0xaa5b0f28
512 | mp_treebin[21] - sz: 0x00080000 cnt: 0x0004, mh_fd_link: 0xacf152e8
513 | mp_treebin[22] - sz: 0x000c0000 cnt: 0x000e, mh_fd_link: 0xaac896f0
514 | mp_treebin[23] - sz: 0x00100000 cnt: 0x0000, mh_fd_link: 0x0
515 | mp_treebin[24] - sz: 0x00180000 cnt: 0x0004, mh_fd_link: 0xa934b730
516 | mp_treebin[25] - sz: 0x00200000 cnt: 0x0001, mh_fd_link: 0xaa6d6cc8
517 | mp_treebin[26] - sz: 0x00300000 cnt: 0x0003, mh_fd_link: 0xacc1feb0
518 | mp_treebin[27] - sz: 0x00400000 cnt: 0x0001, mh_fd_link: 0xa8f39370
519 | mp_treebin[28] - sz: 0x00600000 cnt: 0x0000, mh_fd_link: 0x0
520 | mp_treebin[29] - sz: 0x00800000 cnt: 0x0001, mh_fd_link: 0xa9689a40
521 | mp_treebin[30] - sz: 0x00c00000 cnt: 0x0001, mh_fd_link: 0xaae41208
522 | mp_treebin[31] - sz: 0xffffffff cnt: 0x0001, mh_fd_link: 0xab641738 [UNSORTED]
523 | ```
524 | 
525 | ## Callback dict
526 | 
527 | Right now we just blast a lot of information from libdlmalloc to the callback
528 | function and it can choose to do whatever it wants to with the information. We
529 | provide more information than most callbacks will need. Also the expectation is
530 | that the callback will likely need to be aware of the plugin issuing the
531 | callback, in order for it to inform what additional information it will show.
532 | On the flip side, the plugin (libdlmalloc in this case) calling into the
533 | callback doesn't currently need to know (or care) about anything that the
534 | this external callback provider does.
535 | 
536 | An example of some of the data we provide to the callback function is:
537 | 
538 | * `caller`: name of calling gdb command or function
539 | * `allocator`: backing allocator that manages the chunk address we send
540 | * `addr`: address of the chunk contents after the core alloctor's metadata
541 | * `hdr_sz`: size of the core allocator's metadata header
542 | * `chunksz`: size of the chunk according to the core allocators metadata header
543 | * `min_hdr_sz`: the minimum header size possible for this core allocator
544 | * `data_size`: size of the data at `addr`
545 | * `inuse`: whether a chunk is inuse according to the core allocator
546 | * `chunk_info`: whether or not the calling library is printing chunk info
547 | * `size_sz`: The calculated size of a `size_t` data type on the debugged platform
548 | 
549 | # Future development
550 | 
551 | We will likely add functionality to libdlmalloc as we need or while doing
552 | future Cisco ASA research. Planned additions currently are:
553 | 
554 | - Abstract out the debug engine logic to be more like libheap or shadow's newer
555 |   designs
556 | - Write `dlsearch` which walks all msegments searching for some value.
557 | - A dlchunk option for a free chunk that allows finding the bin by walking the
558 |   linkage, and thus infering the associated `mstate` base address
559 | 
560 | # Notes on dlmalloc
561 | 
562 | ## dlmalloc vs ptmalloc
563 | 
564 | The ptmalloc allocator, which is part of glibc, was regularly forked from
565 | dlmalloc. The following table demonstrates the relationship of versions:
566 | 
567 | | dlmalloc       | ptmalloc  | Types of bins                |
568 | | -------------- | --------- | ---------------------------- |
569 | | dlmalloc 2.5.x | N/A       | bins                         |
570 | | dlmalloc 2.6.x | ptmalloc  | smallbins/bins               |
571 | | dlmalloc 2.7.x | ptmalloc2 | fastbins/smallbins/largebins |
572 | | dlmalloc 2.8.x | ptmalloc3 | smallbins/treebins           |
573 | 
574 | ## Reading
575 | 
576 | dlmalloc 2.8.x differs in many ways from earlier dlmalloc versions, namely due
577 | to the use of a tree structure for large allocations. The best documentation is
578 | the [source code](http://g.oswego.edu/pub/misc/). For some good background on
579 | the differences between ptmalloc2 and ptmalloc3 (which translates to dlmalloc
580 | 2.7.x vs 2.8.x) see blackngel's Phrack 67 paper [The House Of Lore:
581 | Reloaded](http://phrack.org/issues/67/8.html).
582 | 
583 | # Contact
584 | 
585 | We would love to hear feedback about this tool and also are happy to get pull
586 | requests.
587 | 
588 | * Aaron Adams
589 |     * Email: `aaron<dot>adams<at>nccgroup<dot>trust`
590 |     * Twitter: @fidgetingbits
591 | 
592 | * Cedric Halbronn
593 |     * Email: `cedric<dot>halbronn<at>nccgroup<dot>trust`
594 |     * Twitter: @saidelike
595 | 


--------------------------------------------------------------------------------
/TODO.md:
--------------------------------------------------------------------------------
 1 | * Add an offset command for printing objects? Seems useful to prefix with
 2 |   +0x124 type stuff
 3 | * dlsearch - walk an mstates segments looking for data
 4 | * Look into using argparse with a custom override for integer values that
 5 |   need to be read from gdb?
 6 | * remove all the old libheap stuff we don't actually use
 7 | * If we know the address of the mstate we could cache the address of the dv
 8 |   and check each free chunk we analyze against that value and mark it as
 9 |   such. This would prevent invalid values shown for the victim chunk when
10 |   using -v.
11 | * Support setting the dl_helper 'foot' option to dictate if we bother with the
12 |   footer-related stuff
13 | * have a dlbinwalk command similar to mpbinwalk (libmempool) to list chunks for a
14 |   given bin size
15 | 


--------------------------------------------------------------------------------
/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/libdlmalloc/9c4b5646a653e6c19b33c3507e8b7033874fbba7/__init__.py


--------------------------------------------------------------------------------
/libdlmalloc_26x.py:
--------------------------------------------------------------------------------
   1 | # libdlmalloc_26x.py
   2 | #
   3 | # This file is part of libdlmalloc.
   4 | # Copyright (c) 2017, Aaron Adams <aaron.adams(at)nccgroup(dot)trust>
   5 | # Copyright (c) 2017, Cedric Halbronn <cedric.halbronn(at)nccgroup(dot)trust>
   6 | #
   7 | # Some parts of this code were taken from libheap, a ptmalloc2 GDB
   8 | # plugin: https://github.com/cloudburst/libheap
   9 | #
  10 | # Some gdb argument handling functions were taken and/or inspired from
  11 | # https://github.com/0vercl0k/stuffz/blob/master/dps_like_for_gdb.py
  12 | #
  13 | # The show_last_exception() code was derived from https://github.com/hugsy/gef
  14 | #
  15 | # Note libdmalloc_26x was primarily tested on 2.6.3i?, which is not the latest
  16 | # version.
  17 | #
  18 | # Note this has been heavily ported from libdlmalloc_28x.py so it may not actually
  19 | # be close enough to malloc-2.6.3i.c. It still contains lots of 2.8.x
  20 | # references that need to be cleaned up.
  21 | #
  22 | # See http://gee.cs.oswego.edu/pub/misc/malloc-2.6.7.c
  23 | #
  24 | # TODO
  25 | # - support IS_MMAPPED
  26 | 
  27 | from __future__ import print_function
  28 | 
  29 | import traceback
  30 | import importlib
  31 | 
  32 | try:
  33 |     import gdb
  34 |     is_gdb = True
  35 | except ImportError:
  36 |     is_gdb = False
  37 |     print("[libdlmalloc_26x] Not running inside of GDB, limited functionality")
  38 | 
  39 | from os.path import basename
  40 | 
  41 | import re
  42 | import sys, os, json
  43 | import struct
  44 | from functools import wraps
  45 | 
  46 | ################################################################################
  47 | # HELPERS
  48 | ################################################################################
  49 | 
  50 | # XXX - move to _gdb.py
  51 | # Taken from gef. Let's us see proper backtraces from python exceptions
  52 | def show_last_exception():
  53 |     PYTHON_MAJOR = sys.version_info[0]
  54 |     horizontal_line = "-"
  55 |     right_arrow = "->"
  56 |     down_arrow = "\\->"
  57 | 
  58 |     print("")
  59 |     exc_type, exc_value, exc_traceback = sys.exc_info()
  60 |     print(" Exception raised ".center(80, horizontal_line))
  61 |     print("{}: {}".format(exc_type.__name__, exc_value))
  62 |     print(" Detailed stacktrace ".center(80, horizontal_line))
  63 |     for fs in traceback.extract_tb(exc_traceback)[::-1]:
  64 |         if PYTHON_MAJOR==2:
  65 |             filename, lineno, method, code = fs
  66 |         else:
  67 |             try:
  68 |                 filename, lineno, method, code = fs.filename, fs.lineno, fs.name, fs.line
  69 |             except:
  70 |                 filename, lineno, method, code = fs
  71 | 
  72 |         print("""{} File "{}", line {:d}, in {}()""".format(down_arrow, filename,
  73 |                                                             lineno, method))
  74 |         print("   {}    {}".format(right_arrow, code))
  75 | 
  76 | # XXX - move to _gdb.py
  77 | def get_info():
  78 |     res = gdb.execute("maintenance info sections ?", to_string=True)
  79 |     bin_name = basename(build_bin_name(res))
  80 |     if not bin_name:
  81 |         raise("get_info: failed to find bin name")
  82 |     if bin_name[0] == '_':
  83 |         return bin_name[1:]
  84 |     return bin_name
  85 | 
  86 | # XXX - Not sure if these should go into dlmalloc()
  87 | # XXX - move to _gdb.py
  88 | def get_inferior():
  89 |     if not is_gdb:
  90 |         return
  91 |     try:
  92 |         if len(gdb.inferiors()) == 0:
  93 |             logmsg("No gdb inferior could be found.")
  94 |             return -1
  95 |         else:
  96 |             inferior = gdb.inferiors()[0]
  97 |             return inferior
  98 |     except AttributeError:
  99 |         logmsg("This gdb's python support is too old.")
 100 |         exit()
 101 | 
 102 | # XXX - move to _gdb.py
 103 | def has_inferior(f):
 104 |     "decorator to make sure we have an inferior to operate on"
 105 | 
 106 |     @wraps(f)
 107 |     def with_inferior(*args, **kwargs):
 108 |         inferior = get_inferior()
 109 |         if inferior != -1:
 110 |             if (inferior.pid != 0) and (inferior.pid is not None):
 111 |                 return f(*args, **kwargs)
 112 |             else:
 113 |                 logmsg("No debugee could be found.  Attach or start a program.")
 114 |                 exit()
 115 |         else:
 116 |             exit()
 117 |     return with_inferior
 118 | 
 119 | # General class for most dlmalloc-related methods to avoid namespace overlap
 120 | # with other heap libraries we might load at the same time. Most helper methods
 121 | # try to match the macros from malloc-2.8.x.c files
 122 | class dl_helper:
 123 | 
 124 |     DLMALLOC_VERSION  = "2.6"
 125 | 
 126 |     MALLOC_ALIGNMENT  = 8
 127 |     SIZE_T_ZERO       = 0
 128 |     SIZE_T_ONE        = 1
 129 |     SIZE_T_TWO        = 2
 130 |     CHUNK_ALIGN_MASK  = MALLOC_ALIGNMENT - SIZE_T_ONE
 131 | 
 132 |     NSMALLBINS        = 32
 133 |     NTREEBINS         = 32
 134 |     SMALLBIN_SHIFT    = 3
 135 |     SMALLBIN_WIDTH    = SIZE_T_ONE << SMALLBIN_SHIFT
 136 |     TREEBIN_SHIFT     = 8
 137 |     MIN_LARGE_SIZE    = SIZE_T_ONE << TREEBIN_SHIFT
 138 |     MAX_SMALL_SIZE    = MIN_LARGE_SIZE - SIZE_T_ONE
 139 |     #MAX_SMALL_REQUEST = (MAX_SMALL_SIZE - CHUNK_ALIGN_MASK - CHUNK_OVERHEAD)
 140 | 
 141 |     PINUSE_BIT = 1
 142 |     IS_MMAPPED = 2
 143 |     SIZE_BITS = (PINUSE_BIT|IS_MMAPPED)
 144 | 
 145 |     # XXX - If we find the malloc_params struct in mem, we should update these
 146 |     DEFAULT_TRIM_THRESHOLD = 2 * 1024 * 1024
 147 | 
 148 |     treebin_sz = [ 0x180, 0x200, 0x300, 0x400, 0x600, 0x800, 0xc00, 0x1000,
 149 |         0x1800, 0x2000, 0x3000, 0x4000, 0x6000, 0x8000, 0xc000, 0x10000,
 150 |         0x18000, 0x20000, 0x30000, 0x40000, 0x60000, 0x80000, 0xc0000, 0x100000,
 151 |         0x180000, 0x200000, 0x300000, 0x400000, 0x600000, 0x800000, 0xc00000,
 152 |         0xffffffff]
 153 | 
 154 |     def __init__(self, size_sz=0):
 155 |         self.terse = True # XXX - This should be configurable
 156 |         # Non-gdb users will have to specify the size themselves
 157 |         if size_sz == 0:
 158 |             self.retrieve_sizesz()
 159 |         else:
 160 |             self.SIZE_SZ = size_sz
 161 | 
 162 |         self.INUSE_HDR_SZ      = 2 * self.SIZE_SZ
 163 |         self.FREE_HDR_SZ       = 4 * self.SIZE_SZ
 164 |         self.MAX_HDR_SZ        = self.FREE_HDR_SZ
 165 | 
 166 |         self.MIN_CHUNK_SZ      = 4 * self.SIZE_SZ
 167 |         self.MALLOC_ALIGNMENT  = 2 * self.SIZE_SZ
 168 |         self.MALLOC_ALIGN_MASK = self.MALLOC_ALIGNMENT - 1
 169 |         self.MINSIZE           = (self.MIN_CHUNK_SZ+self.MALLOC_ALIGN_MASK) & \
 170 |                                     ~self.MALLOC_ALIGN_MASK
 171 | 
 172 |         self.MSEGMENT_SZ       = 4 * self.SIZE_SZ
 173 | 
 174 |         # The MSTATE_SZ constants used here are a best guess. It will be
 175 |         # dynamically adjusted if found to be incorrect. We want this size to
 176 |         # be the largest possible though, so we always have enough memory to
 177 |         # figure it out.
 178 |         if self.SIZE_SZ == 4:
 179 |             self.MSTATE_SZ = 0x1dc
 180 |         elif self.SIZE_SZ == 8:
 181 |             self.MSTATE_SZ = 0x3b0
 182 | 
 183 |         self.MALLOC_PARAM_SZ = (self.SIZE_SZ * 5) + 4
 184 | 
 185 | 
 186 |         self.dlchunk_callback = None
 187 |         self.dlchunk_callback_cached = None
 188 |         self.cached_mstate = None
 189 |         self.colors = True
 190 | 
 191 |     def logmsg(self, s, end=None):
 192 |         if type(s) == str:
 193 |             if end != None:
 194 |                 print("[libdlmalloc] " + s, end=end)
 195 |             else:
 196 |                 print("[libdlmalloc] " + s)
 197 |         else:
 198 |             print(s)
 199 | 
 200 |     # XXX - move to _gdb.py
 201 |     def retrieve_sizesz(self):
 202 |         "Retrieve the SIZE_SZ after binary loading finished"
 203 | 
 204 |         _machine = self.get_arch()
 205 |         if "elf64" in _machine:
 206 |             self.SIZE_SZ = 8
 207 |         elif "elf32" in _machine:
 208 |             self.SIZE_SZ = 4
 209 |         else:
 210 |             raise Exception("Retrieving the SIZE_SZ failed.")
 211 | 
 212 |     def register_callback(self, func):
 213 |         self.dlchunk_callback = func
 214 |         self.logmsg("Registered new dlchunk callback")
 215 | 
 216 |     # XXX - move to _gdb.py
 217 |     def get_arch(self):
 218 |         res = gdb.execute("maintenance info sections ?", to_string=True)
 219 |         if "elf32-i386" in res and "elf64-x86-64" in res:
 220 |             raise("get_arch: could not determine arch (1)")
 221 |         if "elf32-i386" not in res and "elf64-x86-64" not in res:
 222 |             raise("get_arch: could not determine arch (2)")
 223 |         if "elf32-i386" in res:
 224 |             return "elf32-i386"
 225 |         elif "elf64-x86-64" in res:
 226 |             return "elf64-x86-64"
 227 |         else:
 228 |             raise("get_arch: failed to find arch")
 229 | 
 230 |     # This is the 64-bit version of the macro since the 32-bit uses inline asm
 231 |     def compute_tree_index(self, sz):
 232 |         x = sz >> self.TREEBIN_SHIFT
 233 |         if x == 0:
 234 |             return 0
 235 |         elif x > 0xffff:
 236 |             return self.NTREEBINS-1
 237 |         else:
 238 |             y = x
 239 |             n = ((y - 0x100) >> 16) & 8
 240 |             k = (((y << n) - 0x1000) >> 16) & 4
 241 |             n += k
 242 |             y <<= k
 243 |             k = ((y - 0x4000) >> 16) & 2
 244 |             n += k
 245 |             y <<= k
 246 |             k = 14 - n + (y >> 15)
 247 |             return (k << 1) + ((sz >> (k + (self.TREEBIN_SHIFT-1)) & 1))
 248 | 
 249 |     def chunk2mem(self, p):
 250 |         "conversion from malloc header to user pointer"
 251 |         return (p.address + (2 * self.SIZE_SZ))
 252 | 
 253 |     def mem2chunk(self, mem):
 254 |         "conversion from user pointer to malloc header"
 255 |         return (mem - (2 * self.SIZE_SZ))
 256 | 
 257 |     def request2size(self, req):
 258 |         "pad request bytes into a usable size"
 259 | 
 260 |         if (req + self.SIZE_SZ + self.MALLOC_ALIGN_MASK < self.MINSIZE):
 261 |             return self.MINSIZE
 262 |         else:
 263 |             return (int(req + self.SIZE_SZ + self.MALLOC_ALIGN_MASK) & \
 264 |                     ~self.MALLOC_ALIGN_MASK)
 265 | 
 266 |     def pinuse(self, p):
 267 |         "extract inuse bit of previous chunk"
 268 |         return (p.size & self.PINUSE_BIT)
 269 | 
 270 |     def chunksize(self, p):
 271 |         "Get size, ignoring use bits"
 272 |         return (p.size & ~self.SIZE_BITS)
 273 | 
 274 |     def ptr_from_chunk(self, p):
 275 |         return (p.address + p.hdr_size)
 276 | 
 277 |     def next_chunk(self, p):
 278 |         "Ptr to next physical malloc_chunk."
 279 |         return (p.address + (p.size & ~self.SIZE_BITS))
 280 | 
 281 |     def prev_chunk(self, p):
 282 |         "Ptr to previous physical malloc_chunk"
 283 |         return (p.address - p.prev_size)
 284 | 
 285 |     def next_pinuse(self, p):
 286 |         "extract next chunk's pinuse bit"
 287 |         chunk = dl_chunk(self, self.next_chunk(p), inuse=False)
 288 |         return self.pinuse(chunk)
 289 | 
 290 |     def chunk_plus_offset(self, p, s):
 291 |         "Treat space at ptr + offset as a chunk"
 292 |         return dl_chunk(self, p.address + s, inuse=False)
 293 | 
 294 |     def chunk_minus_offset(self, p, s):
 295 |         "Treat space at ptr - offset as a chunk"
 296 |         return dl_chunk(self, p.address - s, inuse=False)
 297 | 
 298 |     def set_cinuse(self, p):
 299 |         "set chunk as being inuse without otherwise disturbing"
 300 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.SIZE_BITS)),
 301 |                             inuse=False)
 302 |         next_chunk = self.next_chunk(p)
 303 |         next_chunk.size |= self, self.PINUSE_BIT
 304 |         next_chunk.write()
 305 | 
 306 |     def clear_cinuse(self, p):
 307 |         "clear chunk as being inuse without otherwise disturbing"
 308 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.SIZE_BITS)), 
 309 |                             inuse=False)
 310 |         next_chunk = self.next_chunk(p)
 311 |         next_chunk.size &= ~self.PINUSE_BIT
 312 |         next_chunk.write()
 313 | 
 314 |     def pinuse(self, p):
 315 |         "extract p's inuse bit"
 316 |         return (p.size & self.PINUSE_BIT)
 317 | 
 318 |     def set_pinuse(self, p):
 319 |         "set chunk as having prev_inuse without otherwise disturbing"
 320 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.SIZE_BITS)), 
 321 |                             inuse=False)
 322 |         chunk.size |= self.PINUSE_BIT
 323 |         chunk.write()
 324 | 
 325 |     def clear_pinuse(self, p):
 326 |         "clear chunk as not having pre_inuse without otherwise disturbing"
 327 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.SIZE_BITS)), 
 328 |                              inuse=False)
 329 |         chunk.size &= ~self.PINUSE_BIT
 330 |         chunk.write()
 331 | 
 332 |     def is_small(self, sz):
 333 |         "check if size is in smallbin range"
 334 |         return (sz < self.MIN_LARGE_SIZE)
 335 | 
 336 |     def small_index(self, sz):
 337 |         "return the smallbin index"
 338 | 
 339 |         if self.SMALLBIN_WIDTH == 16:
 340 |             return (sz >> 4)
 341 |         else:
 342 |             return (sz >> 3)
 343 | 
 344 |     # The very last chunk in a segment is free but does not have the PINUSE
 345 |     # flag set. This should never normally happen, because coalescing should
 346 |     # always force a free chunk to be adjacent to an inuse chunk. So we can
 347 |     # detect it. Size might always be 0x30 on 32-bit too? Not sure
 348 |     def is_end_chunk(self, p):
 349 |         if not self.next_pinuse(p) and not self.pinuse(p):
 350 |             return True
 351 |         return False
 352 | 
 353 |     def top(self, mstate):
 354 |         return mstate.top
 355 | 
 356 |     # XXX - This should decode the footer if it exists
 357 |     def mstate_for_ptr(self, ptr):
 358 |         "find the heap and corresponding mstate for a given ptr"
 359 |         return (ptr & ~(self.HEAP_MAX_SIZE-1))
 360 | 
 361 |     # XXX - move to _gdb.py
 362 |     def hexdump(self, p, maxlen=0, off=0):
 363 |         data = self.ptr_from_chunk(p) + off
 364 |         size = self.chunksize(p) - p.hdr_size - off
 365 |         if size < 0:
 366 |             self.logmsg("[!] Chunk corrupt? Bad size")
 367 |             return
 368 |         elif size == 0:
 369 |             self.logmsg("[!] Empty chunk?")
 370 |             return
 371 |         if maxlen != 0:
 372 |             if size > maxlen:
 373 |                 size = maxlen
 374 |         print("0x%x bytes of chunk data:" % size)
 375 |         cmd = "x/%dwx 0x%x\n" % (size/4, data)
 376 |         gdb.execute(cmd, True)
 377 |         return
 378 | 
 379 |     def chunk_info(self, p):
 380 |         info = []
 381 |         info.append("0x%lx " % p.address)
 382 |         if self.next_pinuse(p):
 383 |             info.append("M ")
 384 |         else:
 385 |             info.append("F ")
 386 |         sz = self.chunksize(p)
 387 |         if sz == 0:
 388 |             self.logmsg("[!] Chunk at address 0x%.x invalid or corrupt?" % p.address)
 389 |         if self.terse:
 390 |             info.append("sz:0x%.05x " % sz)
 391 |         else:
 392 |             info.append("sz:0x%.08x " % sz)
 393 |         flag_str = ""
 394 |         if self.terse:
 395 |             info.append("fl:")
 396 |             if self.pinuse(p):
 397 |                 flag_str += "P"
 398 |             else:
 399 |                 flag_str += "-"
 400 |             info.append("%1s" % flag_str)
 401 | 
 402 |         else:
 403 |             info.append("flags: ")
 404 |             if self.pinuse(p):
 405 |                 flag_str += "PINUSE"
 406 |             else:
 407 |                 flag_str += "------"
 408 |             info.append("%6s" % flag_str)
 409 | 
 410 |         if self.dlchunk_callback != None:
 411 |             size = self.chunksize(p) - p.hdr_size
 412 |             cbinfo = {}
 413 |             cbinfo["caller"] = "dlchunk" # This is a lie but shouldn't matter
 414 |             cbinfo["allocator"] = "dlmalloc"
 415 |             cbinfo["version"] = self.DLMALLOC_VERSION
 416 |             cbinfo["addr"] = p.data_address
 417 |             cbinfo["hdr_sz"] = p.hdr_size
 418 |             cbinfo["chunksz"] = self.chunksize(p)
 419 |             cbinfo["min_hdr_sz"] = self.INUSE_HDR_SZ
 420 |             cbinfo["data_size"] = size
 421 |             cbinfo["inuse"] = p.inuse
 422 |             cbinfo["chunk_info"] = True
 423 |             cbinfo["size_sz"] = self.SIZE_SZ
 424 |             if p.from_mem:
 425 |                 cbinfo["mem"] = p.mem[p.hdr_size:]
 426 | 
 427 |             extra = self.dlchunk_callback(cbinfo)
 428 |             info.append(" " + extra)
 429 | 
 430 |         return ''.join(info)
 431 | 
 432 |     def print_segment_chunks(self, seg=None, show_free=True, show_inuse=True, 
 433 |             sz=0, min_sz=0, max_sz=0):
 434 |         addr = seg.base
 435 |         while addr < (seg.base + seg.size):
 436 |             chunk = dl_chunk(self.dl, addr)
 437 |             chunksz = self.dl.chunksize(chunk)
 438 |             if min_sz != 0:
 439 |                 if chunksz > min_sz:
 440 |                     continue
 441 |             if max_sz != 0:
 442 |                 if chunksz > max_sz:
 443 |                     continue
 444 |             if sz != 0:
 445 |                 if chunksz != sz:
 446 |                     continue
 447 |             if show_free != True and not self.dl.next_pinuse(chunk):
 448 |                 continue
 449 |             if show_inuse != True and self.dl.next_pinuse(chunk):
 450 |                 continue
 451 | 
 452 |             print(self.dl.chunk_info(chunk))
 453 |             addr += self.dl.chunksize(chunk)
 454 |         # Walk from the start showing each chunk, but only printing an 
 455 |         # abbreviated version.
 456 | 
 457 |     def print_mstate_chunks(self, addr=None, mstate=None, seg=None):
 458 |         cur_seg = mstate.seg
 459 |         while True:
 460 |             self.print_segment_chunks(cur_seg)
 461 |             if cur_seg.next == 0:
 462 |                 break
 463 |             cur_seg = dl_msegment(self.dl, cur_seg.next)
 464 | 
 465 |     # XXX - anything that walks segments is redundant so should be done with
 466 |     # callbacks maybe?
 467 |     def print_mstate_segments(self, addr=None, mstate=None, seg=None):
 468 |         cur_seg = mstate.seg
 469 |         while True:
 470 |             print(cur_seg)
 471 |             if cur_seg.next == 0:
 472 |                 break
 473 |             cur_seg = dl_msegment(self.dl, cur_seg.next)
 474 | 
 475 |     # XXX - This is broken atm.
 476 |     def search_heap(self, seg, search_for, min_size, max_size):
 477 |         "walk chunks searching for value starting from the seg address"
 478 |         results = []
 479 | 
 480 |         # XXX - Use global constants for 0x440 and 0x868
 481 |         if self.SIZE_SZ == 4:
 482 |             p = dl_chunk(seg) # need to fix
 483 |         elif self.SIZE_SZ == 8:
 484 |             # empiric offset: chunks start after the dl_mstate + offset
 485 |             p = dl_chunk(seg)
 486 | #        heap_size = heap_info(mstate_for_ptr(ar_ptr))
 487 | 
 488 |         while True:
 489 |             if self.chunksize(p) == 0x0:
 490 |                 self.logmsg("sz=0x0 detected at 0x%x, assuming end of heap" 
 491 |                         % p.address)
 492 |                 break
 493 |             if max_size == 0 or self.chunksize(p) <= max_size:
 494 |                 if self.chunksize(p) >= min_size:
 495 |                     print(self.chunk_info(p)) # debug
 496 |                     if self.search_chunk(p, search_for):
 497 |                         results.append(p.address)
 498 |             p = dl_chunk(self.dl, addr=(p.address + self.chunksize(p)))
 499 |         return results
 500 | 
 501 |     def search_chunk(self, p, search_for, depth=0):
 502 |         "searches a chunk. includes the chunk header in the search"
 503 | 
 504 |         if depth == 0 or depth > self.chunksize(p):
 505 |             depth = self.chunksize(p)
 506 | 
 507 |         try:
 508 |             out_str = gdb.execute('find /1w 0x%x, 0x%x, %s' % \
 509 |                 (p.address, p.address + depth, search_for), \
 510 |                 to_string = True)
 511 |         except Exception:
 512 |             #print(sys.exc_info()[0])
 513 |             #print("[libdlmalloc] failed to execute 'find'")
 514 |             return False
 515 | 
 516 |         str_results = out_str.split('\n')
 517 | 
 518 |         for str_result in str_results:
 519 |             if str_result.startswith('0x'):
 520 |                 return True
 521 | 
 522 |         return False
 523 | 
 524 |     # Assumes caller checked for cached mstate...
 525 |     def is_smallbin_empty(self, bidx):
 526 |         mstate = self.cached_mstate
 527 |         if mstate.smallmap & (1 << bidx):
 528 |             return False
 529 |         return True
 530 | 
 531 |     # Assumes caller checked for cached mstate...
 532 |     def is_treebin_empty(self, bidx):
 533 |         mstate = self.cached_mstate
 534 |         if mstate.treemap & (1 << bidx):
 535 |             return False
 536 |         return True
 537 | 
 538 |     # Count the number of entries in a smallbin
 539 |     # XXX - We could speed this up significantly by just reading the fd instead
 540 |     # of creating new chunks each time. Quite slow over serial
 541 |     def smallbin_count(self, bidx, depth=0, get_sz_set=False):
 542 |         sz_set = []
 543 |         if self.cached_mstate == None:
 544 |             print("Can't currently count bins without cached mstate")
 545 |             return None
 546 |         mstate = self.cached_mstate
 547 |         if bidx > len(mstate.smallbins):
 548 |             print("idx %d is outside of smallbin range")
 549 |             return None
 550 | 
 551 |         if not self.is_smallbin_empty(bidx):
 552 |             bins_addr = mstate.address + mstate.small_bins_off
 553 |             # Each index holds an fd and bck pointer
 554 |             bin_addr = bins_addr + (2*self.SIZE_SZ) * bidx
 555 |             # Due to trickery, the chunk address points to the "prev_size"
 556 |             # of the chunk which doesn't, actually exist. But we need to use
 557 |             # that address
 558 |             bin_addr -= 2*self.SIZE_SZ
 559 | 
 560 |             count = 1
 561 |             cur = dl_chunk(dl=self, addr=bin_addr)
 562 |             while cur.fd != bin_addr:
 563 |                 count += 1
 564 |                 if depth != 0 and count > depth:
 565 |                     return count
 566 |                 cur = dl_chunk(dl=self, addr=cur.fd)
 567 |                 if get_sz_set:
 568 |                     sz_set.append(self.chunksize(cur))
 569 |             if get_sz_set:
 570 |                 print(sz_set)
 571 |             return count
 572 |         return 0
 573 | 
 574 |     def treebin_count_children(self, p, depth=0, sz_set=None):
 575 |         count = 0
 576 |         if sz_set != None:
 577 |             sz_set.append(self.chunksize(p))
 578 |         if p.left != 0:
 579 |             count += 1
 580 |             if depth != 0 and count > depth:
 581 |                 return count
 582 |             chunk = dl_chunk(dl=self, addr=p.left)
 583 |             count += self.treebin_count_children(chunk, depth, sz_set)
 584 |         if p.right != 0:
 585 |             count += 1
 586 |             if depth != 0 and count > depth:
 587 |                 return count
 588 |             chunk = dl_chunk(dl=self, addr=p.right)
 589 |             count += self.treebin_count_children(chunk, depth, sz_set)
 590 |         return count
 591 | 
 592 |     # Count the number of entries in a treebin
 593 |     def treebin_count(self, bidx, depth=0, get_sz_set=False):
 594 |         if get_sz_set:
 595 |             sz_set = []
 596 |         else:
 597 |             sz_set = None
 598 |         if self.cached_mstate == None:
 599 |             print("Can't currently count bins without cached mstate")
 600 |             return None
 601 |         mstate = self.cached_mstate
 602 |         if bidx > len(mstate.treebins):
 603 |             print("idx %d is outside of treebin range")
 604 |             return None
 605 |         if not self.is_treebin_empty(bidx):
 606 |             count = 1
 607 |             cur = dl_chunk(dl=self, addr=mstate.treebins[bidx])
 608 |             count += self.treebin_count_children(cur, depth, sz_set)
 609 |             if get_sz_set:
 610 |                 print("bin sizes: " + ", ".join(("0x{:02x}".format(s) \
 611 |                                 for s in sz_set)))
 612 |             return count
 613 | 
 614 |         return 0
 615 | 
 616 |     # XXX - fixme
 617 |     def print_smallbins(self, inferior, mstate=None):
 618 |         "walk and print the small bins"
 619 | 
 620 |         print("Smallbins")
 621 | 
 622 |         pad_width = 33
 623 | 
 624 |         if mstate == None and self.cached_mstate == None:
 625 |             self.logmsg("Don't know where mstate is and no address specified")
 626 |             return
 627 | 
 628 |         if mstate == None:
 629 |             mstate = self.cached_mstate
 630 |         else:
 631 |             mstate = dl_mstate(mstate)
 632 |             if mstate == None:
 633 |                 self.logmsg("Can't print bins from bad mstate")
 634 |                 return
 635 |             else:
 636 |                 cached_mstate = mstate
 637 | 
 638 |         # XXX - This doesn't properly print everything
 639 |         for i in range(2, (self.NSMALLBINS+1), 2):
 640 | 
 641 |             print("")
 642 |             print("[ sb {:02} ] ".format(int(i/2)))
 643 |     #        print("{:#x}{:>{width}}".format(int(), "-> ", width=5), end="")
 644 |             print("[ {:#x} | {:#x} ] ".format(int(mstate.smallbins[i]), int(mstate.smallbins[i+1])))
 645 |             print("")
 646 | 
 647 |             nextc = dl_chunk(mstate.smallbins[i])
 648 |             while (1):
 649 |                 if nextc.fd == mstate.smallbins[i]:
 650 |                     break
 651 |                 print(self.chunk_info(nextc))
 652 |                 nextc = dl_chunk(nextc.fd)
 653 |     #            print("")
 654 |     #            print("{:>{width}}{:#x} | {:#x} ] ".format("[ ", int(chunk.fd), int(chunk.bk), width=pad_width))
 655 |     #            print("({})".format(int(chunksize(chunk))), end="")
 656 |     #            fd = chunk.fd
 657 |     #
 658 |     #        if sb_num != None: #only print one smallbin
 659 |     #            return
 660 |     # XXX - this currently assumes p is a chunk vs mstate
 661 |     def dispatch_callback(self, p, debug=False, caller="dlchunk"):
 662 |         if self.dlchunk_callback != None:
 663 |             size = self.chunksize(p) - p.hdr_size
 664 |             if p.data_address != None:
 665 |                 # We can provide an excess of information and the callback can
 666 |                 # choose what to use
 667 |                 cbinfo = {}
 668 |                 cbinfo["caller"] = caller
 669 |                 cbinfo["allocator"] = "dlmalloc"
 670 |                 cbinfo["version"] = self.DLMALLOC_VERSION
 671 |                 cbinfo["addr"] = p.data_address
 672 |                 if p.from_mem:
 673 |                     cbinfo["mem"] = p.mem[p.hdr_size:]
 674 |                 cbinfo["hdr_sz"] = p.hdr_size
 675 |                 cbinfo["chunksz"] = self.chunksize(p)
 676 |                 cbinfo["min_hdr_sz"] = self.INUSE_HDR_SZ
 677 |                 cbinfo["data_size"] = size
 678 |                 cbinfo["inuse"] = p.inuse
 679 |                 cbinfo["size_sz"] = self.SIZE_SZ
 680 |                 if debug:
 681 |                     cbinfo["debug"] = True
 682 |                 # We expect callback to tell us how much data it
 683 |                 # 'consumed' in printing out info
 684 |                 return self.dlchunk_callback(cbinfo)
 685 |         return 0
 686 | 
 687 | 
 688 | ################################################################################
 689 | # STRUCTURES
 690 | ################################################################################
 691 | 
 692 | class dl_structure(object):
 693 | 
 694 |     def __init__(self, dl, inferior=None):
 695 |         self.dl     = dl
 696 |         self.is_x86 = dl.SIZE_SZ == 4
 697 |         self.address = None
 698 |         self.initOK = True
 699 | 
 700 |         if inferior == None:
 701 |             self.inferior = get_inferior()
 702 |             if self.inferior == -1:
 703 |                 self.dl.logmsg("Error obtaining gdb inferior")
 704 |                 self.initOK = False
 705 |                 return
 706 |         else:
 707 |             self.inferior = inferior
 708 | 
 709 |     # XXX - move this to _gdb.py
 710 |     def _get_cpu_register(self, reg):
 711 |         """
 712 |         Get the value holded by a CPU register
 713 |         """
 714 | 
 715 |         expr = ''
 716 |         if reg[0] == '$':
 717 |             expr = reg
 718 |         else:
 719 |             expr = '$' + reg
 720 | 
 721 |         try:
 722 |             val = self._normalize_long(long(gdb.parse_and_eval(expr)))
 723 |         except Exception:
 724 |             self.dl.logmsg("[!] Did you run a process? Can't retrieve registers")
 725 |             return None
 726 |         return val
 727 | 
 728 |     def _normalize_long(self, l):
 729 |         return (0xffffffff if self.is_x86 else 0xffffffffffffffff) & l
 730 | 
 731 |     def _is_register(self, s):
 732 |         """
 733 |         Is it a valid register ?
 734 |         """
 735 |         x86_reg = ['eax', 'ebx', 'ecx', 'edx', 'esi',
 736 |                     'edi', 'esp', 'ebp', 'eip']
 737 |         x64_reg = ['rax', 'rbx', 'rcx', 'rdx', 'rsi',
 738 |                     'rdi', 'rsp', 'rbp', 'rip'] + \
 739 |                         ['r%d' % i for i in range(8, 16)]
 740 | 
 741 |         if s[0] == '$':
 742 |             s = s[1:]
 743 | 
 744 |         if s in (x86_reg if self.is_x86 else x64_reg):
 745 |             return True
 746 |         return False
 747 | 
 748 |     def _parse_base_offset(self, r):
 749 |         base = r
 750 |         offset = 0
 751 |         if "+" in r:
 752 |             # we assume it is a register or address + a hex value
 753 |             tmp = r.split("+")
 754 |             base = tmp[0]
 755 |             offset = int(tmp[1], 16)
 756 |         if "-" in r:
 757 |             # we assume it is a register or address - a hex value
 758 |             tmp = r.split("-")
 759 |             base = tmp[0]
 760 |             offset = int(tmp[1], 16)*-1
 761 |         if self._is_register(base):
 762 |             base = self._get_cpu_register(base)
 763 |             if not base:
 764 |                 return None
 765 |         else:
 766 |             try:
 767 |                 # we assume it's an address
 768 |                 base = int(base, 16)
 769 |             except Exception:
 770 |                 print('Error: not an address')
 771 |                 return None
 772 |         return base, offset
 773 | 
 774 |     def validate_addr(self, addr):
 775 |         if addr == None or addr == 0:
 776 |             self.initOK = False
 777 |             self.address = None
 778 |             return False
 779 | 
 780 |         elif type(addr) == str:
 781 |             res = self._parse_base_offset(addr)
 782 |             if res == None:
 783 |                 self.dl.logmsg('[!] first arg MUST be an addr or a register (+ optional offset)"')
 784 |                 self.initOK = False
 785 |                 return False
 786 |             self.address = res[0] + res[1]
 787 |         else:
 788 |             self.address = addr
 789 |         return True
 790 | 
 791 | 
 792 | ################################################################################
 793 | class dl_chunk(dl_structure):
 794 |     "python representation of a struct malloc_chunk {} (malloc-2.8.3.c)"
 795 | 
 796 |     def __init__(self, dl, addr=None, mem=None, size=None, inferior=None, 
 797 |             inuse=None):
 798 |         # sets self.dl, self.inferior, and self.initOK
 799 |         dl_structure.__init__(self, dl, inferior)
 800 |         if not self.initOK:
 801 |             return
 802 | 
 803 |         self.prev_size   = 0
 804 |         self.size        = 0
 805 |         self.data        = None
 806 |         self.fd          = None
 807 |         self.bk          = None
 808 | 
 809 |         # Tree chunk specific
 810 |         self.left        = None
 811 |         self.right       = None
 812 |         self.parent      = None
 813 |         self.bindex      = None
 814 | 
 815 |         # Actual chunk flags
 816 |         self.cinuse_bit  = 0
 817 |         self.pinuse_bit  = 0
 818 |         self.mmapped_bit = 0
 819 | 
 820 |         # General indicator if we are inuse
 821 |         self.inuse       = inuse
 822 |         self.istree      = False
 823 | 
 824 |         self.data_address = None
 825 |         self.hdr_size = 0
 826 | 
 827 |         self.mem = mem
 828 |         self.from_mem = False
 829 | 
 830 |         # setup self.address
 831 |         if not self.validate_addr(addr):
 832 |             return
 833 | 
 834 |         if mem == None:
 835 |             # a string of raw memory was not provided
 836 |             try:
 837 |                 # MAX_HDR_SZ is based on SIZE_SZ already
 838 |                 mem = self.inferior.read_memory(self.address, self.dl.MAX_HDR_SZ)
 839 |                 # XXX - Technically if the last chunk is only 0x10 bytes, and
 840 |                 # we read it as a MAX_HDR_SZ it will fail. Better way to do the
 841 |                 # above
 842 |             except TypeError:
 843 |                 self.dl.logmsg("Invalid address specified.")
 844 |                 self.initOK = False
 845 |                 return
 846 |             except RuntimeError:
 847 |                 self.dl.logmsg("Could not read address {0:#x}".format(self.address))
 848 |                 self.initOK = False
 849 |                 return
 850 |         else:
 851 |             self.from_mem = True
 852 |             # a string of raw memory was provided
 853 |             if self.inuse:
 854 |                 if (len(mem) != self.dl.MIN_HDR_SZ) and \
 855 |                                 (len(mem) < self.dl.FREE_HDR_SZ):
 856 |                     self.dl.logmsg("Insufficient memory provided for a dl_chunk.")
 857 |                     self.initOK = False
 858 |                     return
 859 |             else:
 860 |                 if (len(mem) != self.dl.FREE_HDR_SZ) and \
 861 |                                 (len(mem) < self.dl.FREE_HDR_SZ):
 862 |                     self.dl.logmsg("Insufficient memory provided for a free chunk.")
 863 |                     self.initOK = False
 864 |                     return
 865 | 
 866 |         # First we just read the header
 867 |         if self.dl.SIZE_SZ == 4:
 868 |             (self.prev_size,
 869 |             self.size) = struct.unpack_from("<II", mem, 0x0)
 870 |         elif self.dl.SIZE_SZ == 8:
 871 |             (self.prev_size,
 872 |             self.size) = struct.unpack_from("<QQ", mem, 0x0)
 873 | 
 874 |         # read next chunk size field to determine if current chunk is inuse
 875 |         if size == None:
 876 |             nextchunk_addr = self.address + (self.size & ~self.dl.SIZE_BITS)
 877 |             self.pinuse_bit = self.size & self.dl.PINUSE_BIT
 878 |             real_size = (self.size & ~self.dl.SIZE_BITS)
 879 |         else:
 880 |             nextchunk_addr = self.address + (size & ~self.dl.SIZE_BITS)
 881 |             self.pinuse_bit = size & self.dl.PINUSE_BIT
 882 |             real_size = size & ~self.dl.SIZE_BITS
 883 |         try:
 884 |             mem2 = self.inferior.read_memory(nextchunk_addr + self.dl.SIZE_SZ, 
 885 |                     self.dl.SIZE_SZ)
 886 |         except gdb.MemoryError:
 887 |             self.dl.logmsg("Could not read nextchunk's size. Invalid chunk address?")
 888 |             self.initOK = False
 889 |             return
 890 |         if self.dl.SIZE_SZ == 4:
 891 |             nextchunk_size = struct.unpack_from("<I", mem2, 0x0)[0]
 892 |         elif self.dl.SIZE_SZ == 8:
 893 |             nextchunk_size = struct.unpack_from("<Q", mem2, 0x0)[0]
 894 |         self.cinuse_bit = nextchunk_size & self.dl.PINUSE_BIT
 895 | 
 896 |         if inuse == None:
 897 |             if self.cinuse_bit:
 898 |                 self.inuse = True
 899 |                 self.hdr_size = self.dl.INUSE_HDR_SZ
 900 |             else:
 901 |                 self.inuse = False
 902 |         else:
 903 |             # Trust the caller is right
 904 |             self.inuse = inuse
 905 |             self.hdr_size = self.dl.INUSE_HDR_SZ
 906 | 
 907 |         if self.inuse:
 908 | #            if read_data:
 909 | #                if self.address != None:
 910 | #                    # a string of raw memory was not provided
 911 | #                    try:
 912 | #                        mem = self.inferior.read_memory(self.address, real_size + self.dl.SIZE_SZ)
 913 | #                    except TypeError:
 914 | #                        self.dl.logmsg("Invalid address specified.")
 915 | #                        return None
 916 | #                    except RuntimeError:
 917 | #                        self.dl.logmsg("Could not read address {0:#x}".format(self.address))
 918 | #                        return None
 919 | #
 920 |                 real_size = (real_size - self.dl.SIZE_SZ) / self.dl.SIZE_SZ
 921 | #                self.data = struct.unpack_from("<%dI" % real_size, mem, self.dl.INUSE_HDR_SZ)
 922 | 
 923 |         if not self.inuse:
 924 |             # We sometimes provide an address to use for reference, even when
 925 |             # we pass in mem. So can't just check for self.address != None
 926 |             if self.address != None and mem == None:
 927 |                 # a string of raw memory was not provided
 928 |                 if self.inferior != None:
 929 |                     if self.dl.SIZE_SZ == 4:
 930 |                         mem = self.inferior.read_memory(self.address, self.dl.MAX_HDR_SZ)
 931 |                     elif self.dl.SIZE_SZ == 8:
 932 |                         mem = self.inferior.read_memory(self.address, self.dl.MAX_HDR_SZ)
 933 | 
 934 |             # Both small and large chunks use a regular free chunk structure
 935 |             # There is no concept of tree chunk in dlmalloc 2.6.x
 936 |             if self.dl.SIZE_SZ == 4:
 937 |                 (self.fd, \
 938 |                 self.bk  ) = struct.unpack_from("<II", mem, self.dl.INUSE_HDR_SZ)
 939 |             elif self.dl.SIZE_SZ == 8:
 940 |                 (self.fd, \
 941 |                 self.bk  ) = struct.unpack_from("<QQ", mem, self.dl.INUSE_HDR_SZ)
 942 |             self.hdr_size = self.dl.FREE_HDR_SZ
 943 | 
 944 |         if self.address != None:
 945 |             self.data_address = self.address + self.hdr_size
 946 | 
 947 |     def __str__(self):
 948 |         if self.prev_size == 0 and self.size == 0:
 949 |             return ""
 950 |         # inuse chunk
 951 |         elif self.inuse:
 952 |             mc = "struct malloc_chunk @ "
 953 |             mc += "{:#x} ".format(self.address)
 954 |             mc += "{"
 955 |             mc += "\n{:11} = ".format("prev_size")
 956 |             mc += "{:#x}".format(self.prev_size)
 957 |             mc += "\n{:11} = ".format("size")
 958 |             mc += "{:#x}".format(self.size & ~self.dl.SIZE_BITS)
 959 |             if self.pinuse_bit == 1:
 960 |                 mc += " (PINUSE)"
 961 |             return mc
 962 |         else:
 963 |             if self.istree:
 964 |                 mc = "struct malloc_tree_chunk @ "
 965 |             else:
 966 |                 mc = "struct malloc_chunk @ "
 967 |             mc += "{:#x} ".format(self.address)
 968 |             mc += "{"
 969 |             mc += "\n{:11} = ".format("prev_size")
 970 |             mc += "{:#x}".format(self.prev_size)
 971 |             mc += "\n{:11} = ".format("head")
 972 |             mc += "{:#x}".format(self.dl.chunksize(self))
 973 |             if self.pinuse_bit == 1:
 974 |                 mc += " (PINUSE)"
 975 |             mc += "\n{:11} = ".format("fd")
 976 |             mc += "{:#x}".format(self.fd)
 977 |             mc += "\n{:11} = ".format("bk")
 978 |             mc += "{:#x}".format(self.bk)
 979 |             if self.istree:
 980 |                 mc += "\n{:11} = ".format("left")
 981 |                 mc += "{:#x}".format(self.left)
 982 |                 mc += "\n{:11} = ".format("right")
 983 |                 mc += "{:#x}".format(self.right)
 984 |                 mc += "\n{:11} = ".format("parent")
 985 |                 mc += "{:#x}".format(self.parent)
 986 |                 mc += "\n{:11} = ".format("bindex")
 987 |                 mc += "{:#x}".format(self.bindex)
 988 |             return mc
 989 | 
 990 | ################################################################################
 991 | class dl_msegment(dl_structure):
 992 |     "python representation of a struct malloc_segment"
 993 | 
 994 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
 995 |         dl_structure.__init__(self, dl)
 996 |         #super(dl_msegment, self).__init__()
 997 |         self.dl     = dl
 998 | 
 999 |         self.base   = 0
1000 |         self.size   = 0
1001 |         self.next   = 0
1002 |         self.sflags = 0
1003 | 
1004 |         if addr == None or addr == 0:
1005 |             if mem == None:
1006 |                 self.dl.logmsg("Please specify a valid struct dl_chunk address.")
1007 |                 self.initOK = False
1008 |                 return
1009 | 
1010 |             self.address = None
1011 |         elif type(addr) == str:
1012 |             res = self._parse_base_offset(addr)
1013 |             if res == None:
1014 |                 print('The first argument MUST be either an address or a register (+ optional offset)"')
1015 |                 self.initOK = False
1016 |                 return
1017 |             self.address = res[0] + res[1]
1018 |         else:
1019 |             self.address = addr
1020 | 
1021 |         if inferior == None and mem == None:
1022 |             inferior = get_inferior()
1023 |             if inferior == -1:
1024 |                 return None
1025 | 
1026 |         if self.address != None:
1027 |             # a string of raw memory was not provided
1028 |             if inferior != None:
1029 |                 mem = inferior.read_memory(self.address, self.dl.MSEGMENT_SZ)
1030 | 
1031 |         if mem == None:
1032 |             # a string of raw memory was not provided
1033 |             try:
1034 |                 mem = inferior.read_memory(self.address, self.dl.MSEGMENT_SZ)
1035 |             except TypeError:
1036 |                 self.dl.logmsg("Invalid address specified.")
1037 |                 self.initOK = False
1038 |                 return
1039 |             except RuntimeError:
1040 |                 self.dl.logmsg("Could not read address {0:#x}".format(self.address))
1041 |                 self.initOK = False
1042 |                 return
1043 | 
1044 |         # We either need to read a regular free chunk or a tree chunk
1045 |         if self.dl.SIZE_SZ == 4:
1046 |             (self.base,
1047 |             self.size,
1048 |             self.next,
1049 |             self.sflags) = struct.unpack_from("<4I", mem, 0)
1050 |         elif self.dl.SIZE_SZ == 8:
1051 |             (self.base, \
1052 |             self.size,
1053 |             self.next,
1054 |             self.sflags) = struct.unpack_from("<4Q", mem, 0)
1055 | 
1056 |     def __str__(self):
1057 |         mc = "struct malloc_segment @ "
1058 |         mc += "{:#x} ".format(self.address)
1059 |         mc += "{"
1060 |         mc += "\n{:11} = ".format("base")
1061 |         mc += "{:#x}".format(self.base)
1062 |         mc += "\n{:11} = ".format("size")
1063 |         mc += "{:#x}".format(self.size)
1064 |         mc += "\n{:11} = ".format("next")
1065 |         mc += "{:#x}".format(self.next)
1066 |         mc += "\n{:11} = ".format("sflags")
1067 |         mc += "{:#x}".format(self.sflags)
1068 |         return mc
1069 | 
1070 | ################################################################################
1071 | # XXX: make it inherit from dl_structure
1072 | class dl_mstate:
1073 |     "python representation of a struct malloc_state {} (malloc-2.8.3.c)"
1074 | 
1075 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
1076 |         self.initOK        = False
1077 |         self.dl            = dl
1078 | 
1079 |         # mstate structure members
1080 |         self.smallmap      = 0
1081 |         self.treemap       = 0
1082 |         self.dvsize        = 0
1083 |         self.topsize       = 0
1084 |         self.least_addr    = 0
1085 |         self.dv            = 0
1086 |         self.top           = 0
1087 |         self.trim_check    = 0
1088 |         self.magic         = 0
1089 |         self.smallbins     = None
1090 |         self.treebins      = None
1091 |         self.footprint     = 0
1092 |         self.max_footprint = 0
1093 |         self.mflags        = 0
1094 |         self.mutex         = [] # We rely on being able to use len on this so
1095 |                                 # want it to be something like an empty list
1096 |         self.seg           = None # dl_msegment
1097 |         self.size = self.dl.MSTATE_SZ
1098 | 
1099 |         # printing options
1100 |         self.prefix_address = False # show address of each member when printed
1101 | 
1102 |         if addr == None or addr == 0:
1103 |             if mem == None:
1104 |                 self.dl.logmsg("Please specify a valid struct dl_mstate address.")
1105 |                 return None
1106 |             self.address = None
1107 |         else:
1108 |             self.address = addr
1109 | 
1110 |         if inferior == None and mem == None:
1111 |             inferior = get_inferior()
1112 |             if inferior == -1:
1113 |                 return None
1114 | 
1115 |         if mem == None:
1116 |             # a string of raw memory was not provided
1117 |             try:
1118 |                 # read more bytes to support the segment size bruteforce below?
1119 |                 mem = inferior.read_memory(addr, self.dl.MSTATE_SZ) #+0x30)
1120 |             except TypeError:
1121 |                 self.dl.logmsg("Invalid address specified.")
1122 |                 self.initOK = False
1123 |                 return None
1124 |             except RuntimeError:
1125 |                 self.dl.logmsg("Could not read address {0:#x}".format(addr))
1126 |                 self.initOK = False
1127 |                 return
1128 |         else:
1129 |             if len(mem) != self.dl.MSTATE_SZ:
1130 |                 self.dl.logmsg("Insufficient memory provided for a struct dl_mstate")
1131 |                 self.initOK = False
1132 |                 return None
1133 | 
1134 |         # The offset values can likely be the same for both SIZE_SZ
1135 |         if self.dl.SIZE_SZ == 4:
1136 |             # I do the 2 * explicitly to denote the unused part which is
1137 |             # technically part of smallbins in the source, but not actually
1138 |             # used
1139 |             self.small_bins_off = (9 * self.dl.SIZE_SZ) + (2 * self.dl.SIZE_SZ)
1140 |             nsbins = (self.dl.NSMALLBINS * 2) # in src is (NSMALLINBS+1)*2
1141 |             self.tree_bins_off = self.small_bins_off + \
1142 |                                  (nsbins * self.dl.SIZE_SZ)
1143 |             self.footprint_off = self.tree_bins_off + \
1144 |                                  (self.dl.NTREEBINS * self.dl.SIZE_SZ)
1145 | 
1146 |             (self.smallmap,
1147 |              self.treemap,
1148 |              self.dvsize,
1149 |              self.topsize,
1150 |              self.least_addr,
1151 |              self.dv,
1152 |              self.top,
1153 |              self.trim_check,
1154 |              self.magic) = struct.unpack_from("<9I", mem, 0x0)
1155 |             self.unused = struct.unpack_from("<2I", mem, self.small_bins_off)
1156 |             self.smallbins = struct.unpack_from("<%dI" % nsbins, mem, 
1157 |                     self.small_bins_off)
1158 |             self.treebins = struct.unpack_from("<%dI" % self.dl.NTREEBINS, mem, 
1159 |                     self.tree_bins_off)
1160 |             (self.footprint,
1161 |              self.max_footprint,
1162 |              self.mflags) = struct.unpack_from("<3I", mem, self.footprint_off)
1163 | 
1164 |             # NOTE: This is only present of USE_LOCKS is defined, which for
1165 |             # now we assume is true. However, not only that, but the
1166 |             # pthread_mutex_t structure can change. We have observed
1167 |             # 0x10 and 0x14 bytes. We don't want to hardcode this, so we rely
1168 |             # on the fact that the dl_msegment structure should have an address
1169 |             # value that matches the self.least_addr if our sizeof(mutex) guess 
1170 |             # is right.
1171 |             # If it is wrong, we adjust the size and try again
1172 |             # For general ref of a 0x14-byte mutex see:
1173 |             # http://www.jbox.dk/sanos/source/include/pthread.h.html
1174 |             mutex_off = self.footprint_off + (3*self.dl.SIZE_SZ)
1175 |             mutex_dwords = 5
1176 |             while mutex_dwords > 0:
1177 |                 seg_off =  mutex_off + (mutex_dwords * self.dl.SIZE_SZ)
1178 |                 self.mutex = struct.unpack_from("<%dI" % mutex_dwords, mem, 
1179 |                         mutex_off)
1180 |                 self.seg = dl_msegment(self.dl, self.address + seg_off, 
1181 |                         mem[seg_off:])
1182 |                 if self.seg.base != self.least_addr:
1183 |                     mutex_dwords -= 1
1184 |                 else:
1185 |                     break
1186 | 
1187 |             if mutex_dwords == 0:
1188 |                 self.seg = dl_msegment(self.dl, self.address + mutex_off,
1189 |                         mem[mutex_off:])
1190 |                 if self.seg.base != self.least_addr:
1191 |                     self.dl.logmsg("Problem reading dlsegment")
1192 |                     return
1193 | 
1194 |         elif self.dl.SIZE_SZ == 8:
1195 |             # See 32-bit comments for the explicit 2*SIZE_SZ
1196 |             self.small_bins_off = 2*4 + 7*self.dl.SIZE_SZ + (2*self.dl.SIZE_SZ)
1197 |             nsbins = (self.dl.NSMALLBINS * 2)
1198 |             self.tree_bins_off = self.small_bins_off + \
1199 |                                     (nsbins * self.dl.SIZE_SZ)
1200 |             self.footprint_off = self.tree_bins_off + \
1201 |                                     (self.dl.NTREEBINS * self.dl.SIZE_SZ)
1202 |             mutex_off = self.footprint_off + 0x14
1203 |             seg_off =  mutex_off + 0x2C
1204 |             (self.smallmap,
1205 |              self.treemap,
1206 |              self.dvsize,
1207 |              self.topsize,
1208 |              self.least_addr,
1209 |              self.dv,
1210 |              self.top,
1211 |              self.trim_check,
1212 |              self.magic) = struct.unpack_from("<2I7Q", mem, 0x0)
1213 |             # XXX - since the very base index isn't used due to some 
1214 |             # quirks, it would simplify code elsewhere to unpack it into some
1215 |             # unused/unprinted location
1216 |             # This is missing self.unused and instead calculates exact
1217 |             # small_bins_off
1218 |             self.smallbins = struct.unpack_from("<%dQ" % nsbins, mem, 
1219 |                     self.small_bins_off)
1220 |             self.treebins = struct.unpack_from("<%dQ" % self.dl.NTREEBINS, mem,
1221 |                     self.tree_bins_off)
1222 |             (self.footprint,
1223 |              self.max_footprint,
1224 |              self.mflags) = struct.unpack_from("<2QI", mem, self.footprint_off)
1225 | 
1226 |             mutex_dwords = 5
1227 |             while mutex_dwords > 0:
1228 |                 seg_off =  mutex_off + 4 + (mutex_dwords * self.dl.SIZE_SZ)
1229 |                 self.mutex = struct.unpack_from("<I%dQ" % mutex_dwords, mem, 
1230 |                         mutex_off)
1231 |                 self.seg = dl_msegment(self.dl, self.address + seg_off, 
1232 |                         mem[seg_off:])
1233 |                 if self.seg.base != self.least_addr:
1234 |                     mutex_dwords -= 1
1235 |                 else:
1236 |                     break
1237 | 
1238 |             if mutex_dwords == 0:
1239 |                 self.seg = dl_msegment(self.dl, self.address + mutex_off, 
1240 |                         mem[mutex_off:])
1241 |                 if self.seg.base != self.least_addr:
1242 |                     self.dl.logmsg("Problem reading dlsegment")
1243 |                     return
1244 | 
1245 |         # XXX - why 5?
1246 |         self.size = self.size - (5 - mutex_dwords)*self.dl.SIZE_SZ
1247 |         self.initOK = True
1248 |         self.dl.cached_mstate = self
1249 | 
1250 |     def __str__(self):
1251 |             mc = "struct dl_mstate @ "
1252 |             mc += "{:#x} ".format(self.address)
1253 |             mc += "{"
1254 |             mc += "\n{:11} = ".format("smallmap")
1255 |             mc += "{:#032b}".format(self.smallmap, '032b')
1256 |             mc += "\n{:11} = ".format("treemap")
1257 |             mc += "{:#032b}".format(self.treemap)
1258 |             mc += "\n{:11} = ".format("dvsize")
1259 |             mc += "{:#x}".format(self.dvsize)
1260 |             mc += "\n{:11} = ".format("topsize")
1261 |             mc += "{:#x}".format(self.topsize)
1262 |             mc += "\n{:11} = ".format("least_addr")
1263 |             mc += "{:#x}".format(self.least_addr)
1264 |             mc += "\n{:11} = ".format("dv")
1265 |             mc += "{:#x}".format(self.dv)
1266 |             mc += "\n{:11} = ".format("top")
1267 |             mc += "{:#x}".format(self.top)
1268 |             mc += "\n{:11} = ".format("trim_check")
1269 |             mc += "{:#x}".format(self.trim_check)
1270 |             mc += "\n{:11} = ".format("magic")
1271 |             mc += "{:#x}".format(self.magic)
1272 |             # NOTE: We don't print self.unused because it has no purpose
1273 |             # We rely on self.unused to keep the code below simpler though
1274 |             i = 0
1275 |             while i < len(self.smallbins):
1276 |                 bidx = int(i/2)
1277 |                 maxsz = (bidx * 8)
1278 |                 mc += "\n{:12} ".format("smallbin[%02d]" % bidx)
1279 |                 mc += "{:10} = ".format("(sz 0x%x)" % maxsz)
1280 |                 mc += "{:#10x}, ".format(self.smallbins[i])
1281 |                 mc += "{:#10x}".format(self.smallbins[i+1])
1282 |                 if self.smallmap & (1 << bidx) == 0:
1283 |                     mc += " [EMPTY]"
1284 |                 i += 2
1285 |             # XXX - make this look nicer in output
1286 |             i = 0
1287 |             while i < len(self.treebins):
1288 |                 maxsz = self.dl.treebin_sz[i]
1289 |                 mc += "\n{:10} ".format("treebin[%02d]" % i)
1290 |                 mc += "{:15} = ".format("(sz 0x%x)" % maxsz)
1291 |                 mc += "{:#10x}".format(self.treebins[i])
1292 |                 if self.treemap & (1 << i) == 0:
1293 |                     mc += " [EMPTY]"
1294 |                 i += 1
1295 |             mc += "\n{:11} = ".format("footprint")
1296 |             mc += "{:#x}".format(self.footprint)
1297 |             mc += "\n{:11} = ".format("max_footprint")
1298 |             mc += "{:#x}".format(self.max_footprint)
1299 |             mc += "\n{:11} = ".format("mflags")
1300 |             mc += "{:#x}".format(self.mflags)
1301 |             i = 0
1302 |             mc += "\n{:11} = ".format("mutex")
1303 |             while i < len(self.mutex):
1304 |                 mc += "{:#x},".format(self.mutex[i])
1305 |                 i += 1
1306 |             i = 0
1307 |             mc += "\nseg = %s" % self.seg
1308 |             return mc
1309 | 
1310 | ################################################################################
1311 | class malloc_params:
1312 |     "python representation of a struct malloc_params"
1313 | 
1314 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
1315 |         self.dl = dl
1316 |         self.magic = 0
1317 |         self.page_size = 0
1318 |         self.granularity = 0
1319 |         self.mmap_threshold   = 0
1320 |         self.trim_threshold   = 0
1321 |         self.default_mflags = 0
1322 | 
1323 |         if addr == None:
1324 |             if mem == None:
1325 |                 self.dl.logmsg("Please specify a struct malloc_par address.")
1326 |                 return None
1327 | 
1328 |             self.address = None
1329 |         else:
1330 |             self.address = addr
1331 | 
1332 |         if inferior == None and mem == None:
1333 |             inferior = get_inferior()
1334 |             if inferior == -1:
1335 |                 return None
1336 | 
1337 |         if mem == None:
1338 |             # a string of raw memory was not provided
1339 |             try:
1340 |                 mem = inferior.read_memory(addr, self.dl.MALLOC_PARAM_SZ)
1341 |             except TypeError:
1342 |                 self.dl.logmsg("Invalid address specified.")
1343 |                 return None
1344 |             except RuntimeError:
1345 |                 self.dl.logmsg("Could not read address {0:#x}".format(addr))
1346 |                 return
1347 | 
1348 |         if self.dl.SIZE_SZ == 4:
1349 |             (self.magic, \
1350 |             self.page_size, \
1351 |             self.granularity, \
1352 |             self.mmap_threshold  , \
1353 |             self.trim_threshold  , \
1354 |             self.default_mflags) = struct.unpack("<6I", mem)
1355 |         elif self.dl.SIZE_SZ == 8:
1356 |             (self.magic, \
1357 |             self.page_size, \
1358 |             self.granularity, \
1359 |             self.mmap_threshold  , \
1360 |             self.trim_threshold  , \
1361 |             self.default_mflags) = struct.unpack("<5QI", mem)
1362 | 
1363 |     def __str__(self):
1364 |         mp = "struct malloc_params {"
1365 |         mp += "\n{:16} = ".format("magic")
1366 |         mp += "{:#x}".format(self.magic)
1367 |         mp += "\n{:16} = ".format("page_size")
1368 |         mp += "{:#x}".format(self.page_size)
1369 |         mp += "\n{:16} = ".format("granularity")
1370 |         mp += "{:#x}".format(self.granularity)
1371 |         mp += "\n{:16} = ".format("mmap_threshold")
1372 |         mp += "{:#x}".format(self.mmap_threshold)
1373 |         mp += "\n{:16} = ".format("trim_threshold")
1374 |         mp += "{:#x}".format(self.trim_threshold)
1375 |         mp += "\n{:16} = ".format("default_mflags")
1376 |         mp += "{:#x}".format(self.default_mflags)
1377 |         return mp
1378 | 
1379 | # XXX import this stuff from a separate file
1380 | if is_gdb:
1381 | ################################################################################
1382 | # GDB COMMANDS
1383 | ################################################################################
1384 | 
1385 | # This is a super class with few convenience methods to let all the cmds parse
1386 | # gdb variables easily
1387 |     class dlcmd(gdb.Command):
1388 | 
1389 |         def __init__(self, dl, name):
1390 |             self.dl = dl
1391 |             super(dlcmd, self).__init__(name, gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1392 | 
1393 |         def parse_var(self, var):
1394 |             if self.dl.SIZE_SZ == 4:
1395 |                 p = self.tohex(int(gdb.parse_and_eval(var)), 32)
1396 |             elif self.dl.SIZE_SZ == 8:
1397 |                 p = self.tohex(int(gdb.parse_and_eval(var)), 64)
1398 |             return int(p, 16)
1399 | 
1400 |         # Because python is incapable of turning a negative integer into a hex value
1401 |         # easily apparently...
1402 |         def tohex(self, val, nbits):
1403 |             result = hex((val + (1 << nbits)) % (1 << nbits))
1404 |             # -1 because hex() only sometimes tacks on a L to hex values...
1405 |             if result[-1] == 'L':
1406 |                 return result[:-1]
1407 |             else:
1408 |                 return result
1409 | 
1410 | ################################################################################
1411 |     class dlhelp(dlcmd):
1412 |         "Details about all libdlmalloc gdb commands"
1413 | 
1414 |         def __init__(self, dl, help_extra=None):
1415 |             self.help_extra = help_extra
1416 |             dlcmd.__init__(self, dl, "dlhelp")
1417 | 
1418 |         def invoke(self, arg, from_tty):
1419 |             self.dl.logmsg('dlmalloc commands for gdb')
1420 |             if self.help_extra != None:
1421 |                 self.dl.logmsg(self.help_extra)
1422 |             self.dl.logmsg('dlchunk    : show one or more chunks metadata and contents')
1423 |             self.dl.logmsg('dlmstate   : print mstate structure information. caches address after first use')
1424 |             self.dl.logmsg('dlcallback : register a callback or query/modify callback status')
1425 |             self.dl.logmsg('dlhelp     : this help message')
1426 |             self.dl.logmsg('NOTE: Pass -h to any of these commands for more extensive usage. Eg: dlchunk -h')
1427 | 
1428 |     class dlcallback(dlcmd):
1429 |         "Manage callbacks"
1430 | 
1431 |         def __init__(self, dl):
1432 |             dlcmd.__init__(self, dl, "dlcallback")
1433 | #        super(dlcallback, self).__init__("dlcallback", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1434 |             self.dl = dl
1435 | 
1436 |         def help(self):
1437 |             self.dl.logmsg('usage: dlcallback <option>')
1438 |             self.dl.logmsg(' disable                  temporarily disable the registered callback')
1439 |             self.dl.logmsg(' enable                   enable the registered callback')
1440 |             self.dl.logmsg(' status                   check if a callback is registered')
1441 |             self.dl.logmsg(' clear                    forget the registered callback')
1442 |             self.dl.logmsg(' register <name> <module> use a global function <name> as callback from <module>')
1443 |             self.dl.logmsg('                          ex: register mpcallback libmempool/libmempool')
1444 | 
1445 |         def invoke(self, arg, from_tty):
1446 |             if arg == '':
1447 |                 self.help()
1448 |                 return
1449 | 
1450 |             arg = arg.lower()
1451 |             if arg.find("enable") != -1:
1452 |                 self.dl.dlchunk_callback = self.dl.dlchunk_callback_cached
1453 |                 self.dl.logmsg('callback enabled')
1454 |                 if self.dl.dlchunk_callback == None:
1455 |                     self.dl.logmsg('NOTE: callback was enabled, but is unset')
1456 |             elif arg.find("disable") != -1:
1457 |                 self.dl.dlchunk_callback_cached = self.dl.dlchunk_callback
1458 |                 self.dl.dlchunk_callback = None
1459 |                 self.dl.logmsg('callback disabled')
1460 |             elif arg.find("clear") != -1:
1461 |                 self.dl.dlchunk_callback = None
1462 |                 self.dl.dlchunk_callback_cached = None
1463 |                 self.dl.logmsg('callback cleared')
1464 |             elif arg.find("status") != -1:
1465 |                 if self.dl.dlchunk_callback:
1466 |                     self.dl.logmsg('a callback is registered and enabled')
1467 |                 elif self.dl.dlchunk_callback == None and \
1468 |                          self.dl.dlchunk_callback_cached:
1469 |                     self.dl.logmsg('a callback is registered and disabled')
1470 |                 else:
1471 |                     self.dl.logmsg('a callback is not registered')
1472 |             elif arg.find("register") != -1:
1473 |                 args = arg.split(' ')
1474 |                 if len(args) < 2:
1475 |                     self.dl.logmsg('[!] Must specify object name')
1476 |                     self.help()
1477 |                     return
1478 |                 if args[1] not in globals():
1479 |                     if len(args) == 3:
1480 |                         try:
1481 |                             modpath = os.path.dirname(args[2])
1482 |                             modname = os.path.basename(args[2])
1483 |                             if modpath != "": 
1484 |                                 if modpath[0] == '/':
1485 |                                     sys.path.insert(0, modpath)
1486 |                                 else:
1487 |                                     sys.path.insert(0, os.path.join(os.getcwd(), 
1488 |                                                 modpath))
1489 |                             mod  = importlib.import_module(modname)
1490 |                             importlib.reload(mod)
1491 |                             if args[1] in dir(mod):
1492 |                                 self.dl.dlchunk_callback = getattr(mod, args[1])
1493 |                                 self.dl.dlchunk_callback_cached = None
1494 |                         except Exception as e:
1495 |                             self.dl.logmsg("[!] Couldn't load module: %s" % args[2])
1496 |                             print(e)
1497 |                     else:
1498 |                         self.dl.logmsg("[!] Couldn't find object %s. Specify module" % 
1499 |                                 args[1])
1500 |                         self.help()
1501 |                 else:
1502 |                     self.dl.dlchunk_callback = globals()[args[1]]
1503 |                     self.dl.dlchunk_callback_cached = None
1504 |                 self.dl.logmsg('%s registered as callback' % args[1])
1505 |             else:
1506 |                 self.help()
1507 | 
1508 | ################################################################################
1509 |     class dlchunk(dlcmd):
1510 |         "print a comprehensive view of a dlchunk"
1511 | 
1512 |         def __init__(self, dl):
1513 | #        dlcmd.__init__(self, dl)
1514 |             dlcmd.__init__(self, dl, "dlchunk")
1515 | #        super(dlchunk, self).__init__("dlchunk", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1516 |             self.dl = dl
1517 | 
1518 |         def help(self):
1519 |             self.dl.logmsg('usage: dlchunk [-v] [-f] [-x] [-c <count>] <addr>')
1520 |             self.dl.logmsg(' <addr>  a dlmalloc chunk header')
1521 |             self.dl.logmsg(' -v      use verbose output (multiples for more verbosity)')
1522 |             self.dl.logmsg(' -f      use <addr> explicitly, rather than be smart')
1523 |             self.dl.logmsg(' -x      hexdump the chunk contents')
1524 |             self.dl.logmsg(' -m      max bytes to dump with -x')
1525 |             self.dl.logmsg(' -c      number of chunks to print')
1526 |             # I suspect we want this to be a different command?
1527 |             self.dl.logmsg(' -s      search pattern when print chunks')
1528 |             self.dl.logmsg(' --depth depth to search inside chunk')
1529 |             self.dl.logmsg(' -d      debug and force printing stuff')
1530 |             self.dl.logmsg("Flag legend: P=PINUSE")
1531 |             return
1532 | 
1533 |         @has_inferior
1534 |         def invoke(self, arg, from_tty):
1535 |             "Usage can be obtained via dlmalloc -h"
1536 |             try:
1537 | 
1538 |                 if arg == '':
1539 |                     self.help()
1540 |                     return
1541 | 
1542 |                 verbose = 0
1543 |                 force = False
1544 |                 hexdump = False
1545 |                 maxbytes = 0
1546 | 
1547 |                 s_found = False
1548 |                 c_found = False
1549 |                 m_found = False
1550 |                 depth_found = False
1551 |                 debug = False
1552 |                 count = 1
1553 |                 search_val = None
1554 |                 search_depth = 0
1555 |                 for item in arg.split():
1556 |                     if m_found:
1557 |                         if item.find("0x") != -1:
1558 |                             maxbytes = int(item, 16)
1559 |                         else:
1560 |                             maxbytes = int(item)
1561 |                         m_found = False
1562 |                     elif depth_found:
1563 |                         if item.find("0x") != -1:
1564 |                             search_depth = int(item, 16)
1565 |                         else:
1566 |                             search_depth = int(item)
1567 |                         depth_found = False
1568 |                     elif s_found:
1569 |                         if item.find("0x") != -1:
1570 |                             search_val = item
1571 |                         s_found = False
1572 |                     elif c_found:
1573 |                         count = int(item)
1574 |                         c_found = False
1575 |                     elif item.find("-v") != -1:
1576 |                         verbose += 1
1577 |                     elif item.find("-f") != -1:
1578 |                         force = True
1579 |                     elif item.find("-x") != -1:
1580 |                         hexdump = True
1581 |                     elif item.find("-m") != -1:
1582 |                         m_found = True
1583 |                     elif item.find("-s") != -1:
1584 |                         s_found = True
1585 |                     elif item.find("--depth") != -1:
1586 |                         depth_found = True 
1587 |                     elif item.find("-c") != -1:
1588 |                         c_found = True
1589 |                     # XXX Probably make this a helper
1590 |                     elif item.find("0x") != -1:
1591 |                         if item.find("-") != -1 or item.find("+") != -1:
1592 |                             p = self.parse_var(item)
1593 |                         else:
1594 |                             try:
1595 |                                 p = int(item, 16)
1596 |                             except ValueError:
1597 |                                 p = self.parse_var(item)
1598 |                     elif item.find("$") != -1:
1599 |                         p = self.parse_var(item)
1600 |                     elif item.find("-d") != -1:
1601 |                         debug = True # This is an undocumented dev option
1602 |                     elif item.find("-h") != -1:
1603 |                         self.help()
1604 |                         return
1605 | 
1606 |                 if p == None:
1607 |                     print("WARNING: No address supplied?")
1608 |                     self.help()
1609 |                     return
1610 | 
1611 |                 p = dl_chunk(self.dl, p)
1612 |                 dump_offset = 0
1613 |                 while True:
1614 |                     suffix = ""
1615 |                     if search_val != None:
1616 |                         # Don't print if the chunk doesn't have the pattern
1617 |                         if not self.dl.search_chunk(p, search_val, 
1618 |                                 depth=search_depth):
1619 |                             suffix = " [NO MATCH]"
1620 |                         else:
1621 |                             suffix = " [MATCH]"
1622 | 
1623 |                     if verbose == 0:
1624 |                         print(self.dl.chunk_info(p) + suffix)
1625 |                     elif verbose == 1:
1626 |                         print(p)
1627 |                         dump_offset = self.dl.dispatch_callback(p, debug=debug)
1628 |                     if hexdump:
1629 |                         self.dl.hexdump(p, maxbytes, dump_offset)
1630 |                     count -= 1
1631 |                     if count != 0:
1632 |                         if verbose or hexdump:
1633 |                             print('--')
1634 |                         if self.dl.is_end_chunk(p) and force == False:
1635 |                             print("<<< end of heap segment >>>")
1636 |                             break
1637 |                         if self.dl.chunksize(p) == 0:
1638 |                             print("[!] Detected chunksz 0")
1639 |                             break
1640 |                         p = dl_chunk(self.dl, addr=(p.address + self.dl.chunksize(p)))
1641 |                         if p.initOK == False:
1642 |                             break
1643 |                     else:
1644 |                         break
1645 |             except Exception as e:
1646 |                 show_last_exception()
1647 | 
1648 | ################################################################################
1649 |     class dlmstate(dlcmd):
1650 |         "print a comprehensive view of a dlmstate"
1651 | 
1652 |         def __init__(self, dl):
1653 |             dlcmd.__init__(self, dl, "dlmstate")
1654 | #        super(dlmstate, self).__init__("dlmstate", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1655 |             self.dl = dl
1656 | 
1657 |         def help(self):
1658 |             self.dl.logmsg('usage: dlmstate [-v] [-f] [-x] [-c <count>] <addr>')
1659 |             self.dl.logmsg(' <addr>  a mstate struct addr. Optional if mstate cached')
1660 |             self.dl.logmsg(' -v      use verbose output (multiples for more verbosity)')
1661 |             self.dl.logmsg(' -c      print bin counts')
1662 |             self.dl.logmsg(' --depth how deep to count each bin (default 10)')
1663 |             self.dl.logmsg(' NOTE: Last defined mstate will be cached for future use')
1664 |             return
1665 | 
1666 |         # This should be in dl_helper probably
1667 |         def print_bin_counts(self, p, depth=10):
1668 |             mc = ""
1669 |             i = 0
1670 |             while i < len(p.smallbins):
1671 |                 bidx = int(i/2)
1672 |                 maxsz = (bidx * 8)
1673 |                 mc += "\n{:12} ".format("smallbin[%02d]" % bidx)
1674 |                 mc += "{:10} = ".format("(sz 0x%x)" % maxsz)
1675 |                 mc += "{:#10x}, ".format(p.smallbins[i])
1676 |                 mc += "{:#10x}".format(p.smallbins[i+1])
1677 |                 if p.smallmap & (1 << bidx) == 0:
1678 |                     mc += " [EMPTY]"
1679 |                 else:
1680 |                     count = self.dl.smallbin_count(bidx, depth)
1681 |                     if count > depth:
1682 |                         mc += " [%d+]" % depth
1683 |                     else:
1684 |                         mc += " [%d]" % count
1685 |                 i += 2
1686 |             i = 0
1687 |             while i < len(p.treebins):
1688 |                 maxsz = self.dl.treebin_sz[i]
1689 |                 mc += "\n{:10} ".format("treebin[%02d]" % i)
1690 |                 mc += "{:15} = ".format("(sz 0x%x)" % maxsz)
1691 |                 mc += "{:#10x}".format(p.treebins[i])
1692 |                 if p.treemap & (1 << i) == 0:
1693 |                     mc += " [EMPTY]"
1694 |                 else:
1695 |                     count = self.dl.treebin_count(i, depth)
1696 |                     if count > depth:
1697 |                         mc += " [%d+]" % depth
1698 |                     else:
1699 |                         mc += " [%d]" % count
1700 | 
1701 |                 i += 1
1702 |             print(mc)
1703 | 
1704 |         @has_inferior
1705 |         def invoke(self, arg, from_tty):
1706 | 
1707 |             if self.dl.cached_mstate == None and (arg == None or arg == ''):
1708 |                 self.help()
1709 |                 return
1710 | 
1711 |             verbose = 0
1712 |             bincount = False
1713 |             p = None
1714 |             count_depth = 10
1715 |             depth_found = False
1716 |             if arg != None:
1717 |                 for item in arg.split():
1718 |                     if item.find("-v") != -1:
1719 |                         verbose += 1
1720 |                     elif item.find("-c") != -1:
1721 |                         bincount = True
1722 |                     elif item.find("--depth") != -1:
1723 |                         depth_found = True 
1724 |                     elif depth_found:
1725 |                         if item.find("0x") != -1:
1726 |                             count_depth = int(item, 16)
1727 |                         else:
1728 |                             count_depth = int(item)
1729 |                         depth_found = False
1730 |                     elif item.find("0x") != -1:
1731 |                         p = int(item, 16)
1732 |                     elif item.find("$") != -1:
1733 |                         p = self.parse_var(item)
1734 |                     elif item.find("-h") != -1:
1735 |                         self.help()
1736 |                         return
1737 | 
1738 |             if p == None and self.dl.cached_mstate == None:
1739 |                 print("WARNING: No address supplied?")
1740 |                 self.help()
1741 |                 return
1742 | 
1743 |             if p != None:
1744 |                 p = dl_mstate(self.dl, p)
1745 |             else:
1746 |                 self.dl.logmsg("Using cached mstate")
1747 |                 p = self.dl.cached_mstate
1748 | 
1749 |             if p.topsize == 0 or p.least_addr == 0:
1750 |                 self.dl.logmsg("[!] doesn't appeart be a valid mstate")
1751 | 
1752 |             # Assume we couldn't read it from memory
1753 |             if p.initOK == False:
1754 |                 return
1755 | 
1756 |             if bincount:
1757 |                 self.print_bin_counts(p, count_depth)
1758 |                 return
1759 | 
1760 |             if verbose == 0:
1761 |                 print(p)
1762 |             # XXX - not sure what all verbose should show
1763 |             elif verbose == 1:
1764 |                 # XXX - Not sure this is the best way to do this :|
1765 |                 p.prefix_address = True
1766 |                 print(p)
1767 |                 p.prefix_address = False
1768 | 
1769 |             if self.dl.dlchunk_callback != None:
1770 |                 if p != None:
1771 |                     cbinfo = {}
1772 |                     cbinfo["caller"] = "dlmstate"
1773 |                     cbinfo["allocator"] = "dlmalloc"
1774 |                     cbinfo["size_sz"] = self.dl.SIZE_SZ
1775 |                     cbinfo["addr"] = p.address + p.size
1776 |                     self.dl.dlchunk_callback(cbinfo)
1777 | 
1778 | # XXX - finish me
1779 |     class dlsearch(dlcmd):
1780 |         def __init__(self):
1781 |             super(dlsearch, self).__init__("dlsearch", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1782 | 
1783 |         def help(self):
1784 |             self.dl.logmsg('usage: dlsearch <hex> <min_size> <max_size>')
1785 | 
1786 |         def invoke(self, arg, from_tty):
1787 |             if arg == '':
1788 |                 self.help()
1789 |                 return
1790 |             arg = arg.split()
1791 |             #if arg[0].find("0x") == -1 or (len(arg[0]) != 10 and len(arg[0]) != 18):
1792 |             #    self.dl.logmsg("you need to provide a word or giant word for hex")
1793 |             #    return
1794 |             search_for = arg[0]
1795 |             if len(arg) > 3:
1796 |                 self.help()
1797 |                 return
1798 |             if len(arg) >= 2:
1799 |                 max_size = int(arg[1], 16)
1800 |             else:
1801 |                 max_size = 0
1802 |             if len(arg) == 3:
1803 |                 min_size = int(arg[1], 16)
1804 |             else:
1805 |                 min_size = 0
1806 | 
1807 |             # need segment parsing
1808 | #            while ar_ptr != main_arena_address:
1809 | #                self.dl.logmsg("Handling arena @ 0x%x" % dl_mstate(ar_ptr).address)
1810 | #
1811 | #                results = dl.search_heap(ar_ptr, search_for, min_size, max_size)
1812 | #
1813 | #                if len(results) == 0:
1814 | #                    self.dl.logmsg('value %s not found' % (search_for))
1815 | #                    return
1816 | #
1817 | #                for result in results:
1818 | #                    self.dl.logmsg("%s found in chunk at 0x%lx" % (search_for, int(result)))
1819 | 
1820 | if __name__ == "__main__":
1821 |     dlh = dl_helper()
1822 |     dlhelp(dlh)
1823 |     dlchunk(dlh)
1824 |     dlmstate(dlh)
1825 |     dlcallback(dlh)
1826 |     dlh.logmsg("loaded")
1827 | 


--------------------------------------------------------------------------------
/libdlmalloc_28x.py:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/python3
   2 | #
   3 | # This file is part of libdlmalloc.
   4 | # Copyright (c) 2017, Aaron Adams <aaron.adams(at)nccgroup(dot)trust>
   5 | # Copyright (c) 2017, Cedric Halbronn <cedric.halbronn(at)nccgroup(dot)trust>
   6 | #
   7 | # Some parts of this code were taken from libheap, a ptmalloc2 GDB
   8 | # plugin: https://github.com/cloudburst/libheap
   9 | #
  10 | # Some gdb argument handling functions were taken and/or inspired from
  11 | # https://github.com/0vercl0k/stuffz/blob/master/dps_like_for_gdb.py
  12 | #
  13 | # The show_last_exception() code was derived from https://github.com/hugsy/gef
  14 | #
  15 | # Note libdmalloc_28x was primarily tested on 2.8.3, which is not the latest
  16 | # version. Testing was done on a version that was compiled with the MSPACE and
  17 | # FOOTER constants.
  18 | #
  19 | # See http://gee.cs.oswego.edu/pub/misc/malloc-2.8.3.c
  20 | 
  21 | from __future__ import print_function
  22 | 
  23 | import traceback
  24 | import importlib
  25 | from array import array
  26 | 
  27 | try:
  28 |     import gdb
  29 |     is_gdb = True
  30 | except ImportError:
  31 |     is_gdb = False
  32 |     print("[libdlmalloc_28x] Not running inside of GDB, limited functionality")
  33 | 
  34 | from os.path import basename
  35 | 
  36 | import re, binascii
  37 | import sys, os, json
  38 | import struct
  39 | from functools import wraps
  40 | 
  41 | ################################################################################
  42 | # HELPERS
  43 | ################################################################################
  44 | 
  45 | 
  46 | # XXX - move to helper.py
  47 | def is_ascii(s):
  48 |     return all(c < 128 and c > 1 for c in s)
  49 | 
  50 | # XXX - move to _gdb.py
  51 | # Taken from gef. Let's us see proper backtraces from python exceptions
  52 | def show_last_exception():
  53 |     PYTHON_MAJOR = sys.version_info[0]
  54 |     horizontal_line = "-"
  55 |     right_arrow = "->"
  56 |     down_arrow = "\\->"
  57 | 
  58 |     print("")
  59 |     exc_type, exc_value, exc_traceback = sys.exc_info()
  60 |     print(" Exception raised ".center(80, horizontal_line))
  61 |     print("{}: {}".format(exc_type.__name__, exc_value))
  62 |     print(" Detailed stacktrace ".center(80, horizontal_line))
  63 |     for fs in traceback.extract_tb(exc_traceback)[::-1]:
  64 |         if PYTHON_MAJOR==2:
  65 |             filename, lineno, method, code = fs
  66 |         else:
  67 |             try:
  68 |                 filename, lineno, method, code = fs.filename, fs.lineno, fs.name, fs.line
  69 |             except:
  70 |                 filename, lineno, method, code = fs
  71 | 
  72 |         print("""{} File "{}", line {:d}, in {}()""".format(down_arrow, filename,
  73 |                                                             lineno, method))
  74 |         print("   {}    {}".format(right_arrow, code))
  75 | 
  76 | # XXX - move to _gdb.py
  77 | def get_info():
  78 |     res = gdb.execute("maintenance info sections ?", to_string=True)
  79 |     bin_name = basename(build_bin_name(res))
  80 |     if not bin_name:
  81 |         raise("get_info: failed to find bin name")
  82 |     if bin_name[0] == '_':
  83 |         return bin_name[1:]
  84 |     return bin_name
  85 | 
  86 | # XXX - Not sure if these should go into dlmalloc()
  87 | # XXX - move to _gdb.py
  88 | def get_inferior():
  89 |     if not is_gdb:
  90 |         return
  91 |     try:
  92 |         if len(gdb.inferiors()) == 0:
  93 |             logmsg("No gdb inferior could be found.")
  94 |             return -1
  95 |         else:
  96 |             inferior = gdb.inferiors()[0]
  97 |             return inferior
  98 |     except AttributeError:
  99 |         logmsg("This gdb's python support is too old.")
 100 |         exit()
 101 | 
 102 | # XXX - move to _gdb.py
 103 | def has_inferior(f):
 104 |     "decorator to make sure we have an inferior to operate on"
 105 | 
 106 |     @wraps(f)
 107 |     def with_inferior(*args, **kwargs):
 108 |         inferior = get_inferior()
 109 |         if inferior != -1:
 110 |             if (inferior.pid != 0) and (inferior.pid is not None):
 111 |                 return f(*args, **kwargs)
 112 |             else:
 113 |                 logmsg("No debugee could be found.  Attach or start a program.")
 114 |                 exit()
 115 |         else:
 116 |             exit()
 117 |     return with_inferior
 118 | 
 119 | # General class for most dlmalloc-related methods to avoid namespace overlap
 120 | # with other heap libraries we might load at the same time. Most helper methods
 121 | # try to match the macros from malloc-2.8.x.c files
 122 | class dl_helper:
 123 | 
 124 |     DLMALLOC_VERSION  = "2.8"
 125 |     MALLOC_ALIGNMENT  = 8
 126 |     SIZE_T_ZERO       = 0
 127 |     SIZE_T_ONE        = 1
 128 |     SIZE_T_TWO        = 2
 129 |     CHUNK_ALIGN_MASK  = MALLOC_ALIGNMENT - SIZE_T_ONE
 130 | 
 131 |     NSMALLBINS        = 32
 132 |     NTREEBINS         = 32
 133 |     SMALLBIN_SHIFT    = 3
 134 |     SMALLBIN_WIDTH    = SIZE_T_ONE << SMALLBIN_SHIFT
 135 |     TREEBIN_SHIFT     = 8
 136 |     MIN_LARGE_SIZE    = SIZE_T_ONE << TREEBIN_SHIFT
 137 |     MAX_SMALL_SIZE    = MIN_LARGE_SIZE - SIZE_T_ONE
 138 |     #MAX_SMALL_REQUEST = (MAX_SMALL_SIZE - CHUNK_ALIGN_MASK - CHUNK_OVERHEAD)
 139 | 
 140 |     PINUSE_BIT = 1
 141 |     CINUSE_BIT = 2
 142 |     INUSE_BITS = (PINUSE_BIT|CINUSE_BIT)
 143 | 
 144 |     # XXX - If we find the malloc_params struct in mem, we should update these
 145 |     DEFAULT_TRIM_THRESHOLD = 2 * 1024 * 1024
 146 | 
 147 |     treebin_sz = [ 0x180, 0x200, 0x300, 0x400, 0x600, 0x800, 0xc00, 0x1000,
 148 |         0x1800, 0x2000, 0x3000, 0x4000, 0x6000, 0x8000, 0xc000, 0x10000,
 149 |         0x18000, 0x20000, 0x30000, 0x40000, 0x60000, 0x80000, 0xc0000, 0x100000,
 150 |         0x180000, 0x200000, 0x300000, 0x400000, 0x600000, 0x800000, 0xc00000,
 151 |         0xffffffff]
 152 | 
 153 |     def __init__(self, size_sz=0):
 154 |         self.terse = True # XXX - This should be configurable
 155 |         # Non-gdb users will have to specify the size themselves
 156 |         if size_sz == 0:
 157 |             self.retrieve_sizesz()
 158 |         else:
 159 |             self.SIZE_SZ = size_sz
 160 | 
 161 |         self.INUSE_HDR_SZ      = 2 * self.SIZE_SZ
 162 |         self.FREE_HDR_SZ       = 4 * self.SIZE_SZ
 163 |         self.TREE_HDR_SZ       = 8 * self.SIZE_SZ
 164 | 
 165 |         self.MIN_CHUNK_SZ      = 4 * self.SIZE_SZ
 166 |         self.MALLOC_ALIGNMENT  = 2 * self.SIZE_SZ
 167 |         self.MALLOC_ALIGN_MASK = self.MALLOC_ALIGNMENT - 1
 168 |         self.MINSIZE           = (self.MIN_CHUNK_SZ+self.MALLOC_ALIGN_MASK) & \
 169 |                                     ~self.MALLOC_ALIGN_MASK
 170 | 
 171 |         self.MSEGMENT_SZ       = 4 * self.SIZE_SZ
 172 | 
 173 |         # The MSTATE_SZ constants used here are a best guess. It will be
 174 |         # dynamically adjusted if found to be incorrect. We want this size to
 175 |         # be the largest possible though, so we always have enough memory to
 176 |         # figure it out.
 177 |         if self.SIZE_SZ == 4:
 178 |             self.MSTATE_SZ = 0x1dc
 179 |         elif self.SIZE_SZ == 8:
 180 |             self.MSTATE_SZ = 0x3b0
 181 | 
 182 |         self.MALLOC_PARAM_SZ = (self.SIZE_SZ * 5) + 4
 183 | 
 184 | 
 185 |         self.dlchunk_callback = None
 186 |         self.dlchunk_callback_cached = None
 187 |         self.cached_mstate = None
 188 |         self.colors = True
 189 | 
 190 |     def logmsg(self, s, end=None):
 191 |         if type(s) == str:
 192 |             if end != None:
 193 |                 print("[libdlmalloc] " + s, end=end)
 194 |             else:
 195 |                 print("[libdlmalloc] " + s)
 196 |         else:
 197 |             print(s)
 198 | 
 199 |     # XXX - move to _gdb.py
 200 |     def retrieve_sizesz(self):
 201 |         "Retrieve the SIZE_SZ after binary loading finished"
 202 | 
 203 |         _machine = self.get_arch()
 204 |         if "elf64" in _machine:
 205 |             self.SIZE_SZ = 8
 206 |         elif "elf32" in _machine:
 207 |             self.SIZE_SZ = 4
 208 |         else:
 209 |             raise Exception("Retrieving the SIZE_SZ failed.")
 210 | 
 211 |     def register_callback(self, func):
 212 |         self.dlchunk_callback = func
 213 |         self.logmsg("Registered new dlchunk callback")
 214 | 
 215 |     # XXX - move to _gdb.py
 216 |     def get_arch(self):
 217 |         res = gdb.execute("maintenance info sections ?", to_string=True)
 218 |         if "elf32-i386" in res and "elf64-x86-64" in res:
 219 |             raise("get_arch: could not determine arch (1)")
 220 |         if "elf32-i386" not in res and "elf64-x86-64" not in res:
 221 |             raise("get_arch: could not determine arch (2)")
 222 |         if "elf32-i386" in res:
 223 |             return "elf32-i386"
 224 |         elif "elf64-x86-64" in res:
 225 |             return "elf64-x86-64"
 226 |         else:
 227 |             raise("get_arch: failed to find arch")
 228 | 
 229 |     # This is the 64-bit version of the macro since the 32-bit uses inline asm
 230 |     def compute_tree_index(self, sz):
 231 |         x = sz >> self.TREEBIN_SHIFT
 232 |         if x == 0:
 233 |             return 0
 234 |         elif x > 0xffff:
 235 |             return self.NTREEBINS-1
 236 |         else:
 237 |             y = x
 238 |             n = ((y - 0x100) >> 16) & 8
 239 |             k = (((y << n) - 0x1000) >> 16) & 4
 240 |             n += k
 241 |             y <<= k
 242 |             k = ((y - 0x4000) >> 16) & 2
 243 |             n += k
 244 |             y <<= k
 245 |             k = 14 - n + (y >> 15)
 246 |             return (k << 1) + ((sz >> (k + (self.TREEBIN_SHIFT-1)) & 1))
 247 | 
 248 |     def chunk2mem(self, p):
 249 |         "conversion from malloc header to user pointer"
 250 |         return (p.address + (2 * self.SIZE_SZ))
 251 | 
 252 |     def mem2chunk(self, mem):
 253 |         "conversion from user pointer to malloc header"
 254 |         return (mem - (2 * self.SIZE_SZ))
 255 | 
 256 |     def request2size(self, req):
 257 |         "pad request bytes into a usable size"
 258 | 
 259 |         if (req + self.SIZE_SZ + self.MALLOC_ALIGN_MASK < self.MINSIZE):
 260 |             return self.MINSIZE
 261 |         else:
 262 |             return (int(req + self.SIZE_SZ + self.MALLOC_ALIGN_MASK) & \
 263 |                     ~self.MALLOC_ALIGN_MASK)
 264 | 
 265 |     def pinuse(self, p):
 266 |         "extract inuse bit of previous chunk"
 267 |         return (p.head & self.PINUSE_BIT)
 268 | 
 269 |     def chunksize(self, p):
 270 |         "Get size, ignoring use bits"
 271 |         return (p.head & ~self.INUSE_BITS)
 272 | 
 273 |     def ptr_from_chunk(self, p):
 274 |         return (p.address + p.hdr_size)
 275 | 
 276 |     def next_chunk(self, p):
 277 |         "Ptr to next physical malloc_chunk."
 278 |         return (p.address + (p.size & ~self.INUSE_BITS))
 279 | 
 280 |     def prev_chunk(self, p):
 281 |         "Ptr to previous physical malloc_chunk"
 282 |         return (p.address - p.prev_foot)
 283 | 
 284 |     def next_pinuse(self, p):
 285 |         "extract next chunk's pinuse bit"
 286 |         chunk = dl_chunk(self, self.next_chunk(p), inuse=False)
 287 |         return self.pinuse(chunk)
 288 | 
 289 |     def chunk_plus_offset(self, p, s):
 290 |         "Treat space at ptr + offset as a chunk"
 291 |         return dl_chunk(self, p.address + s, inuse=False)
 292 | 
 293 |     def chunk_minus_offset(self, p, s):
 294 |         "Treat space at ptr - offset as a chunk"
 295 |         return dl_chunk(self, p.address - s, inuse=False)
 296 | 
 297 |     def cinuse(self, p):
 298 |         "extract p's inuse bit"
 299 |         return (p.head & self.CINUSE_BIT)
 300 | 
 301 |     def set_cinuse(self, p):
 302 |         "set chunk as being inuse without otherwise disturbing"
 303 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.INUSE_BITS)),
 304 |                             inuse=False)
 305 |         chunk.size |= self, self.CINUSE_BIT
 306 |         chunk.write()
 307 | 
 308 |     def clear_cinuse(self, p):
 309 |         "clear chunk as being inuse without otherwise disturbing"
 310 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.INUSE_BITS)), 
 311 |                             inuse=False)
 312 |         chunk.size &= ~self.CINUSE_BIT
 313 |         chunk.write()
 314 | 
 315 |     def pinuse(self, p):
 316 |         "extract p's inuse bit"
 317 |         return (p.head & self.PINUSE_BIT)
 318 | 
 319 |     def set_pinuse(self, p):
 320 |         "set chunk as having prev_inuse without otherwise disturbing"
 321 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.INUSE_BITS)), 
 322 |                             inuse=False)
 323 |         chunk.size |= self.PINUSE_BIT
 324 |         chunk.write()
 325 | 
 326 |     def clear_pinuse(self, p):
 327 |         "clear chunk as not having pre_inuse without otherwise disturbing"
 328 |         chunk = dl_chunk(self, (p.address + (p.size & ~self.INUSE_BITS)), 
 329 |                              inuse=False)
 330 |         chunk.size &= ~self.PINUSE_BIT
 331 |         chunk.write()
 332 | 
 333 |     def is_small(self, sz):
 334 |         "check if size is in smallbin range"
 335 |         return (sz < self.MIN_LARGE_SIZE)
 336 | 
 337 |     def small_index(self, sz):
 338 |         "return the smallbin index"
 339 | 
 340 |         if self.SMALLBIN_WIDTH == 16:
 341 |             return (sz >> 4)
 342 |         else:
 343 |             return (sz >> 3)
 344 | 
 345 |     # The very last chunk in a segment is free but does not have the PINUSE
 346 |     # flag set. This should never normally happen, because coalescing should
 347 |     # always force a free chunk to be adjacent to an inuse chunk. So we can
 348 |     # detect it. Size might always be 0x30 on 32-bit too? Not sure
 349 |     def is_end_chunk(self, p):
 350 |         if not self.cinuse(p) and not self.pinuse(p):
 351 |             return True
 352 |         return False
 353 | 
 354 |     def top(self, mstate):
 355 |         return mstate.top
 356 | 
 357 |     # XXX - This should decode the footer if it exists
 358 |     def mstate_for_ptr(self, ptr):
 359 |         "find the heap and corresponding mstate for a given ptr"
 360 |         return (ptr & ~(self.HEAP_MAX_SIZE-1))
 361 | 
 362 |     # XXX - move to _gdb.py
 363 |     def hexdump(self, p, maxlen=0, off=0):
 364 |         data = self.ptr_from_chunk(p) + off
 365 |         size = p.real_size - p.hdr_size - off
 366 |         if size < 0:
 367 |             self.logmsg("[!] Chunk corrupt? Bad size")
 368 |             return
 369 |         elif size == 0:
 370 |             self.logmsg("[!] Empty chunk?")
 371 |             return
 372 |         if maxlen != 0:
 373 |             if size > maxlen:
 374 |                 size = maxlen
 375 |         print("0x%x bytes of chunk data:" % size)
 376 |         cmd = "x/%dwx 0x%x\n" % (size/4, data)
 377 |         gdb.execute(cmd, True)
 378 |         return
 379 | 
 380 |     def chunk_info(self, p):
 381 |         info = []
 382 |         info.append("0x%lx " % p.address)
 383 |         if self.cinuse(p):
 384 |             info.append("M ")
 385 |         else:
 386 |             info.append("F ")
 387 |         sz = self.chunksize(p)
 388 |         if sz == 0:
 389 |             self.logmsg("[!] Chunk at address 0x%.x invalid or corrupt?" % p.address)
 390 |         if self.terse:
 391 |             info.append("sz:0x%.05x " % sz)
 392 |         else:
 393 |             info.append("sz:0x%.08x " % sz)
 394 |         flag_str = ""
 395 |         if self.terse:
 396 |             info.append("fl:")
 397 |             if self.cinuse(p):
 398 |                 flag_str += "C"
 399 |             else:
 400 |                 flag_str += "-"
 401 | 
 402 |             if self.pinuse(p):
 403 |                 flag_str += "P"
 404 |             else:
 405 |                 flag_str += "-"
 406 |             info.append("%2s" % flag_str)
 407 | 
 408 |         else:
 409 |             info.append("flags: ")
 410 | 
 411 |             if self.cinuse(p):
 412 |                 flag_str += "CINUSE"
 413 |             else:
 414 |                 flag_str += "------"
 415 | 
 416 |             flag_str += "|"
 417 |             if self.pinuse(p):
 418 |                 flag_str += "PINUSE"
 419 |             else:
 420 |                 flag_str += "------"
 421 |             info.append("%13s" % flag_str)
 422 | 
 423 |         if self.dlchunk_callback != None:
 424 |             size = self.chunksize(p) - p.hdr_size
 425 |             cbinfo = {}
 426 |             cbinfo["caller"] = "dlchunk" # This is a lie but shouldn't matter
 427 |             cbinfo["allocator"] = "dlmalloc"
 428 |             cbinfo["version"] = self.DLMALLOC_VERSION
 429 |             cbinfo["addr"] = p.data_address
 430 |             cbinfo["hdr_sz"] = p.hdr_size
 431 |             cbinfo["chunksz"] = self.chunksize(p)
 432 |             cbinfo["min_hdr_sz"] = self.INUSE_HDR_SZ
 433 |             cbinfo["data_size"] = size
 434 |             cbinfo["inuse"] = p.inuse
 435 |             cbinfo["chunk_info"] = True
 436 |             cbinfo["size_sz"] = self.SIZE_SZ
 437 |             if p.from_mem:
 438 |                 cbinfo["mem"] = p.mem[p.hdr_size:]
 439 | 
 440 |             extra = self.dlchunk_callback(cbinfo)
 441 |             if extra:
 442 |                 info.append(" " + extra)
 443 | 
 444 |         return ''.join(info)
 445 | 
 446 |     def print_segment_chunks(self, seg=None, show_free=True, show_inuse=True, 
 447 |             sz=0, min_sz=0, max_sz=0):
 448 |         addr = seg.base
 449 |         while addr < (seg.base + seg.size):
 450 |             chunk = dl_chunk(self.dl, addr)
 451 |             chunksz = self.dl.chunksize(chunk)
 452 |             if min_sz != 0:
 453 |                 if chunksz > min_sz:
 454 |                     continue
 455 |             if max_sz != 0:
 456 |                 if chunksz > max_sz:
 457 |                     continue
 458 |             if sz != 0:
 459 |                 if chunksz != sz:
 460 |                     continue
 461 |             if show_free != True and not self.dl.cinuse(chunk):
 462 |                 continue
 463 |             if show_inuse != True and self.dl.cinuse(chunk):
 464 |                 continue
 465 | 
 466 |             print(self.dl.chunk_info(chunk))
 467 |             addr += self.dl.chunksize(chunk)
 468 |         # Walk from the start showing each chunk, but only printing an 
 469 |         # abbreviated version.
 470 | 
 471 |     def print_mstate_chunks(self, addr=None, mstate=None, seg=None):
 472 |         cur_seg = mstate.seg
 473 |         while True:
 474 |             self.print_segment_chunks(cur_seg)
 475 |             if cur_seg.next == 0:
 476 |                 break
 477 |             cur_seg = dl_msegment(self.dl, cur_seg.next)
 478 | 
 479 |     # XXX - anything that walks segments is redundant so should be done with
 480 |     # callbacks maybe?
 481 |     def print_mstate_segments(self, addr=None, mstate=None, seg=None):
 482 |         cur_seg = mstate.seg
 483 |         while True:
 484 |             print(cur_seg)
 485 |             if cur_seg.next == 0:
 486 |                 break
 487 |             cur_seg = dl_msegment(self.dl, cur_seg.next)
 488 | 
 489 |     # XXX - This is broken atm.
 490 |     def search_heap(self, seg, search_for, min_size, max_size):
 491 |         "walk chunks searching for value starting from the seg address"
 492 |         results = []
 493 | 
 494 |         # XXX - Use global constants for 0x440 and 0x868
 495 |         if self.SIZE_SZ == 4:
 496 |             p = dl_chunk(seg) # need to fix
 497 |         elif self.SIZE_SZ == 8:
 498 |             # empiric offset: chunks start after the dl_mstate + offset
 499 |             p = dl_chunk(seg)
 500 | #        heap_size = heap_info(mstate_for_ptr(ar_ptr))
 501 | 
 502 |         while True:
 503 |             if self.chunksize(p) == 0x0:
 504 |                 self.logmsg("sz=0x0 detected at 0x%x, assuming end of heap" 
 505 |                         % p.address)
 506 |                 break
 507 |             if max_size == 0 or self.chunksize(p) <= max_size:
 508 |                 if self.chunksize(p) >= min_size:
 509 |                     print(self.chunk_info(p)) # debug
 510 |                     if self.search_chunk(p, search_for):
 511 |                         results.append(p.address)
 512 |             p = dl_chunk(self.dl, addr=(p.address + self.chunksize(p)))
 513 |         return results
 514 | 
 515 |     def search_chunk(self, p, search_for, depth=0):
 516 |         "searches a chunk. includes the chunk header in the search"
 517 | 
 518 |         if depth == 0 or depth > self.chunksize(p):
 519 |             depth = self.chunksize(p)
 520 | 
 521 |         try:
 522 |             out_str = gdb.execute('find /1w 0x%x, 0x%x, %s' % \
 523 |                 (p.address, p.address + depth, search_for), \
 524 |                 to_string = True)
 525 |         except Exception:
 526 |             #print(sys.exc_info()[0])
 527 |             #print("[libdlmalloc] failed to execute 'find'")
 528 |             return False
 529 | 
 530 |         str_results = out_str.split('\n')
 531 | 
 532 |         for str_result in str_results:
 533 |             if str_result.startswith('0x'):
 534 |                 return True
 535 | 
 536 |         return False
 537 | 
 538 |     # Assumes caller checked for cached mstate...
 539 |     def is_smallbin_empty(self, bidx):
 540 |         mstate = self.cached_mstate
 541 |         if mstate.smallmap & (1 << bidx):
 542 |             return False
 543 |         return True
 544 | 
 545 |     # Assumes caller checked for cached mstate...
 546 |     def is_treebin_empty(self, bidx):
 547 |         mstate = self.cached_mstate
 548 |         if mstate.treemap & (1 << bidx):
 549 |             return False
 550 |         return True
 551 | 
 552 |     # Count the number of entries in a smallbin
 553 |     # XXX - We could speed this up significantly by just reading the fd instead
 554 |     # of creating new chunks each time. Quite slow over serial
 555 |     def smallbin_count(self, bidx, depth=0, get_sz_set=False):
 556 |         sz_set = []
 557 |         if self.cached_mstate == None:
 558 |             print("Can't currently count bins without cached mstate")
 559 |             return None
 560 |         mstate = self.cached_mstate
 561 |         if bidx > len(mstate.smallbins):
 562 |             print("idx %d is outside of smallbin range")
 563 |             return None
 564 | 
 565 |         if not self.is_smallbin_empty(bidx):
 566 |             bins_addr = mstate.address + mstate.small_bins_off
 567 |             # Each index holds an fd and bck pointer
 568 |             bin_addr = bins_addr + (2*self.SIZE_SZ) * bidx
 569 |             # Due to trickery, the chunk address points to the "prev_size"
 570 |             # of the chunk which doesn't, actually exist. But we need to use
 571 |             # that address
 572 |             bin_addr -= 2*self.SIZE_SZ
 573 | 
 574 |             count = 1
 575 |             cur = dl_chunk(dl=self, addr=bin_addr)
 576 |             while cur.fd != bin_addr:
 577 |                 count += 1
 578 |                 if depth != 0 and count > depth:
 579 |                     return count
 580 |                 cur = dl_chunk(dl=self, addr=cur.fd)
 581 |                 if get_sz_set:
 582 |                     sz_set.append(self.chunksize(cur))
 583 |             if get_sz_set:
 584 |                 print(sz_set)
 585 |             return count
 586 |         return 0
 587 | 
 588 |     def treebin_count_children(self, p, depth=0, sz_set=None):
 589 |         count = 0
 590 |         if sz_set != None:
 591 |             sz_set.append(self.chunksize(p))
 592 |         if p.left != 0:
 593 |             count += 1
 594 |             if depth != 0 and count > depth:
 595 |                 return count
 596 |             chunk = dl_chunk(dl=self, addr=p.left)
 597 |             count += self.treebin_count_children(chunk, depth, sz_set)
 598 |         if p.right != 0:
 599 |             count += 1
 600 |             if depth != 0 and count > depth:
 601 |                 return count
 602 |             chunk = dl_chunk(dl=self, addr=p.right)
 603 |             count += self.treebin_count_children(chunk, depth, sz_set)
 604 |         return count
 605 | 
 606 |     # Count the number of entries in a treebin
 607 |     def treebin_count(self, bidx, depth=0, get_sz_set=False):
 608 |         if get_sz_set:
 609 |             sz_set = []
 610 |         else:
 611 |             sz_set = None
 612 |         if self.cached_mstate == None:
 613 |             print("Can't currently count bins without cached mstate")
 614 |             return None
 615 |         mstate = self.cached_mstate
 616 |         if bidx > len(mstate.treebins):
 617 |             print("idx %d is outside of treebin range")
 618 |             return None
 619 |         if not self.is_treebin_empty(bidx):
 620 |             count = 1
 621 |             cur = dl_chunk(dl=self, addr=mstate.treebins[bidx])
 622 |             count += self.treebin_count_children(cur, depth, sz_set)
 623 |             if get_sz_set:
 624 |                 print("bin sizes: " + ", ".join(("0x{:02x}".format(s) \
 625 |                                 for s in sz_set)))
 626 |             return count
 627 | 
 628 |         return 0
 629 | 
 630 |     # XXX - fixme
 631 |     def print_smallbins(self, inferior, mstate=None):
 632 |         "walk and print the small bins"
 633 | 
 634 |         print("Smallbins")
 635 | 
 636 |         pad_width = 33
 637 | 
 638 |         if mstate == None and self.cached_mstate == None:
 639 |             self.logmsg("Don't know where mstate is and no address specified")
 640 |             return
 641 | 
 642 |         if mstate == None:
 643 |             mstate = self.cached_mstate
 644 |         else:
 645 |             mstate = dl_mstate(mstate)
 646 |             if mstate == None:
 647 |                 self.logmsg("Can't print bins from bad mstate")
 648 |                 return
 649 |             else:
 650 |                 cached_mstate = mstate
 651 | 
 652 |         # XXX - This doesn't properly print everything
 653 |         for i in range(2, (self.NSMALLBINS+1), 2):
 654 | 
 655 |             print("")
 656 |             print("[ sb {:02} ] ".format(int(i/2)))
 657 |     #        print("{:#x}{:>{width}}".format(int(), "-> ", width=5), end="")
 658 |             print("[ {:#x} | {:#x} ] ".format(int(mstate.smallbins[i]), int(mstate.smallbins[i+1])))
 659 |             print("")
 660 | 
 661 |             nextc = dl_chunk(mstate.smallbins[i])
 662 |             while (1):
 663 |                 if nextc.fd == mstate.smallbins[i]:
 664 |                     break
 665 |                 print(self.chunk_info(nextc))
 666 |                 nextc = dl_chunk(nextc.fd)
 667 |     #            print("")
 668 |     #            print("{:>{width}}{:#x} | {:#x} ] ".format("[ ", int(chunk.fd), int(chunk.bk), width=pad_width))
 669 |     #            print("({})".format(int(chunksize(chunk))), end="")
 670 |     #            fd = chunk.fd
 671 |     #
 672 |     #        if sb_num != None: #only print one smallbin
 673 |     #            return
 674 |     # XXX - this currently assumes p is a chunk vs mstate
 675 |     def dispatch_callback(self, p, debug=False, caller="dlchunk"):
 676 |         if self.dlchunk_callback != None:
 677 |             size = self.chunksize(p) - p.hdr_size
 678 |             if p.data_address != None:
 679 |                 # We can provide an excess of information and the callback can
 680 |                 # choose what to use
 681 |                 cbinfo = {}
 682 |                 cbinfo["caller"] = caller
 683 |                 cbinfo["allocator"] = "dlmalloc"
 684 |                 cbinfo["version"] = self.DLMALLOC_VERSION
 685 |                 cbinfo["addr"] = p.data_address
 686 |                 if p.from_mem:
 687 |                     cbinfo["mem"] = p.mem[p.hdr_size:]
 688 |                 cbinfo["hdr_sz"] = p.hdr_size
 689 |                 cbinfo["chunksz"] = self.chunksize(p)
 690 |                 cbinfo["min_hdr_sz"] = self.INUSE_HDR_SZ
 691 |                 cbinfo["data_size"] = size
 692 |                 cbinfo["inuse"] = p.inuse
 693 |                 cbinfo["size_sz"] = self.SIZE_SZ
 694 |                 if debug:
 695 |                     cbinfo["debug"] = True
 696 |                 # We expect callback to tell us how much data it
 697 |                 # 'consumed' in printing out info
 698 |                 return self.dlchunk_callback(cbinfo)
 699 |         return 0
 700 | 
 701 | 
 702 | ################################################################################
 703 | # STRUCTURES
 704 | ################################################################################
 705 | 
 706 | class dl_structure(object):
 707 | 
 708 |     def __init__(self, dl, inferior=None):
 709 |         self.dl     = dl
 710 |         self.is_x86 = dl.SIZE_SZ == 4
 711 |         self.address = None
 712 |         self.initOK = True
 713 | 
 714 |         if inferior == None:
 715 |             self.inferior = get_inferior()
 716 |             if self.inferior == -1:
 717 |                 self.dl.logmsg("Error obtaining gdb inferior")
 718 |                 self.initOK = False
 719 |                 return
 720 |         else:
 721 |             self.inferior = inferior
 722 | 
 723 |     # XXX - move this to _gdb.py
 724 |     def _get_cpu_register(self, reg):
 725 |         """
 726 |         Get the value holded by a CPU register
 727 |         """
 728 | 
 729 |         expr = ''
 730 |         if reg[0] == '$':
 731 |             expr = reg
 732 |         else:
 733 |             expr = '$' + reg
 734 | 
 735 |         try:
 736 |             val = self._normalize_long(long(gdb.parse_and_eval(expr)))
 737 |         except Exception:
 738 |             self.dl.logmsg("[!] Did you run a process? Can't retrieve registers")
 739 |             return None
 740 |         return val
 741 | 
 742 |     def _normalize_long(self, l):
 743 |         return (0xffffffff if self.is_x86 else 0xffffffffffffffff) & l
 744 | 
 745 |     def _is_register(self, s):
 746 |         """
 747 |         Is it a valid register ?
 748 |         """
 749 |         x86_reg = ['eax', 'ebx', 'ecx', 'edx', 'esi',
 750 |                     'edi', 'esp', 'ebp', 'eip']
 751 |         x64_reg = ['rax', 'rbx', 'rcx', 'rdx', 'rsi',
 752 |                     'rdi', 'rsp', 'rbp', 'rip'] + \
 753 |                         ['r%d' % i for i in range(8, 16)]
 754 | 
 755 |         if s[0] == '$':
 756 |             s = s[1:]
 757 | 
 758 |         if s in (x86_reg if self.is_x86 else x64_reg):
 759 |             return True
 760 |         return False
 761 | 
 762 |     def _parse_base_offset(self, r):
 763 |         base = r
 764 |         offset = 0
 765 |         if "+" in r:
 766 |             # we assume it is a register or address + a hex value
 767 |             tmp = r.split("+")
 768 |             base = tmp[0]
 769 |             offset = int(tmp[1], 16)
 770 |         if "-" in r:
 771 |             # we assume it is a register or address - a hex value
 772 |             tmp = r.split("-")
 773 |             base = tmp[0]
 774 |             offset = int(tmp[1], 16)*-1
 775 |         if self._is_register(base):
 776 |             base = self._get_cpu_register(base)
 777 |             if not base:
 778 |                 return None
 779 |         else:
 780 |             try:
 781 |                 # we assume it's an address
 782 |                 base = int(base, 16)
 783 |             except Exception:
 784 |                 print('Error: not an address')
 785 |                 return None
 786 |         return base, offset
 787 | 
 788 |     def validate_addr(self, addr):
 789 |         if addr == None or addr == 0:
 790 |             self.initOK = False
 791 |             self.address = None
 792 |             return False
 793 | 
 794 |         elif type(addr) == str:
 795 |             res = self._parse_base_offset(addr)
 796 |             if res == None:
 797 |                 self.dl.logmsg('[!] first arg MUST be an addr or a register (+ optional offset)"')
 798 |                 self.initOK = False
 799 |                 return False
 800 |             self.address = res[0] + res[1]
 801 |         else:
 802 |             self.address = addr
 803 |         return True
 804 | 
 805 | 
 806 | ################################################################################
 807 | class dl_chunk(dl_structure):
 808 |     "python representation of a struct malloc_chunk {} (malloc-2.8.3.c)"
 809 | 
 810 |     def __init__(self, dl, addr=None, mem=None, size=None, inferior=None, 
 811 |             inuse=None):
 812 |         # sets self.dl, self.inferior, and self.initOK
 813 |         dl_structure.__init__(self, dl, inferior)
 814 |         if not self.initOK:
 815 |             return
 816 | 
 817 |         self.prev_foot   = 0
 818 |         self.head        = 0
 819 |         self.data        = None
 820 |         self.fd          = None
 821 |         self.bk          = None
 822 | 
 823 |         # Tree chunk specific
 824 |         self.left        = None
 825 |         self.right       = None
 826 |         self.parent      = None
 827 |         self.bindex      = None
 828 | 
 829 |         # Actual chunk flags
 830 |         self.cinuse_bit  = 0
 831 |         self.pinuse_bit  = 0
 832 |         self.mmapped_bit = 0
 833 | 
 834 |         # General indicator if we are inuse
 835 |         self.inuse       = inuse
 836 |         self.istree      = False
 837 | 
 838 |         self.data_address = None
 839 |         self.hdr_size = 0
 840 | 
 841 |         self.mem = mem
 842 |         self.from_mem = False
 843 | 
 844 |         # setup self.address
 845 |         if not self.validate_addr(addr):
 846 |             return
 847 | 
 848 |         if mem == None:
 849 |             # a string of raw memory was not provided
 850 |             try:
 851 |                 # TREE_HDR_SZ is based on SIZE_SZ already
 852 |                 mem = self.inferior.read_memory(self.address, self.dl.TREE_HDR_SZ)
 853 |                 # XXX - Technically if the last chunk is only 0x10 bytes, and
 854 |                 # we read it as a TREE_HDR it will fail. Better way to do the
 855 |                 # above
 856 |             except TypeError:
 857 |                 self.dl.logmsg("Invalid address specified.")
 858 |                 self.initOK = False
 859 |                 return
 860 |             except RuntimeError:
 861 |                 self.dl.logmsg("Could not read address {0:#x}".format(self.address))
 862 |                 self.initOK = False
 863 |                 return
 864 |         else:
 865 |             self.from_mem = True
 866 |             # a string of raw memory was provided
 867 |             if self.inuse:
 868 |                 if (len(mem) != self.dl.MIN_HDR_SZ) and \
 869 |                                 (len(mem) < self.dl.FREE_HDR_SZ):
 870 |                     self.dl.logmsg("Insufficient memory provided for a dl_chunk.")
 871 |                     self.initOK = False
 872 |                     return
 873 |             else:
 874 |                 # XXX - This should test for FREE_HDR_SZ as well
 875 |                 if (len(mem) != self.dl.TREE_HDR_SZ) and \
 876 |                                 (len(mem) < self.dl.TREE_HDR_SZ):
 877 |                     self.dl.logmsg("Insufficient memory provided for a free chunk.")
 878 |                     self.initOK = False
 879 |                     return
 880 | 
 881 |         # First we just read the header
 882 |         if self.dl.SIZE_SZ == 4:
 883 |             (self.prev_foot,
 884 |             self.head) = struct.unpack_from("<II", mem, 0x0)
 885 |         elif self.dl.SIZE_SZ == 8:
 886 |             (self.prev_foot,
 887 |             self.head) = struct.unpack_from("<QQ", mem, 0x0)
 888 | 
 889 |         if size == None:
 890 |             self.real_size = (self.head & ~self.dl.INUSE_BITS)
 891 |             self.cinuse_bit = ((self.head & self.dl.CINUSE_BIT) >> 1)
 892 |             self.pinuse_bit = self.head & self.dl.PINUSE_BIT
 893 |         else:
 894 |             self.dl.logmsg("Warning: a size was provided (for a malformed chunk with an invalid size)")
 895 |             self.real_size = size & ~self.dl.INUSE_BITS
 896 |             self.cinuse_bit = ((size & self.dl.CINUSE_BIT) >> 1)
 897 |             self.pinuse_bit = size & self.dl.PINUSE_BIT
 898 | 
 899 |         if inuse == None:
 900 |             if self.cinuse_bit:
 901 |                 self.inuse = True
 902 |                 self.hdr_size = self.dl.INUSE_HDR_SZ
 903 |             else:
 904 |                 self.inuse = False
 905 |         else:
 906 |             # Trust the caller is right
 907 |             self.inuse = inuse
 908 |             self.hdr_size = self.dl.INUSE_HDR_SZ
 909 | 
 910 |         if not self.inuse:
 911 |             # We sometimes provide an address to use for reference, even when
 912 |             # we pass in mem. So can't just check for self.address != None
 913 |             if self.address != None and mem == None:
 914 |                 # a string of raw memory was not provided
 915 |                 if self.inferior != None:
 916 |                     if self.dl.SIZE_SZ == 4:
 917 |                         mem = self.inferior.read_memory(self.address, self.dl.TREE_HDR_SZ)
 918 |                     elif self.dl.SIZE_SZ == 8:
 919 |                         mem = self.inferior.read_memory(self.address, self.dl.TREE_HDR_SZ)
 920 | 
 921 |             # We either need to read a regular free chunk or a tree chunk
 922 |             if self.dl.SIZE_SZ == 4:
 923 |                 (self.fd, \
 924 |                 self.bk  ) = struct.unpack_from("<II", mem, self.dl.INUSE_HDR_SZ)
 925 |             elif self.dl.SIZE_SZ == 8:
 926 |                 (self.fd, \
 927 |                 self.bk  ) = struct.unpack_from("<QQ", mem, self.dl.INUSE_HDR_SZ)
 928 |             # Is it a tree chunk?
 929 |             if self.real_size > self.dl.MAX_SMALL_SIZE:
 930 |                 self.istree = True
 931 |                 self.hdr_size = self.dl.TREE_HDR_SZ
 932 |                 if self.dl.SIZE_SZ == 4:
 933 |                     (self.left, \
 934 |                     self.right, \
 935 |                     self.parent,\
 936 |                     self.bindex) = struct.unpack_from("<4I", mem, self.dl.FREE_HDR_SZ)
 937 |                 elif self.dl.SIZE_SZ == 8:
 938 |                     (self.left,  \
 939 |                     self.right,  \
 940 |                     self.parent, \
 941 |                     self.bindex ) = struct.unpack_from("<4Q", mem, self.dl.FREE_HDR_SZ)
 942 |             else:
 943 |                 self.hdr_size = self.dl.FREE_HDR_SZ
 944 | 
 945 |         if self.address != None:
 946 |             self.data_address = self.address + self.hdr_size
 947 | 
 948 |     def __str__(self):
 949 |         if self.prev_foot == 0 and self.head == 0:
 950 |             return ""
 951 |         # CINUSE chunk
 952 |         elif self.inuse:
 953 |             mc = "struct malloc_chunk @ "
 954 |             mc += "{:#x} ".format(self.address)
 955 |             mc += "{"
 956 |             mc += "\n{:11} = ".format("prev_foot")
 957 |             mc += "{:#x}".format(self.prev_foot)
 958 |             mc += "\n{:11} = ".format("size")
 959 |             mc += "{:#x}".format(self.head & ~self.dl.INUSE_BITS)
 960 |             if self.cinuse_bit == 1 or self.pinuse_bit == 1:
 961 |                 mc += " ("
 962 |                 if self.cinuse_bit == 1:
 963 |                     mc += "CINUSE|"
 964 |                 if self.pinuse_bit == 1:
 965 |                     mc += "PINUSE|"
 966 |                 mc += "\b)"
 967 |             return mc
 968 |         else:
 969 |             if self.istree:
 970 |                 mc = "struct malloc_tree_chunk @ "
 971 |             else:
 972 |                 mc = "struct malloc_chunk @ "
 973 |             mc += "{:#x} ".format(self.address)
 974 |             mc += "{"
 975 |             mc += "\n{:11} = ".format("prev_foot")
 976 |             mc += "{:#x}".format(self.prev_foot)
 977 |             mc += "\n{:11} = ".format("head")
 978 |             mc += "{:#x}".format(self.dl.chunksize(self))
 979 |             if self.cinuse_bit == 1 or self.pinuse_bit == 1:
 980 |                 mc += " ("
 981 |                 if self.cinuse_bit == 1:
 982 |                     mc += "CINUSE|"
 983 |                 if self.pinuse_bit == 1:
 984 |                     mc += "PINUSE|"
 985 |                 mc += "\b)"
 986 |             mc += "\n{:11} = ".format("fd")
 987 |             mc += "{:#x}".format(self.fd)
 988 |             mc += "\n{:11} = ".format("bk")
 989 |             mc += "{:#x}".format(self.bk)
 990 |             if self.istree:
 991 |                 mc += "\n{:11} = ".format("left")
 992 |                 mc += "{:#x}".format(self.left)
 993 |                 mc += "\n{:11} = ".format("right")
 994 |                 mc += "{:#x}".format(self.right)
 995 |                 mc += "\n{:11} = ".format("parent")
 996 |                 mc += "{:#x}".format(self.parent)
 997 |                 mc += "\n{:11} = ".format("bindex")
 998 |                 mc += "{:#x}".format(self.bindex)
 999 |             return mc
1000 | 
1001 | ################################################################################
1002 | class dl_msegment(dl_structure):
1003 |     "python representation of a struct malloc_segment"
1004 | 
1005 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
1006 |         dl_structure.__init__(self, dl)
1007 |         #super(dl_msegment, self).__init__()
1008 |         self.dl     = dl
1009 | 
1010 |         self.base   = 0
1011 |         self.size   = 0
1012 |         self.next   = 0
1013 |         self.sflags = 0
1014 | 
1015 |         if addr == None or addr == 0:
1016 |             if mem == None:
1017 |                 self.dl.logmsg("Please specify a valid struct dl_chunk address.")
1018 |                 self.initOK = False
1019 |                 return
1020 | 
1021 |             self.address = None
1022 |         elif type(addr) == str:
1023 |             res = self._parse_base_offset(addr)
1024 |             if res == None:
1025 |                 print('The first argument MUST be either an address or a register (+ optional offset)"')
1026 |                 self.initOK = False
1027 |                 return
1028 |             self.address = res[0] + res[1]
1029 |         else:
1030 |             self.address = addr
1031 | 
1032 |         if inferior == None and mem == None:
1033 |             inferior = get_inferior()
1034 |             if inferior == -1:
1035 |                 return None
1036 | 
1037 |         if self.address != None:
1038 |             # a string of raw memory was not provided
1039 |             if inferior != None:
1040 |                 mem = inferior.read_memory(self.address, self.dl.MSEGMENT_SZ)
1041 | 
1042 |         if mem == None:
1043 |             # a string of raw memory was not provided
1044 |             try:
1045 |                 mem = inferior.read_memory(self.address, self.dl.MSEGMENT_SZ)
1046 |             except TypeError:
1047 |                 self.dl.logmsg("Invalid address specified.")
1048 |                 self.initOK = False
1049 |                 return
1050 |             except RuntimeError:
1051 |                 self.dl.logmsg("Could not read address {0:#x}".format(self.address))
1052 |                 self.initOK = False
1053 |                 return
1054 | 
1055 |         # We either need to read a regular free chunk or a tree chunk
1056 |         if self.dl.SIZE_SZ == 4:
1057 |             (self.base,
1058 |             self.size,
1059 |             self.next,
1060 |             self.sflags) = struct.unpack_from("<4I", mem, 0)
1061 |         elif self.dl.SIZE_SZ == 8:
1062 |             (self.base, \
1063 |             self.size,
1064 |             self.next,
1065 |             self.sflags) = struct.unpack_from("<4Q", mem, 0)
1066 | 
1067 |     def __str__(self):
1068 |         mc = "struct malloc_segment @ "
1069 |         mc += "{:#x} ".format(self.address)
1070 |         mc += "{"
1071 |         mc += "\n{:11} = ".format("base")
1072 |         mc += "{:#x}".format(self.base)
1073 |         mc += "\n{:11} = ".format("size")
1074 |         mc += "{:#x}".format(self.size)
1075 |         mc += "\n{:11} = ".format("next")
1076 |         mc += "{:#x}".format(self.next)
1077 |         mc += "\n{:11} = ".format("sflags")
1078 |         mc += "{:#x}".format(self.sflags)
1079 |         return mc
1080 | 
1081 | ################################################################################
1082 | # XXX: make it inherit from dl_structure
1083 | class dl_mstate:
1084 |     "python representation of a struct malloc_state {} (malloc-2.8.3.c)"
1085 | 
1086 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
1087 |         self.initOK        = False
1088 |         self.dl            = dl
1089 | 
1090 |         # mstate structure members
1091 |         self.smallmap      = 0
1092 |         self.treemap       = 0
1093 |         self.dvsize        = 0
1094 |         self.topsize       = 0
1095 |         self.least_addr    = 0
1096 |         self.dv            = 0
1097 |         self.top           = 0
1098 |         self.trim_check    = 0
1099 |         self.magic         = 0
1100 |         self.smallbins     = None
1101 |         self.treebins      = None
1102 |         self.footprint     = 0
1103 |         self.max_footprint = 0
1104 |         self.mflags        = 0
1105 |         self.mutex         = [] # We rely on being able to use len on this so
1106 |                                 # want it to be something like an empty list
1107 |         self.seg           = None # dl_msegment
1108 |         self.size = self.dl.MSTATE_SZ
1109 | 
1110 |         # printing options
1111 |         self.prefix_address = False # show address of each member when printed
1112 | 
1113 |         if addr == None or addr == 0:
1114 |             if mem == None:
1115 |                 self.dl.logmsg("Please specify a valid struct dl_mstate address.")
1116 |                 return None
1117 |             self.address = None
1118 |         else:
1119 |             self.address = addr
1120 | 
1121 |         if inferior == None and mem == None:
1122 |             inferior = get_inferior()
1123 |             if inferior == -1:
1124 |                 return None
1125 | 
1126 |         if mem == None:
1127 |             # a string of raw memory was not provided
1128 |             try:
1129 |                 # read more bytes to support the segment size bruteforce below?
1130 |                 mem = inferior.read_memory(addr, self.dl.MSTATE_SZ) #+0x30)
1131 |             except TypeError:
1132 |                 self.dl.logmsg("Invalid address specified.")
1133 |                 self.initOK = False
1134 |                 return None
1135 |             except RuntimeError:
1136 |                 self.dl.logmsg("Could not read address {0:#x}".format(addr))
1137 |                 self.initOK = False
1138 |                 return
1139 |         else:
1140 |             if len(mem) != self.dl.MSTATE_SZ:
1141 |                 self.dl.logmsg("Insufficient memory provided for a struct dl_mstate")
1142 |                 self.initOK = False
1143 |                 return None
1144 | 
1145 |         # The offset values can likely be the same for both SIZE_SZ
1146 |         if self.dl.SIZE_SZ == 4:
1147 |             # I do the 2 * explicitly to denote the unused part which is
1148 |             # technically part of smallbins in the source, but not actually
1149 |             # used
1150 |             self.small_bins_off = (9 * self.dl.SIZE_SZ) + (2 * self.dl.SIZE_SZ)
1151 |             nsbins = (self.dl.NSMALLBINS * 2) # in src is (NSMALLINBS+1)*2
1152 |             self.tree_bins_off = self.small_bins_off + \
1153 |                                  (nsbins * self.dl.SIZE_SZ)
1154 |             self.footprint_off = self.tree_bins_off + \
1155 |                                  (self.dl.NTREEBINS * self.dl.SIZE_SZ)
1156 | 
1157 |             (self.smallmap,
1158 |              self.treemap,
1159 |              self.dvsize,
1160 |              self.topsize,
1161 |              self.least_addr,
1162 |              self.dv,
1163 |              self.top,
1164 |              self.trim_check,
1165 |              self.magic) = struct.unpack_from("<9I", mem, 0x0)
1166 |             self.unused = struct.unpack_from("<2I", mem, self.small_bins_off)
1167 |             self.smallbins = struct.unpack_from("<%dI" % nsbins, mem, 
1168 |                     self.small_bins_off)
1169 |             self.treebins = struct.unpack_from("<%dI" % self.dl.NTREEBINS, mem, 
1170 |                     self.tree_bins_off)
1171 |             (self.footprint,
1172 |              self.max_footprint,
1173 |              self.mflags) = struct.unpack_from("<3I", mem, self.footprint_off)
1174 | 
1175 |             # NOTE: This is only present of USE_LOCKS is defined, which for
1176 |             # now we assume is true. However, not only that, but the
1177 |             # pthread_mutex_t structure can change. We have observed
1178 |             # 0x10 and 0x14 bytes. We don't want to hardcode this, so we rely
1179 |             # on the fact that the dl_msegment structure should have an address
1180 |             # value that matches the self.least_addr if our sizeof(mutex) guess 
1181 |             # is right.
1182 |             # If it is wrong, we adjust the size and try again
1183 |             # For general ref of a 0x14-byte mutex see:
1184 |             # http://www.jbox.dk/sanos/source/include/pthread.h.html
1185 |             mutex_off = self.footprint_off + (3*self.dl.SIZE_SZ)
1186 |             mutex_dwords = 5
1187 |             while mutex_dwords > 0:
1188 |                 seg_off =  mutex_off + (mutex_dwords * self.dl.SIZE_SZ)
1189 |                 self.mutex = struct.unpack_from("<%dI" % mutex_dwords, mem, 
1190 |                         mutex_off)
1191 |                 self.seg = dl_msegment(self.dl, self.address + seg_off, 
1192 |                         mem[seg_off:])
1193 |                 if self.seg.base != self.least_addr:
1194 |                     mutex_dwords -= 1
1195 |                 else:
1196 |                     break
1197 | 
1198 |             if mutex_dwords == 0:
1199 |                 self.seg = dl_msegment(self.dl, self.address + mutex_off,
1200 |                         mem[mutex_off:])
1201 |                 if self.seg.base != self.least_addr:
1202 |                     self.dl.logmsg("Problem reading dlsegment")
1203 |                     return
1204 | 
1205 |         elif self.dl.SIZE_SZ == 8:
1206 |             # See 32-bit comments for the explicit 2*SIZE_SZ
1207 |             self.small_bins_off = 2*4 + 7*self.dl.SIZE_SZ + (2*self.dl.SIZE_SZ)
1208 |             nsbins = (self.dl.NSMALLBINS * 2)
1209 |             self.tree_bins_off = self.small_bins_off + \
1210 |                                     (nsbins * self.dl.SIZE_SZ)
1211 |             self.footprint_off = self.tree_bins_off + \
1212 |                                     (self.dl.NTREEBINS * self.dl.SIZE_SZ)
1213 |             mutex_off = self.footprint_off + 0x14
1214 |             seg_off =  mutex_off + 0x2C
1215 |             (self.smallmap,
1216 |              self.treemap,
1217 |              self.dvsize,
1218 |              self.topsize,
1219 |              self.least_addr,
1220 |              self.dv,
1221 |              self.top,
1222 |              self.trim_check,
1223 |              self.magic) = struct.unpack_from("<2I7Q", mem, 0x0)
1224 |             # XXX - since the very base index isn't used due to some 
1225 |             # quirks, it would simplify code elsewhere to unpack it into some
1226 |             # unused/unprinted location
1227 |             # This is missing self.unused and instead calculates exact
1228 |             # small_bins_off
1229 |             self.smallbins = struct.unpack_from("<%dQ" % nsbins, mem, 
1230 |                     self.small_bins_off)
1231 |             self.treebins = struct.unpack_from("<%dQ" % self.dl.NTREEBINS, mem,
1232 |                     self.tree_bins_off)
1233 |             (self.footprint,
1234 |              self.max_footprint,
1235 |              self.mflags) = struct.unpack_from("<2QI", mem, self.footprint_off)
1236 | 
1237 |             mutex_dwords = 5
1238 |             while mutex_dwords > 0:
1239 |                 seg_off =  mutex_off + 4 + (mutex_dwords * self.dl.SIZE_SZ)
1240 |                 self.mutex = struct.unpack_from("<I%dQ" % mutex_dwords, mem, 
1241 |                         mutex_off)
1242 |                 self.seg = dl_msegment(self.dl, self.address + seg_off, 
1243 |                         mem[seg_off:])
1244 |                 if self.seg.base != self.least_addr:
1245 |                     mutex_dwords -= 1
1246 |                 else:
1247 |                     break
1248 | 
1249 |             if mutex_dwords == 0:
1250 |                 self.seg = dl_msegment(self.dl, self.address + mutex_off, 
1251 |                         mem[mutex_off:])
1252 |                 if self.seg.base != self.least_addr:
1253 |                     self.dl.logmsg("Problem reading dlsegment")
1254 |                     return
1255 | 
1256 |         # XXX - why 5?
1257 |         self.size = self.size - (5 - mutex_dwords)*self.dl.SIZE_SZ
1258 |         self.initOK = True
1259 |         self.dl.cached_mstate = self
1260 | 
1261 |     def __str__(self):
1262 |             mc = "struct dl_mstate @ "
1263 |             mc += "{:#x} ".format(self.address)
1264 |             mc += "{"
1265 |             mc += "\n{:11} = ".format("smallmap")
1266 |             mc += "{:#032b}".format(self.smallmap, '032b')
1267 |             mc += "\n{:11} = ".format("treemap")
1268 |             mc += "{:#032b}".format(self.treemap)
1269 |             mc += "\n{:11} = ".format("dvsize")
1270 |             mc += "{:#x}".format(self.dvsize)
1271 |             mc += "\n{:11} = ".format("topsize")
1272 |             mc += "{:#x}".format(self.topsize)
1273 |             mc += "\n{:11} = ".format("least_addr")
1274 |             mc += "{:#x}".format(self.least_addr)
1275 |             mc += "\n{:11} = ".format("dv")
1276 |             mc += "{:#x}".format(self.dv)
1277 |             mc += "\n{:11} = ".format("top")
1278 |             mc += "{:#x}".format(self.top)
1279 |             mc += "\n{:11} = ".format("trim_check")
1280 |             mc += "{:#x}".format(self.trim_check)
1281 |             mc += "\n{:11} = ".format("magic")
1282 |             mc += "{:#x}".format(self.magic)
1283 |             # NOTE: We don't print self.unused because it has no purpose
1284 |             # We rely on self.unused to keep the code below simpler though
1285 |             i = 0
1286 |             while i < len(self.smallbins):
1287 |                 bidx = int(i/2)
1288 |                 maxsz = (bidx * 8)
1289 |                 mc += "\n{:12} ".format("smallbin[%02d]" % bidx)
1290 |                 mc += "{:10} = ".format("(sz 0x%x)" % maxsz)
1291 |                 mc += "{:#10x}, ".format(self.smallbins[i])
1292 |                 mc += "{:#10x}".format(self.smallbins[i+1])
1293 |                 if self.smallmap & (1 << bidx) == 0:
1294 |                     mc += " [EMPTY]"
1295 |                 i += 2
1296 |             # XXX - make this look nicer in output
1297 |             i = 0
1298 |             while i < len(self.treebins):
1299 |                 maxsz = self.dl.treebin_sz[i]
1300 |                 mc += "\n{:10} ".format("treebin[%02d]" % i)
1301 |                 mc += "{:15} = ".format("(sz 0x%x)" % maxsz)
1302 |                 mc += "{:#10x}".format(self.treebins[i])
1303 |                 if self.treemap & (1 << i) == 0:
1304 |                     mc += " [EMPTY]"
1305 |                 i += 1
1306 |             mc += "\n{:11} = ".format("footprint")
1307 |             mc += "{:#x}".format(self.footprint)
1308 |             mc += "\n{:11} = ".format("max_footprint")
1309 |             mc += "{:#x}".format(self.max_footprint)
1310 |             mc += "\n{:11} = ".format("mflags")
1311 |             mc += "{:#x}".format(self.mflags)
1312 |             i = 0
1313 |             mc += "\n{:11} = ".format("mutex")
1314 |             while i < len(self.mutex):
1315 |                 mc += "{:#x},".format(self.mutex[i])
1316 |                 i += 1
1317 |             i = 0
1318 |             mc += "\nseg = %s" % self.seg
1319 |             return mc
1320 | 
1321 | ################################################################################
1322 | class malloc_params:
1323 |     "python representation of a struct malloc_params"
1324 | 
1325 |     def __init__(self, dl, addr=None, mem=None, inferior=None):
1326 |         self.dl = dl
1327 |         self.magic = 0
1328 |         self.page_size = 0
1329 |         self.granularity = 0
1330 |         self.mmap_threshold   = 0
1331 |         self.trim_threshold   = 0
1332 |         self.default_mflags = 0
1333 | 
1334 |         if addr == None:
1335 |             if mem == None:
1336 |                 self.dl.logmsg("Please specify a struct malloc_par address.")
1337 |                 return None
1338 | 
1339 |             self.address = None
1340 |         else:
1341 |             self.address = addr
1342 | 
1343 |         if inferior == None and mem == None:
1344 |             inferior = get_inferior()
1345 |             if inferior == -1:
1346 |                 return None
1347 | 
1348 |         if mem == None:
1349 |             # a string of raw memory was not provided
1350 |             try:
1351 |                 mem = inferior.read_memory(addr, self.dl.MALLOC_PARAM_SZ)
1352 |             except TypeError:
1353 |                 self.dl.logmsg("Invalid address specified.")
1354 |                 return None
1355 |             except RuntimeError:
1356 |                 self.dl.logmsg("Could not read address {0:#x}".format(addr))
1357 |                 return
1358 | 
1359 |         if self.dl.SIZE_SZ == 4:
1360 |             (self.magic, \
1361 |             self.page_size, \
1362 |             self.granularity, \
1363 |             self.mmap_threshold  , \
1364 |             self.trim_threshold  , \
1365 |             self.default_mflags) = struct.unpack("<6I", mem)
1366 |         elif self.dl.SIZE_SZ == 8:
1367 |             (self.magic, \
1368 |             self.page_size, \
1369 |             self.granularity, \
1370 |             self.mmap_threshold  , \
1371 |             self.trim_threshold  , \
1372 |             self.default_mflags) = struct.unpack("<5QI", mem)
1373 | 
1374 |     def __str__(self):
1375 |         mp = "struct malloc_params {"
1376 |         mp += "\n{:16} = ".format("magic")
1377 |         mp += "{:#x}".format(self.magic)
1378 |         mp += "\n{:16} = ".format("page_size")
1379 |         mp += "{:#x}".format(self.page_size)
1380 |         mp += "\n{:16} = ".format("granularity")
1381 |         mp += "{:#x}".format(self.granularity)
1382 |         mp += "\n{:16} = ".format("mmap_threshold")
1383 |         mp += "{:#x}".format(self.mmap_threshold)
1384 |         mp += "\n{:16} = ".format("trim_threshold")
1385 |         mp += "{:#x}".format(self.trim_threshold)
1386 |         mp += "\n{:16} = ".format("default_mflags")
1387 |         mp += "{:#x}".format(self.default_mflags)
1388 |         return mp
1389 | 
1390 | # XXX import this stuff from a separate file
1391 | if is_gdb:
1392 | ################################################################################
1393 | # GDB COMMANDS
1394 | ################################################################################
1395 | 
1396 | # This is a super class with few convenience methods to let all the cmds parse
1397 | # gdb variables easily
1398 |     class dlcmd(gdb.Command):
1399 | 
1400 |         def __init__(self, dl, name):
1401 |             self.dl = dl
1402 |             super(dlcmd, self).__init__(name, gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1403 | 
1404 |         def parse_var(self, var):
1405 |             if self.dl.SIZE_SZ == 4:
1406 |                 p = self.tohex(int(gdb.parse_and_eval(var)), 32)
1407 |             elif self.dl.SIZE_SZ == 8:
1408 |                 p = self.tohex(int(gdb.parse_and_eval(var)), 64)
1409 |             return int(p, 16)
1410 | 
1411 |         # Because python is incapable of turning a negative integer into a hex value
1412 |         # easily apparently...
1413 |         def tohex(self, val, nbits):
1414 |             result = hex((val + (1 << nbits)) % (1 << nbits))
1415 |             # -1 because hex() only sometimes tacks on a L to hex values...
1416 |             if result[-1] == 'L':
1417 |                 return result[:-1]
1418 |             else:
1419 |                 return result
1420 | 
1421 | ################################################################################
1422 |     class dlhelp(dlcmd):
1423 |         "Details about all libdlmalloc gdb commands"
1424 | 
1425 |         def __init__(self, dl, help_extra=None):
1426 |             self.help_extra = help_extra
1427 |             dlcmd.__init__(self, dl, "dlhelp")
1428 | 
1429 |         def invoke(self, arg, from_tty):
1430 |             self.dl.logmsg('dlmalloc commands for gdb')
1431 |             if self.help_extra != None:
1432 |                 self.dl.logmsg(self.help_extra)
1433 |             self.dl.logmsg('dlchunk    : show one or more chunks metadata and contents')
1434 |             self.dl.logmsg('dlmstate   : print mstate structure information. caches address after first use')
1435 |             self.dl.logmsg('dlcallback : register a callback or query/modify callback status')
1436 |             self.dl.logmsg('dlhelp     : this help message')
1437 |             self.dl.logmsg('NOTE: Pass -h to any of these commands for more extensive usage. Eg: dlchunk -h')
1438 | 
1439 |     class dlcallback(dlcmd):
1440 |         "Manage callbacks"
1441 | 
1442 |         def __init__(self, dl):
1443 |             dlcmd.__init__(self, dl, "dlcallback")
1444 | #        super(dlcallback, self).__init__("dlcallback", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1445 |             self.dl = dl
1446 | 
1447 |         def help(self):
1448 |             self.dl.logmsg('usage: dlcallback <option>')
1449 |             self.dl.logmsg(' disable                  temporarily disable the registered callback')
1450 |             self.dl.logmsg(' enable                   enable the registered callback')
1451 |             self.dl.logmsg(' status                   check if a callback is registered')
1452 |             self.dl.logmsg(' clear                    forget the registered callback')
1453 |             self.dl.logmsg(' register <name> <module> use a global function <name> as callback from <module>')
1454 |             self.dl.logmsg('                          ex: register mpcallback libmempool/libmempool')
1455 | 
1456 |         def invoke(self, arg, from_tty):
1457 |             if arg == '':
1458 |                 self.help()
1459 |                 return
1460 | 
1461 |             arg = arg.lower()
1462 |             if arg.find("enable") != -1:
1463 |                 self.dl.dlchunk_callback = self.dl.dlchunk_callback_cached
1464 |                 self.dl.logmsg('callback enabled')
1465 |                 if self.dl.dlchunk_callback == None:
1466 |                     self.dl.logmsg('NOTE: callback was enabled, but is unset')
1467 |             elif arg.find("disable") != -1:
1468 |                 self.dl.dlchunk_callback_cached = self.dl.dlchunk_callback
1469 |                 self.dl.dlchunk_callback = None
1470 |                 self.dl.logmsg('callback disabled')
1471 |             elif arg.find("clear") != -1:
1472 |                 self.dl.dlchunk_callback = None
1473 |                 self.dl.dlchunk_callback_cached = None
1474 |                 self.dl.logmsg('callback cleared')
1475 |             elif arg.find("status") != -1:
1476 |                 if self.dl.dlchunk_callback:
1477 |                     self.dl.logmsg('a callback is registered and enabled')
1478 |                 elif self.dl.dlchunk_callback == None and \
1479 |                          self.dl.dlchunk_callback_cached:
1480 |                     self.dl.logmsg('a callback is registered and disabled')
1481 |                 else:
1482 |                     self.dl.logmsg('a callback is not registered')
1483 |             elif arg.find("register") != -1:
1484 |                 args = arg.split(' ')
1485 |                 if len(args) < 2:
1486 |                     self.dl.logmsg('[!] Must specify object name')
1487 |                     self.help()
1488 |                     return
1489 |                 if args[1] not in globals():
1490 |                     if len(args) == 3:
1491 |                         try:
1492 |                             modpath = os.path.dirname(args[2])
1493 |                             modname = os.path.basename(args[2])
1494 |                             if modpath != "": 
1495 |                                 if modpath[0] == '/':
1496 |                                     sys.path.insert(0, modpath)
1497 |                                 else:
1498 |                                     sys.path.insert(0, os.path.join(os.getcwd(), 
1499 |                                                 modpath))
1500 |                             mod  = importlib.import_module(modname)
1501 |                             importlib.reload(mod)
1502 |                             if args[1] in dir(mod):
1503 |                                 self.dl.dlchunk_callback = getattr(mod, args[1])
1504 |                                 self.dl.dlchunk_callback_cached = None
1505 |                         except Exception as e:
1506 |                             self.dl.logmsg("[!] Couldn't load module: %s" % args[2])
1507 |                             print(e)
1508 |                     else:
1509 |                         self.dl.logmsg("[!] Couldn't find object %s. Specify module" % 
1510 |                                 args[1])
1511 |                         self.help()
1512 |                 else:
1513 |                     self.dl.dlchunk_callback = globals()[args[1]]
1514 |                     self.dl.dlchunk_callback_cached = None
1515 |                 self.dl.logmsg('%s registered as callback' % args[1])
1516 |             else:
1517 |                 self.help()
1518 | 
1519 | ################################################################################
1520 |     class dlchunk(dlcmd):
1521 |         "print a comprehensive view of a dlchunk"
1522 | 
1523 |         def __init__(self, dl):
1524 | #        dlcmd.__init__(self, dl)
1525 |             dlcmd.__init__(self, dl, "dlchunk")
1526 | #        super(dlchunk, self).__init__("dlchunk", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1527 |             self.dl = dl
1528 | 
1529 |         def help(self):
1530 |             self.dl.logmsg('usage: dlchunk [-v] [-f] [-x] [-c <count>] <addr>')
1531 |             self.dl.logmsg(' <addr>  a dlmalloc chunk header')
1532 |             self.dl.logmsg(' -v      use verbose output (multiples for more verbosity)')
1533 |             self.dl.logmsg(' -f      use <addr> explicitly, rather than be smart')
1534 |             self.dl.logmsg(' -x      hexdump the chunk contents')
1535 |             self.dl.logmsg(' -m      max bytes to dump with -x')
1536 |             self.dl.logmsg(' -c      number of chunks to print')
1537 |             # I suspect we want this to be a different command?
1538 |             self.dl.logmsg(' -s      search pattern when print chunks')
1539 |             self.dl.logmsg(' -S      size to override chunk size (e.g. if corrupted)')
1540 |             self.dl.logmsg(' --depth depth to search inside chunk')
1541 |             self.dl.logmsg(' -d      debug and force printing stuff')
1542 |             self.dl.logmsg(' -p      print data inside at given offset (summary representation)')
1543 |             self.dl.logmsg(' -n      do not output the trailing newline (summary representation)')
1544 |             self.dl.logmsg("Flag legend: C=CINUSE, P=PINUSE")
1545 |             return
1546 | 
1547 |         @has_inferior
1548 |         def invoke(self, arg, from_tty):
1549 |             "Usage can be obtained via dlmalloc -h"
1550 |             try:
1551 |                 if arg == '':
1552 |                     self.help()
1553 |                     return
1554 | 
1555 |                 verbose = 0
1556 |                 force = False
1557 |                 hexdump = False
1558 |                 no_newline = False
1559 |                 maxbytes = 0
1560 | 
1561 |                 s_found = False
1562 |                 c_found = False
1563 |                 m_found = False
1564 |                 S_found = False
1565 |                 p_found = False
1566 |                 depth_found = False
1567 |                 debug = False
1568 |                 count_ = 1
1569 |                 search_val = None
1570 |                 search_depth = 0
1571 |                 print_offset = None
1572 |                 addresses = []
1573 |                 size = None
1574 |                 for item in arg.split():
1575 |                     if m_found:
1576 |                         if item.find("0x") != -1:
1577 |                             maxbytes = int(item, 16)
1578 |                         else:
1579 |                             maxbytes = int(item)
1580 |                         m_found = False
1581 |                     elif depth_found:
1582 |                         if item.find("0x") != -1:
1583 |                             search_depth = int(item, 16)
1584 |                         else:
1585 |                             search_depth = int(item)
1586 |                         depth_found = False
1587 |                     elif s_found:
1588 |                         if item.find("0x") != -1:
1589 |                             search_val = item
1590 |                         s_found = False
1591 |                     elif c_found:
1592 |                         count_ = int(item)
1593 |                         c_found = False
1594 |                     elif p_found:
1595 |                         try:
1596 |                             print_offset = int(item)
1597 |                         except ValueError:
1598 |                             print_offset = int(item, 16)
1599 |                         p_found = False
1600 |                     elif S_found:
1601 |                         if item.find("0x") != -1:
1602 |                             size = int(item, 16)
1603 |                         else:
1604 |                             size = int(item)
1605 |                         S_found = False
1606 |                     elif item.find("-v") != -1:
1607 |                         verbose += 1
1608 |                     elif item.find("-f") != -1:
1609 |                         force = True
1610 |                     elif item.find("-n") != -1:
1611 |                         no_newline = True
1612 |                     elif item.find("-x") != -1:
1613 |                         hexdump = True
1614 |                     elif item.find("-m") != -1:
1615 |                         m_found = True
1616 |                     elif item.find("-p") != -1:
1617 |                         p_found = True
1618 |                     elif item.find("-s") != -1:
1619 |                         s_found = True
1620 |                     elif item.find("-S") != -1:
1621 |                         S_found = True
1622 |                     elif item.find("--depth") != -1:
1623 |                         depth_found = True 
1624 |                     elif item.find("-c") != -1:
1625 |                         c_found = True
1626 |                     # XXX Probably make this a helper
1627 |                     elif item.find("0x") != -1:
1628 |                         if item.find("-") != -1 or item.find("+") != -1:
1629 |                             p = self.parse_var(item)
1630 |                         else:
1631 |                             try:
1632 |                                 p = int(item, 16)
1633 |                             except ValueError:
1634 |                                 p = self.parse_var(item)
1635 |                         addresses.append(p)
1636 |                     elif item.find("$") != -1:
1637 |                         p = self.parse_var(item)
1638 |                         addresses.append(p)
1639 |                     elif item.find("-d") != -1:
1640 |                         debug = True # This is an undocumented dev option
1641 |                     elif item.find("-h") != -1:
1642 |                         self.help()
1643 |                         return
1644 | 
1645 |                 if not addresses or None in addresses:
1646 |                     print("WARNING: No address supplied?")
1647 |                     self.help()
1648 |                     return
1649 | 
1650 |                 bFirst = True
1651 |                 for addr in addresses:
1652 |                     if bFirst:
1653 |                         bFirst = False
1654 |                     else:
1655 |                         print("-"*60)
1656 |                     count = count_
1657 |                     p = dl_chunk(self.dl, addr, size=size)
1658 |                     dump_offset = 0
1659 |                     while True:
1660 |                         suffix = ""
1661 |                         if search_val != None:
1662 |                             # Don't print if the chunk doesn't have the pattern
1663 |                             if not self.dl.search_chunk(p, search_val, 
1664 |                                     depth=search_depth):
1665 |                                 suffix = " [NO MATCH]"
1666 |                             else:
1667 |                                 suffix = " [MATCH]"
1668 |                         # XXX - this is hardcoded for x64 dlmalloc as we have been testing it on asa912-smp for now
1669 |                         #print_offset = 0x54
1670 |                         i_spi_offset = 0x30
1671 |                         # XXX - the current representation is not really generic as we print the first short
1672 |                         # as an ID and the second 2 bytes as 2 characters. We may want to support passing the
1673 |                         # format string as an argument but this is already useful
1674 |                         #if print_offset != None:
1675 |                         #    mem = get_inferior().read_memory(p.data_address + print_offset, 4)
1676 |                         #    (id_, desc) = struct.unpack_from("<H2s", mem, 0x0)
1677 |                         #    if is_ascii(desc):
1678 |                         #        suffix += " 0x%04x %s" % (id_, str(desc, encoding="utf-8"))
1679 |                         #    else:
1680 |                         #        suffix += " 0x%04x hex(%s)" % (id_, str(binascii.hexlify(desc), encoding="utf-8"))
1681 |                         if print_offset != None:
1682 |                             mem = get_inferior().read_memory(p.data_address, print_offset+0x10)
1683 |                             mem_off = mem[print_offset: print_offset + 6]
1684 |                             (id_, desc) = struct.unpack_from("<H4s", mem_off, 0x0)
1685 |                             not_match = False
1686 |                             if is_ascii(desc):
1687 |                                 c = desc[0]
1688 |                                 for c2 in desc:
1689 |                                     if c2 != c:
1690 |                                         not_match = True
1691 |                                         break
1692 |                                 if not not_match:
1693 |                                     mem_spi = mem[i_spi_offset: i_spi_offset + 8]
1694 |                                     i_spi = struct.unpack_from("8s", mem_spi, 0x0)[0]
1695 |                                     try:
1696 |                                         i_spi = str(i_spi, encoding="utf-8")
1697 |                                     except UnicodeDecodeError:
1698 |                                         i_spi = "UNKNOWNX"
1699 |                                     suffix += " %s %s %d" % (i_spi, str(desc, encoding="utf-8"), id_)
1700 |                             # if not ascii, probably not interesting anyway?
1701 |                             #else:
1702 |                             #    suffix += " 0x%04x hex(%s)" % (id_, str(binascii.hexlify(desc), encoding="utf-8"))
1703 | 
1704 | 
1705 |                         if verbose == 0:
1706 |                             if no_newline:
1707 |                                 print(self.dl.chunk_info(p) + suffix, end="")
1708 |                             else:
1709 |                                 print(self.dl.chunk_info(p) + suffix)
1710 |                         elif verbose == 1:
1711 |                             print(p)
1712 |                             dump_offset = self.dl.dispatch_callback(p, debug=debug)
1713 |                         if hexdump:
1714 |                             self.dl.hexdump(p, maxbytes, dump_offset)
1715 |                         count -= 1
1716 |                         if count != 0:
1717 |                             if verbose or hexdump:
1718 |                                 print('--')
1719 |                             if self.dl.is_end_chunk(p) and force == False:
1720 |                                 print("<<< end of heap segment >>>")
1721 |                                 break
1722 |                             if self.dl.chunksize(p) == 0:
1723 |                                 print("[!] Detected chunksz 0")
1724 |                                 break
1725 |                             p = dl_chunk(self.dl, addr=(p.address + self.dl.chunksize(p)))
1726 |                             if p.initOK == False:
1727 |                                 break
1728 |                         else:
1729 |                             break
1730 |             except Exception as e:
1731 |                 show_last_exception()
1732 | 
1733 | ################################################################################
1734 |     class dlmstate(dlcmd):
1735 |         "print a comprehensive view of a dlmstate"
1736 | 
1737 |         def __init__(self, dl):
1738 |             dlcmd.__init__(self, dl, "dlmstate")
1739 | #        super(dlmstate, self).__init__("dlmstate", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1740 |             self.dl = dl
1741 | 
1742 |         def help(self):
1743 |             self.dl.logmsg('usage: dlmstate [-v] [-f] [-x] [-c <count>] <addr>')
1744 |             self.dl.logmsg(' <addr>  a mstate struct addr. Optional if mstate cached')
1745 |             self.dl.logmsg(' -v      use verbose output (multiples for more verbosity)')
1746 |             self.dl.logmsg(' -c      print bin counts')
1747 |             self.dl.logmsg(' --depth how deep to count each bin (default 10)')
1748 |             self.dl.logmsg(' NOTE: Last defined mstate will be cached for future use')
1749 |             return
1750 | 
1751 |         # This should be in dl_helper probably
1752 |         def print_bin_counts(self, p, depth=10):
1753 |             mc = ""
1754 |             i = 0
1755 |             while i < len(p.smallbins):
1756 |                 bidx = int(i/2)
1757 |                 maxsz = (bidx * 8)
1758 |                 mc += "\n{:12} ".format("smallbin[%02d]" % bidx)
1759 |                 mc += "{:10} = ".format("(sz 0x%x)" % maxsz)
1760 |                 mc += "{:#10x}, ".format(p.smallbins[i])
1761 |                 mc += "{:#10x}".format(p.smallbins[i+1])
1762 |                 if p.smallmap & (1 << bidx) == 0:
1763 |                     mc += " [EMPTY]"
1764 |                 else:
1765 |                     count = self.dl.smallbin_count(bidx, depth)
1766 |                     if count > depth:
1767 |                         mc += " [%d+]" % depth
1768 |                     else:
1769 |                         mc += " [%d]" % count
1770 |                 i += 2
1771 |             i = 0
1772 |             while i < len(p.treebins):
1773 |                 maxsz = self.dl.treebin_sz[i]
1774 |                 mc += "\n{:10} ".format("treebin[%02d]" % i)
1775 |                 mc += "{:15} = ".format("(sz 0x%x)" % maxsz)
1776 |                 mc += "{:#10x}".format(p.treebins[i])
1777 |                 if p.treemap & (1 << i) == 0:
1778 |                     mc += " [EMPTY]"
1779 |                 else:
1780 |                     count = self.dl.treebin_count(i, depth)
1781 |                     if count > depth:
1782 |                         mc += " [%d+]" % depth
1783 |                     else:
1784 |                         mc += " [%d]" % count
1785 | 
1786 |                 i += 1
1787 |             print(mc)
1788 | 
1789 |         @has_inferior
1790 |         def invoke(self, arg, from_tty):
1791 | 
1792 |             if self.dl.cached_mstate == None and (arg == None or arg == ''):
1793 |                 self.help()
1794 |                 return
1795 | 
1796 |             verbose = 0
1797 |             bincount = False
1798 |             p = None
1799 |             count_depth = 10
1800 |             depth_found = False
1801 |             if arg != None:
1802 |                 for item in arg.split():
1803 |                     if item.find("-v") != -1:
1804 |                         verbose += 1
1805 |                     elif item.find("-c") != -1:
1806 |                         bincount = True
1807 |                     elif item.find("--depth") != -1:
1808 |                         depth_found = True 
1809 |                     elif depth_found:
1810 |                         if item.find("0x") != -1:
1811 |                             count_depth = int(item, 16)
1812 |                         else:
1813 |                             count_depth = int(item)
1814 |                         depth_found = False
1815 |                     elif item.find("0x") != -1:
1816 |                         p = int(item, 16)
1817 |                     elif item.find("$") != -1:
1818 |                         p = self.parse_var(item)
1819 |                     elif item.find("-h") != -1:
1820 |                         self.help()
1821 |                         return
1822 | 
1823 |             if p == None and self.dl.cached_mstate == None:
1824 |                 print("WARNING: No address supplied?")
1825 |                 self.help()
1826 |                 return
1827 | 
1828 |             if p != None:
1829 |                 p = dl_mstate(self.dl, p)
1830 |             else:
1831 |                 self.dl.logmsg("Using cached mstate")
1832 |                 p = self.dl.cached_mstate
1833 | 
1834 |             if p.topsize == 0 or p.least_addr == 0:
1835 |                 self.dl.logmsg("[!] doesn't appeart be a valid mstate")
1836 | 
1837 |             # Assume we couldn't read it from memory
1838 |             if p.initOK == False:
1839 |                 return
1840 | 
1841 |             if bincount:
1842 |                 self.print_bin_counts(p, count_depth)
1843 |                 return
1844 | 
1845 |             if verbose == 0:
1846 |                 print(p)
1847 |             # XXX - not sure what all verbose should show
1848 |             elif verbose == 1:
1849 |                 # XXX - Not sure this is the best way to do this :|
1850 |                 p.prefix_address = True
1851 |                 print(p)
1852 |                 p.prefix_address = False
1853 | 
1854 |             if self.dl.dlchunk_callback != None:
1855 |                 if p != None:
1856 |                     cbinfo = {}
1857 |                     cbinfo["caller"] = "dlmstate"
1858 |                     cbinfo["allocator"] = "dlmalloc"
1859 |                     cbinfo["size_sz"] = self.dl.SIZE_SZ
1860 |                     cbinfo["addr"] = p.address + p.size
1861 |                     self.dl.dlchunk_callback(cbinfo)
1862 | 
1863 | # XXX - finish me
1864 |     class dlsearch(dlcmd):
1865 |         def __init__(self):
1866 |             super(dlsearch, self).__init__("dlsearch", gdb.COMMAND_DATA, gdb.COMPLETE_NONE)
1867 | 
1868 |         def help(self):
1869 |             self.dl.logmsg('usage: dlsearch <hex> <min_size> <max_size>')
1870 | 
1871 |         def invoke(self, arg, from_tty):
1872 |             if arg == '':
1873 |                 self.help()
1874 |                 return
1875 |             arg = arg.split()
1876 |             #if arg[0].find("0x") == -1 or (len(arg[0]) != 10 and len(arg[0]) != 18):
1877 |             #    self.dl.logmsg("you need to provide a word or giant word for hex")
1878 |             #    return
1879 |             search_for = arg[0]
1880 |             if len(arg) > 3:
1881 |                 self.help()
1882 |                 return
1883 |             if len(arg) >= 2:
1884 |                 max_size = int(arg[1], 16)
1885 |             else:
1886 |                 max_size = 0
1887 |             if len(arg) == 3:
1888 |                 min_size = int(arg[1], 16)
1889 |             else:
1890 |                 min_size = 0
1891 | 
1892 |             # need segment parsing
1893 | #            while ar_ptr != main_arena_address:
1894 | #                self.dl.logmsg("Handling arena @ 0x%x" % dl_mstate(ar_ptr).address)
1895 | #
1896 | #                results = dl.search_heap(ar_ptr, search_for, min_size, max_size)
1897 | #
1898 | #                if len(results) == 0:
1899 | #                    self.dl.logmsg('value %s not found' % (search_for))
1900 | #                    return
1901 | #
1902 | #                for result in results:
1903 | #                    self.dl.logmsg("%s found in chunk at 0x%lx" % (search_for, int(result)))
1904 | 
1905 | if __name__ == "__main__":
1906 |     dlh = dl_helper()
1907 |     dlhelp(dlh)
1908 |     dlchunk(dlh)
1909 |     dlmstate(dlh)
1910 |     dlcallback(dlh)
1911 |     dlh.logmsg("loaded")
1912 | 


--------------------------------------------------------------------------------
/libdlmalloc_gdb.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nccgroup/libdlmalloc/9c4b5646a653e6c19b33c3507e8b7033874fbba7/libdlmalloc_gdb.py


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #
 3 | # This file is part of libdlmalloc.
 4 | # Copyright (c) 2017, Aaron Adams <aaron.adams(at)nccgroup(dot)trust>
 5 | # Copyright (c) 2017, Cedric Halbronn <cedric.halbronn(at)nccgroup(dot)trust>
 6 | 
 7 | from distutils.core import setup
 8 | 
 9 | setup(name='dlmalloc',
10 |       version='0.1',
11 |       description='gdb python library for examining the dlmalloc heap',
12 |       author='NCC Group',
13 |       url='https://github.com/nccgroup/libdlmalloc',
14 |       license="MIT",
15 |       keywords="dlmalloc gdb python",
16 |       py_modules=['libdlmalloc-2.8', 'printutils', 'prettyprinters']
17 |      )
18 | 


--------------------------------------------------------------------------------