Remove hack to copy function body

wtdcode · wtdcode · commit 088c066c598a · 2025-03-05T16:49:25.000+08:00
diff --git a/tests/unit/test_ctl.c b/tests/unit/test_ctl.c
@@ -262,8 +262,6 @@ static void test_uc_ctl_arm_cpu(void)
 static void test_uc_hook_cached_cb(uc_engine *uc, uint64_t addr, size_t size,
                                    void *user_data)
 {
-    // Don't add any TEST_CHECK here since we can't refer to the global variable
-    // here.
     uint64_t *p = (uint64_t *)user_data;
     (*p)++;
     return;
@@ -276,26 +274,10 @@ static void test_uc_hook_cached_uaf(void)
     char code[] = "\x41\x4a\xeb\x00\x90";
     uc_hook h;
     uint64_t count = 0;
-#ifndef _WIN32
-    // Apple Silicon does not allow RWX pages.
-    void *callback = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
-                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
-    TEST_CHECK(callback != (void *)-1);
-#else
-    void *callback = VirtualAlloc(NULL, 4096, MEM_RESERVE | MEM_COMMIT,
-                                  PAGE_EXECUTE_READWRITE);
-    TEST_CHECK(callback != NULL);
-#endif
-
-    memcpy(callback, (void *)test_uc_hook_cached_cb, 4096);
-
-#ifndef _WIN32
-    TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_EXEC) == 0);
-#endif
 
     uc_common_setup(&uc, UC_ARCH_X86, UC_MODE_32, code, sizeof(code) - 1);
 
-    OK(uc_hook_add(uc, &h, UC_HOOK_CODE, (void *)callback, (void *)&count, 1,
+    OK(uc_hook_add(uc, &h, UC_HOOK_CODE, (void *)test_uc_hook_cached_cb, (void *)&count, 1,
                    0));
 
     OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
@@ -306,28 +288,15 @@ static void test_uc_hook_cached_uaf(void)
     // This will clear deleted hooks and SHOULD clear cache.
     OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
 
-#ifndef _WIN32
-    TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_WRITE) == 0);
-#endif
-
-    memset(callback, 0, 4096);
-
-#ifndef _WIN32
-    TEST_CHECK(mprotect(callback, 4096, PROT_READ | PROT_EXEC) == 0);
-#endif
-
-    // Now hooks are deleted and thus this will trigger a UAF
+    // Now hooks are deleted and thus this _should not_ call test_uc_hook_cached_cb anymore.
+    // If the hook is allocated like from malloc, and the code region is free-ed, this call _shall not_
+    // call the hook anymore to avoid UAF.
     OK(uc_emu_start(uc, code_start, code_start + sizeof(code) - 1, 0, 0));
 
+    // Only 4 calls
     TEST_CHECK(count == 4);
 
     OK(uc_close(uc));
-
-#ifndef _WIN32
-    munmap(callback, 4096);
-#else
-    VirtualFree(callback, 0, MEM_RELEASE);
-#endif
 }
 
 static void test_uc_emu_stop_set_ip_callback(uc_engine *uc, uint64_t address,
