Version and Platform (required):
- Binary Ninja Version: 5.3.9203-dev Ultimate
- OS: macos
- OS Version: 26.2.0
- CPU Architecture: arm64
Bug Description:
When binding a symbol with an ordinal of BIND_SPECIAL_DYLIB_WEAK_LOOKUP, the symbol is looked up in the internal namespace first.
|
// In cases where we are the primary executable, flat lookup should find us first, |
|
// it seems like our best course of action is to try and find internally first on |
|
// executables, and externally on libraries. |
|
if (header.ident.filetype == MH_EXECUTE) |
|
{ |
|
if (auto symbol = GetSymbolByRawName(name, GetInternalNameSpace()); symbol) |
|
{ |
|
DefineRelocation(m_arch, relocation, symbol, relocation.address); |
|
if (objcProcessor) |
|
objcProcessor->AddRelocatedPointer(relocation.address, symbol->GetAddress()); |
|
handled = true; |
|
} |
|
else if (auto symbol = GetSymbolByRawName(name, GetExternalNameSpace()); symbol) |
|
{ |
|
DefineRelocation(m_arch, relocation, symbol, relocation.address); |
|
handled = true; |
|
} |
|
} |
|
else |
This means we run into the same issue where we'll find an ImportAddressSymbol of the same name rather than a symbol of a more suitable type. This was fixed in #7783 for BIND_SPECIAL_DYLIB_SELF, but I missed that this other codepath also searches the internal namespace.
Steps To Reproduce:
- Open the
x86_64 slice of safe pine stops smoothly in a build that has the fix for d92b368.
- Navigate to
0x100003000.
- Double-click on any of the symbols named
_encrypt or _do_stuff.
Expected Behavior:
It should take you to the function of that name that is defined within the binary. Instead it takes you to the import table entry.
In most cases this doesn't matter since you can click through the import table back to the symbol definition. But it really matters when the bind has an addend. In that case you end up with the addend being applied to the wrong symbol, and so end up at entirely the wrong address.
Binary:
safe pine stops smoothly
Version and Platform (required):
Bug Description:
When binding a symbol with an ordinal of
BIND_SPECIAL_DYLIB_WEAK_LOOKUP, the symbol is looked up in the internal namespace first.binaryninja-api/view/macho/machoview.cpp
Lines 2304 to 2322 in d92b368
This means we run into the same issue where we'll find an
ImportAddressSymbolof the same name rather than a symbol of a more suitable type. This was fixed in #7783 forBIND_SPECIAL_DYLIB_SELF, but I missed that this other codepath also searches the internal namespace.Steps To Reproduce:
x86_64slice ofsafe pine stops smoothlyin a build that has the fix for d92b368.0x100003000._encryptor_do_stuff.Expected Behavior:
It should take you to the function of that name that is defined within the binary. Instead it takes you to the import table entry.
In most cases this doesn't matter since you can click through the import table back to the symbol definition. But it really matters when the bind has an addend. In that case you end up with the addend being applied to the wrong symbol, and so end up at entirely the wrong address.
Binary:
safe pine stops smoothly