CFG party foul: B.W on thumb and ret-to-grandparent functions cause incorrect function recovery #1286
Labels: feature (Adding a new control knob to something)
Comments
ltfish added a commit that referenced this issue on Nov 16, 2018:
I was assuming that a block can be split into at most two different blocks, and the first half only has a boring jump targeting the second half. Unfortunately, this is not the case in ARM. This bug is triggered when normalizing CFG for ARM binary "a_thingy-stripped.elf" (see angr issue #1286), function 0x8002b71. The block 0x8002b70 can be split into four small blocks.
ltfish added a commit that referenced this issue on Nov 16, 2018:
- Implemented a StackPointerTracker analysis.
- Tail-call optimization detection is controlled by option "detect_tail_calls" in CFGFast. It is disabled by default (since tail call optimization detection is usually not important, and tracking stack pointer offsets can be very costly sometimes).

Implemented (proper) tail-call optimization detection. A good evening spent.
@subwire Can you please write a test case and provide a sharable binary (unless
ltfish added a commit that referenced this issue on Nov 17, 2018:
* Fix a bug in CFG/Function normalization. I was assuming that a block can be split into at most two different blocks, and the first half only has a boring jump targeting the second half. Unfortunately, this is not the case in ARM. This bug is triggered when normalizing CFG for ARM binary "a_thingy-stripped.elf" (see angr issue #1286), function 0x8002b71. The block 0x8002b70 can be split into four small blocks.
* Fix a comparison between None and addr.
ltfish added a commit that referenced this issue on Nov 17, 2018:
- Implemented a StackPointerTracker analysis.
- Tail-call optimization detection is controlled by option "detect_tail_calls" in CFGFast. It is disabled by default (since tail call optimization detection is usually not important, and tracking stack pointer offsets can be very costly sometimes).
Disclaimer: The angr suite is maintained by a small team of volunteers. While we cannot guarantee any timeliness for fixes and enhancements, we will do our best. For more real-time help with angr, from us and the community, join our Slack.
Describe the bug
In some Thumb/Cortex-M binaries, the compiler makes heavy use of the B.W instruction to do a frameless call. This happens a lot in various kinds of wrapper functions. In certain cases, this will cause functions to become part of other functions when they should not.
It's pretty clear, from at least the way GCC uses b.w, that this should be the boundary between one function and another. It's not a call, it's a jump-out, as the thing jumped into will do the real ret.
Here's an example. This is fputs in the attached binary. Note that the real fputs is at 0x08002efd, and the B.W at the bottom points to another function _fputs_r, with the real prologue there at 0x08002eb1.

In other words, if we jump to a real prologue (or something we already consider the start of a function) let's not try to merge them. Heck, if the program uses B.W at all, and the offset is less than 16 bits, this is very much definitely 100% for certain a jumpout. (Note that if the size is more than 16 bits, it could be one of those long-jumps chosen by the compiler to jump around in a large function, but who does that??)
We can deal with this nicely when there are symbols (because CFG will just use the symbols) but when there aren't, we get it wrong.
Attached are the ELF and stripped ELF versions of the same program that triggers this.
You may want to be on fix/arm_cfg_party_2 or things will not work
Environment Information
Many common issues are caused by problems with the local Python environment. Before submitting, double-check that your versions of all modules in the angr suite (angr, cle, pyvex, ...) are up to date. Please include the output of python -m angr.misc.bug_report here.
To Reproduce
a_thingy.zip
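The boundary rule the report argues for, written out as an added example (this is not angr's code, and not the fix from the referenced commits): decode a 32-bit Thumb-2 branch, tell B.W from BL, and treat a B.W whose target is already a known function start as a jump-out (tail call) rather than an edge inside the current function. The function addresses 0x08002efd (fputs) and 0x08002eb1 (_fputs_r) are the ones in the report; the address of the B.W (0x08002f0c) and the instruction bytes are constructed here, and the "known function starts" set stands in for whatever angr has from symbols or prologue detection.

```python
"""Decode Thumb-2 32-bit branches (B.W T4 / BL T1) and decide whether a B.W ends a function.

Added example for angr issue #1286; not angr code. Rule: a B.W whose target is
already a known function start is a jump-out (tail call), not an intra-function edge.
0x08002efd and 0x08002eb1 are from the report; the B.W address and bytes are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class T32Branch:
    mnemonic: str  # "b.w" or "bl"
    target: int    # absolute branch target, bit 0 clear


def encode_t32_branch(insn_addr: int, target: int, link: bool = False) -> bytes:
    """Encode B.W (T4) or BL (T1) located at insn_addr, branching to target, as 4 bytes."""
    imm32 = target - (insn_addr + 4)          # Thumb PC reads as instruction address + 4
    if target & 1 or not -(1 << 24) <= imm32 < (1 << 24):
        raise ValueError("target must be halfword aligned and within +/-16 MiB")
    imm = imm32 & 0x1FFFFFF                   # 25-bit two's complement, bit 0 always 0
    s = (imm >> 24) & 1
    i1, i2 = (imm >> 23) & 1, (imm >> 22) & 1
    j1, j2 = (~(i1 ^ s)) & 1, (~(i2 ^ s)) & 1  # J1 = NOT(I1 XOR S), J2 = NOT(I2 XOR S)
    hw1 = 0xF000 | (s << 10) | ((imm >> 12) & 0x3FF)            # 11110 S imm10
    hw2 = (0xD000 if link else 0x9000) | (j1 << 13) | (j2 << 11) | ((imm >> 1) & 0x7FF)
    return struct.pack("<HH", hw1, hw2)       # halfwords are stored little-endian


def decode_t32_branch(insn_addr: int, insn: bytes) -> Optional[T32Branch]:
    """Return the B.W/BL encoded at insn_addr, or None if insn is not one."""
    if len(insn) < 4:
        return None
    hw1, hw2 = struct.unpack("<HH", insn[:4])
    # hw1 = 11110 S imm10; hw2 = 1 L J1 1 J2 imm11. Bit 12 of hw2 = 1 selects the
    # unconditional forms; conditional B.W (T3) and BLX have it clear and are rejected.
    if (hw1 >> 11) != 0b11110 or (hw2 >> 15) != 1 or not (hw2 >> 12) & 1:
        return None
    s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
    j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
    i1, i2 = (~(j1 ^ s)) & 1, (~(j2 ^ s)) & 1
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
    if s:
        imm -= 1 << 25                        # sign-extend the 25-bit immediate
    target = (insn_addr + 4 + imm) & 0xFFFFFFFF
    return T32Branch("bl" if (hw2 >> 14) & 1 else "b.w", target)


def classify_branch(insn_addr: int, insn: bytes, known_function_starts: Set[int]) -> str:
    """'call' for BL, 'tail-call' for a B.W into a known function start, else 'jump'."""
    br = decode_t32_branch(insn_addr, insn)
    if br is None:
        return "not-a-t32-branch"
    if br.mnemonic == "bl":
        return "call"
    # angr keeps Thumb function addresses with bit 0 set (e.g. 0x08002eb1); compare aligned.
    starts = {a & ~1 for a in known_function_starts}
    return "tail-call" if br.target in starts else "jump"


# Constructed sample: the B.W at the bottom of fputs (its address is assumed) into _fputs_r.
FPUTS_BW_ADDR = 0x08002F0C
FPUTS_BW_BYTES = encode_t32_branch(FPUTS_BW_ADDR, 0x08002EB0)   # encodes as f7ff bfd0
KNOWN_STARTS = {0x08002EFD, 0x08002EB1}                          # fputs, _fputs_r (from the report)

if __name__ == "__main__":
    br = decode_t32_branch(FPUTS_BW_ADDR, FPUTS_BW_BYTES)
    print(f"{FPUTS_BW_BYTES.hex()} at 0x{FPUTS_BW_ADDR:08x} -> {br.mnemonic} 0x{br.target:08x}")
    print(classify_branch(FPUTS_BW_ADDR, FPUTS_BW_BYTES, KNOWN_STARTS))
```

The decoder deliberately accepts only the unconditional T4 B.W and BL T1 encodings; a conditional B.W (T3) can legitimately stay inside a function, so it is not a candidate for the boundary rule. With symbols present the set of known starts comes for free, which is why the report says the symbolized binary is handled correctly; on the stripped binary the same check only works if prologue detection has already populated that set.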