
Failed to detect function parameter if the parameter is used by a subroutine implicitly #6308

Open
wizche opened this issue Jan 10, 2025 · 1 comment
Labels
Component: Core (Issue needs changes to the core) · Effort: Medium (Issue should take < 1 month) · Impact: Medium (Issue is impactful with a bad, or no, workaround) · Type: Bug (Issue is a non-crashing bug with repro steps)

Comments


wizche commented Jan 10, 2025

Version and Platform (required):

  • Binary Ninja Version: 4.2.6455
  • OS: Debian
  • OS Version: 12
  • CPU Architecture: x64

Bug Description:
Binary Ninja fails to detect a parameter for a function in a simple ELF binary (compiled with gcc version 12.2.0 with -Wall -O3).
The function in question is execute_cgi_command, and here is a call to it from the binary:

  22 @ 00001311  rdi_1#3 = rbx_1#1   <---------------
  23 @ 00001314  [rbx_1#1 + rax_1#3].b = 0 @ mem#3 -> mem#6
  24 @ 00001318  mem#7 = execute_cgi_command() @ mem#6

We observe that the parameter rdi is prepared just before the function call.
Moreover, within the function, this parameter is immediately utilized:

000012a0    char* execute_cgi_command()
0 @ 000012a8  result#1, mem#1 = strstr(rdi#0, "/cgi-bin/") @ mem#0 <---------------
1 @ 000012b0  if (result#1 == 0) then 2 else 3 @ 0x12b2

Initially, I thought it failed to detect the calling convention, but I can see that it is detected correctly:
[screenshot: 2025-01-10-190505]

Could the zero-byte write before the call (mov byte [rbx+rax], 0x0) be confusing Binary Ninja?
Compiling with -O0 resolves the issue, and the call no longer includes this instruction:

   7 @ 0000138f  rax_4 = var_10
   8 @ 00001393  rdi_2 = rax_4
   9 @ 00001396  execute_cgi_command(rdi_2)

Compiling with clang exhibits the same behavior, whereas compiling with arm-linux-gcc results in the parameter being detected. I tested an older stable version (4.0) to verify it was not a regression and I had the same issue.

Steps To Reproduce:
Please provide all steps required to reproduce the behavior:

  1. Open recv-01.elf contained in example.zip
  2. Navigate to execute_cgi_command() function

Expected Behavior:
Function should take a parameter (char *)

Binary:
example.zip

xusheng6 (Member) commented:

I guess the reason for this issue is that at the top of execute_cgi_command, the rdi register is used as a parameter for strstr implicitly.

execute_cgi_command:
000012a0  push    rbx {__saved_rbx}
000012a1  lea     rsi, [rel data_2004]  {"/cgi-bin/"}
000012a8  call    strstr

We will need to see how to resolve it.
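The inference xusheng6 describes, worked as an added standalone script (not Binary Ninja's own analysis code and not part of this issue): it parses the SSA MLIL text quoted above, treats any argument register read at version 0 (rdi#0, never assigned inside the function) as live on entry, and records which subroutine consumes it. The listing is embedded as constructed sample input, and the System V AMD64 register order is assumed for mapping registers to positional parameters; it generalizes beyond the strstr case to any read of an entry-version argument register.

```python
import re

# Integer argument registers of the System V AMD64 calling convention, in order (assumed).
SYSV_ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")

# Constructed sample input: the SSA MLIL of execute_cgi_command quoted in the issue.
SAMPLE_LISTING = """\
000012a0    char* execute_cgi_command()
0 @ 000012a8  result#1, mem#1 = strstr(rdi#0, "/cgi-bin/") @ mem#0
1 @ 000012b0  if (result#1 == 0) then 2 else 3 @ 0x12b2
"""

INSTR = re.compile(r"^\s*\d+ @ [0-9a-f]+\s+(.*)$")     # "N @ addr  <expression>"
SSA_VAR = re.compile(r"\b([a-z][a-z0-9_]*)#(\d+)\b")    # name#version
CALL = re.compile(r"\b([A-Za-z_]\w*)\(([^()]*)\)")       # callee(args)


def parse_instructions(listing):
    """Yield (lhs, rhs) for each 'N @ addr' line; lhs is empty when there is no '='."""
    for line in listing.splitlines():
        m = INSTR.match(line)
        if not m:
            continue
        expr = m.group(1)
        lhs, sep, rhs = expr.partition(" = ")
        yield (lhs, rhs) if sep else ("", expr)


def undefined_reads(listing, arg_regs=SYSV_ARG_REGS):
    """Map each argument register read at SSA version 0 (live on entry) to the
    callee it is passed to, or None when it is read outside a call. Only
    right-hand-side reads are scanned."""
    reads = {}
    for _, rhs in parse_instructions(listing):
        # The issue's case: the entry value flows straight into a subroutine call.
        for callee, args in CALL.findall(rhs):
            for reg, ver in SSA_VAR.findall(args):
                if ver == "0" and reg in arg_regs:
                    reads.setdefault(reg, callee)
        # Any other read of an entry-version argument register (e.g. a compare).
        for reg, ver in SSA_VAR.findall(rhs):
            if ver == "0" and reg in arg_regs:
                reads.setdefault(reg, None)
    return reads


def infer_parameters(listing, arg_regs=SYSV_ARG_REGS):
    """Registers the function must declare: every argument register up to the
    highest one that is live on entry, because arguments are positional."""
    live_in = undefined_reads(listing, arg_regs)
    last = max((arg_regs.index(reg) for reg in live_in), default=-1)
    return list(arg_regs[: last + 1])
```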

xusheng6 added the labels Type: Bug, Component: Core, Effort: Medium and Impact: Medium on Jan 14, 2025
xusheng6 changed the title from "Failed to detect function parameter for x86_64 linux ELF binary" to "Failed to detect function parameter if the parameter is used by a subroutine implicitly" on Jan 14, 2025