Fix invalid variable delta analysis when using aaef in arm32 binary #…

…#anal
radareorg · Feb 14, 2023 · 310a32b · 310a32b
1 parent 6ae9ae1
commit 310a32b
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 8 deletions.
diff --git a/libr/core/canal.c b/libr/core/canal.c
@@ -4925,9 +4925,9 @@ static ut64 delta_for_access(RAnalOp *op, RAnalVarAccessType type) {
 	RAnalValue *src0 = r_vector_at (&op->srcs, 0);
 	RAnalValue *src1 = r_vector_at (&op->srcs, 1);
 	if (type == R_ANAL_VAR_ACCESS_TYPE_WRITE) {
-		if (dst) {
-			return dst->imm + dst->delta;
-		}
+		// XXX fix invalid var analysis when using esil
+		return 0;
+		// if (dst) { return dst->imm + dst->delta; }
 	} else {
 		if (src1 && (src1->imm || src1->delta)) {
 			return src1->imm + src1->delta;
@@ -4947,17 +4947,20 @@ static void handle_var_stack_access(REsil *esil, ut64 addr, RAnalVarAccessType t
 	const char *regname = reg_name_for_access (ctx->op, type);
 	if (ctx->fcn && regname) {
 		ut64 spaddr = r_reg_getv (esil->anal->reg, ctx->spname);
+		// XXX the delte computed here is incorrect because in esil that state can be inconsistent with the function boundaries
+		// XXX and that causes some var names to be incorrectly identified
 		if (addr >= spaddr && addr < ctx->initial_sp) {
 			int stack_off = addr - ctx->initial_sp;
 			// int stack_off = ctx->initial_sp - addr; // R2STACK
 			// eprintf (" (%llx) %llx = %d\n", ctx->initial_sp, addr, stack_off);
 			RAnalVar *var = r_anal_function_get_var (ctx->fcn, R_ANAL_VAR_KIND_SPV, stack_off);
-			if (!var) {
-				var = r_anal_function_get_var (ctx->fcn, R_ANAL_VAR_KIND_BPV, stack_off);
+			if (var) {
+				R_LOG_DEBUG ("Do not reanalyze an already defined variable");
+				return;
 			}
+			var = r_anal_function_get_var (ctx->fcn, R_ANAL_VAR_KIND_BPV, stack_off);
 			if (!var && stack_off >= -ctx->fcn->maxstack) {
-				char *varname;
-				varname = ctx->fcn->anal->opt.varname_stack
+				char *varname = ctx->fcn->anal->opt.varname_stack
 					? r_str_newf (VARPREFIX"_%xh", R_ABS (stack_off))
 					: r_anal_function_autoname_var (ctx->fcn, R_ANAL_VAR_KIND_SPV, VARPREFIX, delta_for_access (ctx->op, type));
 				var = r_anal_function_set_var (ctx->fcn, stack_off, R_ANAL_VAR_KIND_SPV, NULL, len, false, varname);
@@ -4981,6 +4984,7 @@ static bool is_stack(RIO *io, ut64 addr) {
 }
 
 static bool esilbreak_mem_write(REsil *esil, ut64 addr, const ut8 *buf, int len) {
+	// XXX causes invalid var names
 	handle_var_stack_access (esil, addr, R_ANAL_VAR_ACCESS_TYPE_WRITE, len);
 	// ignore writes in stack
 	if (myvalid (mycore->io, addr) && r_io_read_at (mycore->io, addr, (ut8*)buf, len)) {
@@ -5383,7 +5387,7 @@ R_API void r_core_anal_esil(RCore *core, const char *str /* len */, const char *
 		return;
 	}
 	iend = end - start;
-	if (iend < 0) {
+	if (iend < 1) {
 		return;
 	}
 	if (iend > MAX_SCAN_SIZE) {
@@ -5689,6 +5693,9 @@ R_API void r_core_anal_esil(RCore *core, const char *str /* len */, const char *
 				}
 			}
 			break;
+		case R_ANAL_OP_TYPE_STORE:
+			// TODO: the same as we do for load imho
+			break;
 		case R_ANAL_OP_TYPE_LOAD:
 			{
 				ut64 dst = esilbreak_last_read;

diff --git a/test/db/anal/arm b/test/db/anal/arm
@@ -1155,3 +1155,40 @@ EXPECT=<<EOF
             0x00008470      10482de9       push {r4, fp, lr}
 EOF
 RUN
+
+
+NAME=invalid varname after esil
+FILE=bins/elf/blah.bin
+CMDS=<<EOF
+s main
+af
+aaef
+pd 12
+EOF
+EXPECT=<<EOF
+            ;-- pc:
+            ;-- r15:
+/ 484: int main (int argc, char **argv);
+|           ; arg int argc @ r0
+|           ; arg char **argv @ r1
+|           ; var int32_t var_10h @ fp-0x10
+|           ; var int32_t var_14h @ fp-0x14
+|           ; var int32_t var_18h @ fp-0x18
+|           ; var int32_t var_1ch @ fp-0x1c
+|           ; var int32_t var_20h @ fp-0x20
+|           ; var int32_t var_24h @ fp-0x24
+|           ; var int32_t var_8h @ sp+0x18
+|           0x00008470      10482de9       push {r4, fp, lr}
+|           0x00008474      08b08de2       add fp, var_8h
+|           0x00008478      1cd04de2       sub sp, sp, 0x1c
+|           0x0000847c      20000be5       str r0, [var_20h]           ; 0x20 ; 32 ; argc
+|           0x00008480      24100be5       str r1, [var_24h]           ; 0x24 ; 36 ; argv
+|           0x00008484      0630a0e3       mov r3, 6
+|           0x00008488      10300be5       str r3, [var_10h]           ; 0x10 ; 16
+|           0x0000848c      0030a0e3       mov r3, 0
+|           0x00008490      14300be5       str r3, [var_14h]           ; 0x14 ; 20
+|           0x00008494      20301be5       ldr r3, [var_20h]           ; 0x20 ; 32
+|           0x00008498      020053e3       cmp r3, 2                   ; 2
+|       ,=< 0x0000849c      0300000a       beq 0x84b0
+EOF
+RUN