Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Cyclic infinite loop in analysis on armv7 #3609

Open mkrasnitski-tst opened 2 years ago

mkrasnitski-tst commented 2 years ago

Version and Platform (required):

Bug Description: Analysis of certain functions in the VxWorks armv7 binary linked below gets stuck in a cyclic infinite loop, never resolving.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Download the binary at https://github.com/PAGalaxyLab/vxhunter/blob/master/example_firmware/image_vx6_arm_little_endian.bin
  2. Open it in Binary Ninja, setting the Image Base Address to 0xf2003fe4
  3. Make an armv7 function at one of the addresses in the list below
  4. Note that analysis exceeds analysis.limits.maxFunctionUpdateCount
  5. Force analysis of the function
  6. Note that analysis starts looping forever in a cyclic manner

Here is the list of addresses which cause this problem. A few of these are false positives, because they contain calls into functions which are true positives, which ends up causing problems for them too:

0xf214e8d8
0xf21806d8
0xf2189d88
0xf219353c
0xf2199dd8
0xf219a08c
0xf21a1c8c
0xf21a6674
0xf21a85d4
0xf21a87f4
0xf21af234
0xf21b08f4
0xf21b0b40
0xf21b0e40
0xf21b5270
0xf21b874c
0xf21c58f0
0xf21c699c
0xf21c6b24
0xf21cfc54
0xf21f2f9c
0xf21f67a0
0xf21f784c
0xf21f7b64
0xf221a5e8
0xf22280ac
0xf2228220
0xf2234a18
0xf2234d68
0xf223561c
0xf22358d8
0xf225d870
0xf225db78
0xf225dd60
0xf225dfc0

Expected Behavior: Analysis should resolve and not cycle.

Screenshots: [image]

rssor commented 2 years ago

Have a tentative fix for this in https://github.com/Vector35/arch-armv7/commit/3be5c43acf64301cf709aefc269d8081cdb6b1c1 but I'd like to look at a way to add the plumbing to make it unnecessary to lie about instruction lengths.