Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Analysis fails to identify the correct amount of function arguments #5828

Open 0xricksanchez opened 1 month ago

0xricksanchez commented 1 month ago

Version and Platform (required):

Bug Description: Analysis of the mentioned aarch64 binary fails to properly resolve the correct amount of function arguments for certain functions

Steps To Reproduce:

  1. Check out #5809 for initial context (@xusheng6 knows the details, sorry for ping :D)
  2. Grab the first attached binary libckteec.so from the linked issue
  3. Navigate to ckteec_invoke_ta
  4. Find TEEC_InvokeCommand and observe the function call in MLIL and higher lifted variants → (compare 1st screenshot)

Another instance where there are too many function arguments:

  1. Same binary
  2. Navigate to ckteec_invoke_init
  3. Find TEEC_InvokeCommand again → (compare 2nd screenshot)

Expected Behavior:

Based on the OPTEE client impl the function should look like this:

TEEC_Result TEEC_InvokeCommand(TEEC_Session* session, uint32_t commandID, TEEC_Operation* operation, uint32_t* returnOrigin)

Screenshots/Video Recording: [two screenshots attached to the issue, not reproduced here]

Additional Information: Related issue that contains the binary that I was testing with: #5809

The linked issue (also reported by me) was dealing with some functions not properly propagating function arguments even if the registers are clearly setting them up, especially for external functions as it seemed. After the merged fix, this new behavior was observed on the same binary.
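To check the reported call sites programmatically rather than by eye, here is an added headless script. It is my own example, not code from this issue or from Vector35: it counts the parameters in the prototype quoted above, walks every function's MLIL for direct calls to `TEEC_InvokeCommand`, reports sites whose lifted argument count differs, then applies the prototype to the callee as a workaround and re-checks. It assumes the binary path is given on the command line, that `TEEC_InvokeCommand` resolves through `bv.get_functions_by_name` (the PLT stub of the imported symbol in `libckteec.so`), and that only direct calls through a constant pointer matter; the helper names (`expected_param_count`, `CallSite`, `arity_mismatches`, `collect_callsites`, `apply_prototype`) are mine.

```python
"""Headless Binary Ninja check: compare the argument count at each MLIL
call site of a callee against the parameter count of an expected C
prototype. Added example, not part of binaryninja-api; the Binary Ninja
API is only touched inside collect_callsites() and apply_prototype(), so
the pure-Python parts run without a licence."""
from dataclasses import dataclass
from typing import List

# Prototype quoted in the issue (taken from the OP-TEE client).
EXPECTED_PROTOTYPE = (
    "TEEC_Result TEEC_InvokeCommand(TEEC_Session* session, "
    "uint32_t commandID, TEEC_Operation* operation, uint32_t* returnOrigin)"
)


def expected_param_count(prototype: str) -> int:
    """Count the parameters of a C prototype; '()' and '(void)' count as zero.
    Commas nested inside parentheses (function-pointer parameters) are
    ignored so they are not miscounted."""
    params = prototype[prototype.index("(") + 1:prototype.rindex(")")].strip()
    if params in ("", "void"):
        return 0
    depth, count = 0, 1
    for ch in params:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            count += 1
    return count


@dataclass
class CallSite:
    caller: str      # name of the function containing the call
    address: int     # address of the MLIL call instruction
    arg_count: int   # number of arguments Binary Ninja lifted at the site


def arity_mismatches(sites: List[CallSite], expected: int) -> List[CallSite]:
    """Return the call sites whose lifted argument count differs from expected."""
    return [s for s in sites if s.arg_count != expected]


def collect_callsites(bv, callee_name: str) -> List[CallSite]:
    """Walk every function's MLIL and record direct calls to callee_name.
    Assumes the callee resolves to one or more Binary Ninja functions
    (e.g. the PLT stub of an imported symbol in a shared object)."""
    from binaryninja import MediumLevelILCall, MediumLevelILConstPtr

    targets = {f.start for f in bv.get_functions_by_name(callee_name)}
    sites: List[CallSite] = []
    for func in bv.functions:
        try:
            mlil = func.mlil
        except Exception:  # MLIL not available for this function
            continue
        for instr in mlil.instructions:
            if not isinstance(instr, MediumLevelILCall):
                continue
            if isinstance(instr.dest, MediumLevelILConstPtr) and instr.dest.constant in targets:
                sites.append(CallSite(func.name, instr.address, len(instr.params)))
    return sites


def apply_prototype(bv, callee_name: str, prototype: str) -> None:
    """Workaround: set the prototype on the callee so callers are re-lifted with it."""
    ftype, _name = bv.parse_type_string(prototype)
    for f in bv.get_functions_by_name(callee_name):
        f.function_type = ftype
    bv.update_analysis_and_wait()


if __name__ == "__main__":
    import sys
    import binaryninja

    callee = "TEEC_InvokeCommand"
    with binaryninja.load(sys.argv[1]) as bv:  # e.g. libckteec.so from #5809
        want = expected_param_count(EXPECTED_PROTOTYPE)
        before = arity_mismatches(collect_callsites(bv, callee), want)
        for s in before:
            print(f"{s.caller} @ {s.address:#x}: lifted {s.arg_count} args, expected {want}")
        apply_prototype(bv, callee, EXPECTED_PROTOTYPE)
        after = arity_mismatches(collect_callsites(bv, callee), want)
        print(f"mismatches before: {len(before)}, after applying prototype: {len(after)}")
```

Run it as `python check_arity.py libckteec.so`; a non-empty "before" list with an empty "after" list shows that the call sites named in the report are lifted with the wrong arity only while the callee has no prototype, which is the situation the issue describes.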

VisualEhrmanntraut commented 1 month ago

I have a similar issue with symbols containing debug information. Particularly with C++ functions that are non-static. For example, the following is supposed to have a this pointer, but because the symbol has no arguments, it assumes no arguments. I'm not sure if this is a different issue, I think it's the same underlying problem. I think the analyser should use this as a guide and not as definitive information.

[screenshot attached, dated 2024-08-09]

plafosse commented 2 weeks ago

Recovering function arguments is a fundamentally undecidable problem so there are bound to be errors especially in regard to un-typed external calls. That said there are likely ways we can improve our analysis to provide more accurate parameter recovery. We are unlikely to address this in the short term.