LR Register Not Handled Well in Arm

[astewart-bah]

Description

Take the following chain for example:

chain1 = rop.func_call("realloc", [0xcafebabe, 0xa])
print(chain1)

code_base = 0x0
chain = b""
chain += p32(code_base + 0x93be8)       # pop {r0, r1, ip, lr, pc}
chain += p32(0xcafebabe)
chain += p32(0xa)
chain += p32(0x0)
chain += p32(0x0)
chain += p32(code_base + 0x1a540)

This chain calls realloc(0xcafebabe, 0xa) Note how 0 is popped into LR. When the program begins executing realloc(), it will push the contents of LR onto the stack. When the program finishes execututing realloc(), the 0 value from LR is popped into PC and this will SEGFAULT.

Steps to reproduce the bug

Attached is a zip file. Unzip and run start.sh to reproduce the problem chain. angrop_RL_issue.zip

Environment

No response

Additional context

No response

[Kyle-Kyle]

should be fixed by https://github.com/angr/angrop/pull/82 notice that this PR also adds two more APIs:

rop.shift
rop.retsled

[Kyle-Kyle]

this CI testcase chains two different function calls into one chain and works: https://github.com/angr/angrop/pull/82/files#diff-add18372f722092ba56ec70ef9cd474a14e028d17b2ee6b84e01e86fb3971783R60

[Kyle-Kyle]

this issue is fixed. let me know if the issue persists

[Kyle-Kyle]

sorry for closing the issue early before the PR was merged. But now the PR is merged. It is able to generate clean function invocation chain on ARM