radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

r2ghidra: SBORROW4 wrongly used in condition #22854

Closed yangzao closed 3 weeks ago

yangzao commented 3 weeks ago

Environment

[0x00001060]> date
Thu Apr 18 19:45:06 2024
[0x00001060]> r2 -v
radare2 5.8.9 31711 @ linux-x86-64
birth: git.5.8.8-1074-gbe75b2d9ee 2024-02-13__17:26:56
commit: be75b2d9ee0701582aae047c2a717c4a64d6503e
options: gpl -O1 cs:5 cl:2 make
[0x00001060]> uname -ms
x86

Description

When using r2ghidra, the decompiled for-loop condition incorrectly uses SBORROW4 to represent <.

Original code:

loop < 111

Decompiled code:

iStack_24 == 0x6e || SBORROW4(iStack_24, 0x6e) != iStack_24 + -0x6e < 0

The original condition can be met when loop is less than 111, but the decompiled condition is always false.

If iStack_24 is less than 0x6e (110), a signed borrow occurs, so both the left (SBORROW4(iStack_24, 0x6e)) and right (iStack_28 + -2 < 0) parts are true and the condition is false. So the loop body is not reachable in decompiled code.

Test

Files: 2.zip

Commands used:

r2 orig_exec
aaa
pdg @ sym.func_1

The issue is in the last for loop near the end of the function.
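The decompiled pattern can be checked directly. The following is an added example, not code from the issue or from the radare2, r2ghidra or Ghidra projects: it models Ghidra's INT_SBORROW operator in Python (true when a signed 32-bit subtraction a - b overflows the signed range), evaluates the posted condition for sample values of iStack_24 with C operator precedence applied, and reports any inputs where it disagrees with the original `loop < 111`. The sample inputs are constructed; the helper names are hypothetical.

```python
# Added example (not from the issue or the r2ghidra/Ghidra projects): a model of
# Ghidra's INT_SBORROW semantics used to evaluate the decompiled loop condition.

INT32_MIN = -(1 << 31)
INT32_MAX = (1 << 31) - 1


def to_i32(value: int) -> int:
    """Wrap an arbitrary Python int to a signed 32-bit two's-complement value."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def sborrow4(a: int, b: int) -> bool:
    """Model of Ghidra's INT_SBORROW on 4-byte operands.

    In P-code, INT_SBORROW(a, b) is true when the signed subtraction a - b
    overflows, i.e. the exact result does not fit in the signed 32-bit range.
    It is a signed-overflow flag, not an unsigned borrow. Both operands are
    interpreted as signed 32-bit values.
    """
    exact = to_i32(a) - to_i32(b)
    return exact < INT32_MIN or exact > INT32_MAX


def decompiled_condition(istack_24: int) -> bool:
    """The condition as printed in the issue, with C precedence made explicit.

    In C, `<` binds tighter than `!=`, so
        SBORROW4(x, 0x6e) != x + -0x6e < 0
    parses as
        SBORROW4(x, 0x6e) != ((x + -0x6e) < 0)
    and the addition is 32-bit wrapping arithmetic.
    """
    x = to_i32(istack_24)
    diff_negative = to_i32(x + -0x6E) < 0
    return x == 0x6E or (sborrow4(x, 0x6E) != diff_negative)


def original_condition(loop: int) -> bool:
    """The source-level condition the issue gives for the original code."""
    return to_i32(loop) < 111


def find_mismatches(values):
    """Return the inputs for which the two conditions disagree."""
    return [v for v in values if decompiled_condition(v) != original_condition(v)]


if __name__ == "__main__":
    # Constructed sample inputs, including the signed 32-bit extremes.
    samples = list(range(-5, 120)) + [INT32_MIN, INT32_MIN + 1, INT32_MAX]
    for v in (100, 110, 111, INT32_MIN, INT32_MAX):
        print(f"{v:>12}: sborrow4={sborrow4(v, 0x6E)!s:5} "
              f"decompiled={decompiled_condition(v)!s:5} "
              f"original={original_condition(v)}")
    print("mismatches:", find_mismatches(samples))
```

The overflow check is done on the exact (unbounded) difference and then compared against the 32-bit range, which is the definition of signed overflow; the wrapped subtraction in `decompiled_condition` mirrors what the machine computes, so the sign test sees the same value the overflow flag was derived from.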

trufae commented 3 weeks ago

Please reopen the ticket in the r2ghidra repo.