radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0
19.71k stars 2.94k forks

ragg2 fails to save returns of syscall #22859

Closed 3B85A591 closed 2 weeks ago

3B85A591 commented 3 weeks ago

Environment

Mon Apr 22 12:51:44 PM PDT 2024
radare2 5.8.8 0 @ linux-x86-64
birth: git.5.8.8 2024-02-05__23:36:49
commit: unknown
options: gpl release -O1 cs:5 cl:2 meson
Linux x86_64

Description

When compiling r_egg, ragg2's generated shellcode fails to save the result of the open syscall. Ragg2 works when saving the result of the read syscall. Ragg2 overwrites %rax, the return value, with 2000 too soon, before it can save it.

Test

Fails:

read@syscall(0); 
write@syscall(1); 
open@syscall(2); 
close@syscall(3); 

exit@syscall(60);

main@global(2000, 6) {
    .var17 = open("./file", 2);
    .var25 = read(.var17, &.var33, 2000);
    write(1, &.var33, .var25);

    exit(0);
}

Generated code (excerpt):

  mov rax, 2
  syscall
  add rsp, 16
  mov rax, 2000
  push rax
  push rbp
  mov rax, [rbp+24]
  push rax

push rax and mov rax, 2000 should probably be swapped

Successful:

read@syscall(0); 
write@syscall(1); 
open@syscall(2); 
close@syscall(3); 

exit@syscall(60);

main@global(2000, 6) {
    open("./file", 2);
    .var25 = read(3, &.var33, 2000);
    write(1, &.var33, .var25);

    exit(0);
}
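The listing in the report shows the failure mode: after `syscall` the return value lives in rax, and the generated code writes rax again before the `push rax` that was meant to save it. The following checker is an added example written for this page, not code from radare2 or from the issue author. It parses an Intel-syntax listing, tracks the window between each `syscall` and the first instruction that preserves rax (a `push rax` or a store to memory), and reports any write to rax inside that window. `FAILING_ASM` is the excerpt from the issue; `FIXED_ASM` is a constructed variant with the two instructions swapped as the report suggests, not output from a patched ragg2. The function names are this example's own.

```python
"""Flag syscall return values that are overwritten before they are saved.

Heuristic linter for x86-64 Intel-syntax listings such as those ragg2 emits.
"""

# Excerpt copied from the "Fails" listing in the issue above.
FAILING_ASM = """\
mov rax, 2
syscall
add rsp, 16
mov rax, 2000
push rax
push rbp
mov rax, [rbp+24]
push rax
"""

# Same sequence with `mov rax, 2000` and `push rax` swapped, as the report
# suggests. Constructed for this example; not output from a fixed ragg2.
FIXED_ASM = """\
mov rax, 2
syscall
add rsp, 16
push rax
mov rax, 2000
push rbp
mov rax, [rbp+24]
push rax
"""

# Register names that alias the syscall return register.
RAX_ALIASES = {"rax", "eax", "ax", "al", "ah"}

# Mnemonics whose first operand is a destination that gets overwritten.
DEST_FIRST = {"mov", "movzx", "movsx", "lea", "xor", "add", "sub", "and", "or",
              "imul", "inc", "dec", "neg", "not", "pop", "shl", "shr"}


def parse(listing):
    """Split a listing into (line_no, mnemonic, [operands]); skips blanks/comments."""
    insns = []
    for line_no, raw in enumerate(listing.splitlines(), 1):
        text = raw.split(";", 1)[0].strip()
        if not text:
            continue
        parts = text.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((line_no, mnem, ops))
    return insns


def writes_rax(mnem, ops):
    """True if the instruction overwrites rax (implicit writers like mul/div are ignored)."""
    return mnem in DEST_FIRST and bool(ops) and ops[0] in RAX_ALIASES


def saves_rax(mnem, ops):
    """True if rax is copied somewhere it survives: pushed, or stored to memory."""
    if mnem == "push" and ops and ops[0] in RAX_ALIASES:
        return True
    return mnem == "mov" and len(ops) == 2 and "[" in ops[0] and ops[1] in RAX_ALIASES


def find_clobbers(listing):
    """Return one finding per syscall whose return value is clobbered before being saved.

    Each finding is {"syscall_line", "clobber_line", "insn"}. The tracking window
    opens at `syscall` and closes at the first save, the first clobber, or the next
    `syscall` (which itself replaces rax).
    """
    findings = []
    pending = None  # line number of the syscall whose return value is live in rax
    for line_no, mnem, ops in parse(listing):
        if mnem == "syscall":
            pending = line_no
            continue
        if pending is None:
            continue
        if saves_rax(mnem, ops):
            pending = None  # value preserved; nothing more to check for this syscall
        elif writes_rax(mnem, ops):
            findings.append({"syscall_line": pending, "clobber_line": line_no,
                             "insn": f"{mnem} {', '.join(ops)}"})
            pending = None


    return findings


if __name__ == "__main__":
    for name, asm in (("failing", FAILING_ASM), ("fixed", FIXED_ASM)):
        print(name, find_clobbers(asm))
```

On the failing listing the checker reports the `mov rax, 2000` on line 4 as clobbering the return of the `syscall` on line 2; the swapped listing produces no finding. Feed it the assembly that `ragg2 -s` prints for a program to locate the same pattern in other generated code. One caveat: a return value that the program deliberately discards, such as the bare `open("./file", 2)` in the "Successful" variant above, is also reported, so a hit marks a place to inspect rather than a proven bug.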
trufae commented 2 weeks ago

As long as you have analyzed the issue, can you do a PR with the fix and add a test with your use case?