radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Call xrefs from relocation section #9975

Open Toizi opened 6 years ago

Toizi commented 6 years ago

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Xubuntu amd64 |
| File format of the file you reverse (mandatory) | ELF |
| Architecture/bits of the file (mandatory) | x86/64 |
| r2 -v full output, not truncated (mandatory) | radare2 2.6.0-git 17914 @ linux-x86-64 git.2.5.0-59-g6bff6b758 commit: 6bff6b758aec9e6655101ead1b9f4351e52e8d86 build: 2018-04-15__17:46:43 |

Expected behavior

r2 radare2-regressions/bins/jmptbl/ls_amd64 -A
> s 0x004020a8
> pd 1
            0x004020a8      e8e2610000     call fcn.0040828f
> axf
>

There are no call xrefs.

Actual behavior

r2 radare2-regressions/bins/jmptbl/ls_amd64 -A
> s 0x004020a8
> pd 1
            0x004020a8      e8e2610000     call fcn.0040828f
> axf
 0x4020a8 call fcn.0040828f
C 0x4020a8 call fcn.0040828f

There is a call xref into the middle of a function, messing up disassembly.

> s 0x00408283
> pdf
...
0x00408283      488b5dc8       mov rbx, qword [local_38h]
0x00408287      64             invalid
0x00408288      48             invalid
0x00408289      33             invalid
0x0040828a      1c25           sbb al, 0x25
0x0040828c      2800           sub byte [rax], al
0x0040828e      00             invalid

0x0040828f   <--- call xref from reloc section

Steps to reproduce the behavior

The binary is in the r2 regression repo radare2-regressions/bins/jmptbl/ls_amd64

I have looked into the code already and the issue is probably somewhere in libr/core/canal.c r_core_anal_search_xrefs, where it disassembles anything looking for jumps/calls.

@sivaramaaa

radare commented 5 years ago

Can you share this binary? Is the bug still there after so much time?

Toizi commented 5 years ago

radare2 3.6.0-git 22086 @ linux-x86-64 git.3.5.1-263-g762b8e2d5
commit: 762b8e2d50ffff49354511dab0203cdf8187c84f build: 2019-06-17__09:16:05

This version (should be current master) still has this issue.

As I said in the bug report, the binary can be found in the r2 regression repo radare2-regressions/bins/jmptbl/ls_amd64

radare commented 5 years ago

Works fine for me.

radare commented 5 years ago

[Screenshot attached: 2019-06-19 at 18:38:54]

Toizi commented 5 years ago

@radare Maybe my bug report was not worded clearly enough. At address 0x004020a8 - which is part of the relocations, i.e. data - the bytes represent a call when disassembled, which makes radare create this function from your screenshot. However, the relocation data should not be disassembled because it's not actually code. In this case, it is not just some wrong xref but also the function is broken because of this. To look at the broken function, pdf @ 0x00407f80 and scroll down until you can see an invalid opcode. Right after the invalid, the function from your screenshot starts, which is not actually a valid function for a compiler-generated binary. Hope this clears things up.
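The mechanism described in the original report and in the comment above, as an added example that is neither radare2's own code nor anything posted in this thread: a linear sweep for x86-64 `call rel32` (opcode `E8`) encodings that computes each target the way the CPU would (next instruction address plus the sign-extended displacement) and then discards any candidate whose source byte lies outside a section flagged `SHF_EXECINSTR`. The section table and bytes below are constructed to mirror the addresses in the report (the bytes `e8 e2 61 00 00` at 0x4020a8 inside `.rela.dyn`, which decode to a call to 0x40828f); they are not the real contents of `ls_amd64`, and the `Section` class and function names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ELF section header flags (sh_flags) relevant to this check.
SHF_ALLOC = 0x2        # section occupies memory at run time
SHF_EXECINSTR = 0x4    # section holds executable instructions


@dataclass(frozen=True)
class Section:
    """One loaded section: name, virtual address, sh_flags and raw bytes."""
    name: str
    addr: int
    flags: int
    data: bytes

    def contains(self, va: int) -> bool:
        return self.addr <= va < self.addr + len(self.data)


def section_for(sections: List[Section], va: int) -> Optional[Section]:
    """Return the section covering va, or None if it is unmapped."""
    return next((s for s in sections if s.contains(va)), None)


def is_code(sections: List[Section], va: int) -> bool:
    """True only if va lies in a section flagged SHF_EXECINSTR."""
    s = section_for(sections, va)
    return s is not None and bool(s.flags & SHF_EXECINSTR)


def sweep_calls(sections: List[Section], require_code: bool = True) -> List[Tuple[int, int]]:
    """Linear sweep for 'call rel32' (0xE8 + 4-byte signed displacement).

    Returns (source, target) pairs. The target is the address of the next
    instruction (source + 5) plus the displacement. With require_code=True,
    a candidate whose source byte is not in an executable section is dropped,
    which is exactly what keeps relocation data from producing a call xref.
    """
    refs: List[Tuple[int, int]] = []
    for s in sections:
        # off + 5 <= len(s.data) guarantees the full 5-byte encoding is present
        for off in range(len(s.data) - 4):
            if s.data[off] != 0xE8:
                continue
            src = s.addr + off
            if require_code and not is_code(sections, src):
                continue
            rel = struct.unpack_from("<i", s.data, off + 1)[0]
            dst = (src + 5 + rel) & 0xFFFFFFFFFFFFFFFF
            refs.append((src, dst))
    return refs


# Constructed image (not the real ls_amd64 bytes): one 24-byte RELA entry in
# .rela.dyn whose bytes at 0x4020a8 happen to be e8 e2 61 00 00, i.e. a
# 'call 0x40828f' if decoded as code, and a genuine call inside .text.
SECTIONS = [
    Section(".rela.dyn", 0x4020A0, SHF_ALLOC,
            bytes(8) + bytes.fromhex("e8e2610000") + bytes(11)),
    Section(".text", 0x408280, SHF_ALLOC | SHF_EXECINSTR,
            bytes.fromhex("488b5dc8")        # mov rbx, qword [rbp-0x38]
            + bytes.fromhex("e807000000")    # call 0x408290
            + bytes.fromhex("c3")),          # ret
]

if __name__ == "__main__":
    for src, dst in sweep_calls(SECTIONS, require_code=False):
        sec = section_for(SECTIONS, src)
        print(f"candidate 0x{src:x} -> 0x{dst:x}  ({sec.name}, code={is_code(SECTIONS, src)})")
    print("accepted:", [(hex(s), hex(d)) for s, d in sweep_calls(SECTIONS)])
```

Run stand-alone it lists both candidates, then the accepted set containing only the `.text` call; the 0x4020a8 candidate is rejected because its section carries `SHF_ALLOC` but not `SHF_EXECINSTR`, even though its bytes decode to a plausible call.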