rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0
2.65k stars 355 forks

Unrealistic Type Propagation Test #1132

Open thestr4ng3r opened 3 years ago

thestr4ng3r commented 3 years ago

The test "jni and SoP" in test/db/cmd/types, which tests type/offset propagation from a global variable, is quite funny; see the comment here:

NAME=jni and SoP
FILE=bins/elf/libverifyPass.so
CMDS=<<EOF
e analysis.vars.stackname=true
e asm.bytes=true
e asm.lines.bb=false
aa
s sym.Java_com_app_ndh_NDHActivity_print
to bins/headers/jni.h

# This is actually quite wrong, regarding what this function actually does :-)
# We are manually crafting the canary value such that it looks like a pointer
# and say that at this pointer there is a JNINativeInterface object, in order
# to test propagation from a global variable.
# Do not hesitate to edit this test if you find a better case for testing this.
e io.cache=1
wx 37133713 @ reloc.target.__stack_chk_guard
tl JNINativeInterface 0x13371337
tl JNINativeInterface 0x464c457f # \x7fELF, the "pointer" when dereferencing addr 0

pdf~JNINativeInterface
pdr~JNI?
EOF
EXPECT=<<EOF
| ; var struct JNINativeInterface @ sp+0x12c
| 0x00000f74      4b93           str   r3, [JNINativeInterface]
| 0x00000f76      039b           ldr   r3, [var_134h]                  ; JNINativeInterface.reserved0
| 0x00000f7e      d358           ldr   r3, [r2, r3]                    ; JNINativeInterface.GetStringUTFChars
| 0x00000f82      019a           ldr   r2, [var_13ch]                  ; JNINativeInterface.reserved0
| 0x0000100e      d358           ldr   r3, [r2, r3]                    ; JNINativeInterface.GetStringLength
| 0x00001012      019a           ldr   r2, [var_13ch]                  ; JNINativeInterface.reserved0
| 0x00001066      d258           ldr   r2, [r2, r3]                    ; JNINativeInterface.NewStringUTF
| 0x00001114      d258           ldr   r2, [r2, r3]                    ; JNINativeInterface.NewStringUTF
| 0x0000112e      d258           ldr   r2, [r2, r3]                    ; JNINativeInterface.NewStringUTF
| 0x00001144      4b9a           ldr   r2, [JNINativeInterface]
| 0x00001148      9a42           cmp   r2, r3                          ; JNINativeInterface.reserved0
12
EOF
RUN

But the test is somewhat valuable for testing these specific features. It should be replaced by something else that tests actually correct global variables.

Also, this is testing for type propagation that happens automatically in the tl command. IMO something like tl should really just assign the type and not analyze anything.
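For reference, the shape of source that would give the test a real global to propagate from, instead of a forged stack canary: a global pointer to a struct of function pointers, loaded and dereferenced by the function under analysis. This is an added illustration, not code from the rizin repository or its test suite; `fake_native_interface`, `g_iface` and `print_via_iface` are made-up names, and the struct only stands in for the reserved-slots-then-function-pointers layout of JNINativeInterface rather than reproducing jni.h exactly.

```c
/* Added example, not part of rizin or its tests. Compiled, this yields a
 * binary with a genuine global (g_iface) pointing at a struct of function
 * pointers, which is the pattern the "jni and SoP" test wants to exercise.
 * All identifiers here are illustrative. */
#include <stddef.h>
#include <string.h>

/* Stand-in for the start of struct JNINativeInterface: a few reserved
 * slots followed by function pointers. Only the shape matters for type
 * propagation, so signatures are simplified and the slot order does not
 * claim to match jni.h. */
struct fake_native_interface {
    void *reserved0;
    void *reserved1;
    void *reserved2;
    void *reserved3;
    size_t (*GetStringLength)(const char *s);
    const char *(*GetStringUTFChars)(const char *s);
};

static size_t impl_length(const char *s) { return strlen(s); }
static const char *impl_chars(const char *s) { return s; }

static const struct fake_native_interface g_iface_storage = {
    NULL, NULL, NULL, NULL, impl_length, impl_chars
};

/* The global an analysis would type as `struct fake_native_interface *`.
 * It is a real data-section symbol, so `tl` could be applied to it directly
 * rather than to a patched canary value. */
const struct fake_native_interface *g_iface = &g_iface_storage;

/* Same access pattern as the JNI function in the test: load the interface
 * pointer from the global, then call through two of its slots. An analysis
 * that propagates the global's type should label both dereferences. */
size_t print_via_iface(const char *s)
{
    const struct fake_native_interface *env = g_iface;  /* load from global */
    const char *chars = env->GetStringUTFChars(s);      /* field deref */
    return env->GetStringLength(chars);                 /* field deref */
}

int main(void)
{
    /* "hello" has five bytes, so a correct call chain returns 5. */
    return print_via_iface("hello") == 5 ? 0 : 1;
}
```

Building this as a shared object (for example with `-shared -fPIC`) keeps `g_iface` as an exported global that the disassembly loads explicitly, which is what a replacement test would want to assert on.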

XVilka commented 3 years ago

Non-Fungible Issue.