Open thestr4ng3r opened 3 years ago
@thestr4ng3r when does this happen?
What exactly do you mean? It seems like it happens in jumptable analysis.
What exactly do you mean? It seems like it happens in jumptable analysis.
Do you see this with any ELF? Just with .o files? Or with .so? Or even with executables?
The example given in the description is 0x000071e0
in our bins/elf/ls
, which is an elf executable. In theory it can happen with any ELF that has a tailjmp to an imported function without lazy binding.
Since 58433a72accfee45dce6085f49d3f7b84a56aa05, relocs in ELF are patched by default without needing
io.cache
. This has brought some issues to light since now pretty much the entire test suite runs with reloc patching. In particular when there is a tailjmp to a reloc-ed imported function, the analysis thinks the stub reloc target constructed by the ELF loader in https://github.com/rizinorg/rizin/blob/c17a23a9139be19283d288b02cb328c6939fab6d/librz/bin/p/bin_elf.inc#L768 and used for targets in https://github.com/rizinorg/rizin/blob/c17a23a9139be19283d288b02cb328c6939fab6d/librz/bin/p/bin_elf.inc#L625 which just consists of 0s, is actual code and continues to analyze there.See for example the function at
0x000071e0
afteraaa
inbins/elf/ls
:All blocks starting with
0x23de8
are garbage. Note how it even thinks this is a switch.One way to tell the analysis to stop continuing there would be to have actual
RzAnalysisFunction
s at the reloc targets, marked specifically as stubs.