rizinorg / rz-ghidra

Deep ghidra decompiler and sleigh disassembler integration for rizin
GNU Lesser General Public License v3.0

Tailjmps to reloc targets are decompiled until infinity #312

Open dmknght opened 1 year ago

dmknght commented 1 year ago

Linux kernel modules have no ret in functions. Rizin is able to detect them. However, the decompiler fails to parse the data of each function, causing a very long function in the decompiler widget which is totally wrong, or causing the decompile to time out.

Steps to reproduce (with Cutter):

  1. Open kernel module (soundcore.ko in this very case)
  2. Show the function sym.register_sound_dsp
  3. See the wrong output in decompiler widget

Screenshots

  1. List of functions (screenshot)
  2. Function in Graph widget (screenshot)
  3. Function in Decompiler widget (screenshot)

The function sym.register_sound_special is even worse (screenshots).

Clicking on .text.unlikely makes the Decompiler show a totally wrong function for the function name (screenshot).

The output is the same in rizin, so the problem is the ghidra plugin (screenshot).

Another issue relates to #229. sym.register_sound_dsp showed that the function __fentry__ is called. However, the Decompiler widget failed to show the function name (screenshots).

Tested binary issue312_ghidra_failed_to_detect_functions.zip

thestr4ng3r commented 1 year ago

Function names from reloc targets work now.

The __x86_return_thunk is handled in ghidra because it applies a flow override to the respective jmp instructions (screenshot).

There are ways to address this in rizin/rz-ghidra too, but currently none that is trivial or straightforward. As a quick and dirty workaround for this bin, you can do `e io.cache=1; wa ret @ reloc.target.__x86_return_thunk`
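The two mechanisms in the reply above, modelled as an added example (this is not rizin or rz-ghidra code, and the project does not work this way internally). Kernels and modules built with return thunks replace every `ret` with a 5-byte `jmp __x86_return_thunk`, which in a `.ko` is a `jmp rel32` with a relocation against the undefined thunk symbol, so an analyzer that only knows `ret` ends a function never sees the end. The script below builds a constructed x86-64 `.text` with two such functions and a made-up relocation table and reloc-target slot addresses, then runs a linear sweep three ways: with no fix (the sweep runs off into the unresolved slot until a limit, the over-long function from the report), with a Ghidra-style flow override that treats a `jmp` bound to a return-thunk symbol as a terminator, and with the thread's workaround of writing a `ret` at the reloc target through an `io.cache`-style overlay. The opcode table only covers the encodings the sample uses.

```python
"""Model of two ways to make a tail jump to __x86_return_thunk read as a return:
a flow override on the jmp (what Ghidra does) and a `ret` written at the reloc
target through a write cache (the `e io.cache=1; wa ret @ ...` workaround).
Added example for this issue, not rizin/rz-ghidra code; all data is constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed .text of a module built with return thunks: every `ret` is a
# 5-byte `jmp rel32` (e9) whose rel32 is 0 in the file and bound by a
# relocation to the undefined symbol __x86_return_thunk.
TEXT = bytes([
    0xE8, 0, 0, 0, 0,         # 0x00  call __fentry__          (reloc at 0x01)
    0x55,                     # 0x05  push rbp
    0x48, 0x89, 0xE5,         # 0x06  mov rbp, rsp
    0x31, 0xC0,               # 0x09  xor eax, eax
    0x5D,                     # 0x0b  pop rbp
    0xE9, 0, 0, 0, 0,         # 0x0c  jmp __x86_return_thunk   (reloc at 0x0d)
    0xE8, 0, 0, 0, 0,         # 0x11  call __fentry__          (reloc at 0x12)
    0x55,                     # 0x16  push rbp
    0xB8, 1, 0, 0, 0,         # 0x17  mov eax, 1
    0x5D,                     # 0x1c  pop rbp
    0xE9, 0, 0, 0, 0,         # 0x1d  jmp __x86_return_thunk   (reloc at 0x1e)
])
FUNC_A, FUNC_B = 0x00, 0x11
# offset of each rel32 field -> symbol it is bound to (R_X86_64_PLT32 style)
RELOCS = {0x01: "__fentry__", 0x0D: "__x86_return_thunk",
          0x12: "__fentry__", 0x1E: "__x86_return_thunk"}
# Synthetic slots standing in for rizin's reloc.target.<sym> flags; the
# addresses are an assumption of this model, not values rizin would pick.
RELOC_TARGETS = {"__fentry__": 0x1000, "__x86_return_thunk": 0x1010}
RETURN_THUNKS = {"__x86_return_thunk"}


@dataclass
class Insn:
    addr: int
    size: int
    mnem: str
    flow: str = "fall"            # fall | call | jmp | ret
    target: Optional[int] = None  # resolved branch target
    sym: Optional[str] = None     # relocation symbol, if the rel32 has one


class Image:
    """Flat address space: .text at 0, reloc-target slots in a region filled
    with int3, plus an io.cache-style overlay that shadows bytes without
    modifying the underlying file bytes."""

    def __init__(self, text, relocs, reloc_targets):
        self.mem = bytearray([0xCC]) * (max(reloc_targets.values()) + 0x100)
        self.mem[:len(text)] = text
        self.relocs, self.reloc_targets = relocs, reloc_targets
        self.cache = {}

    def byte(self, addr):
        return self.cache.get(addr, self.mem[addr])

    def read(self, addr, n):
        return bytes(self.byte(a) for a in range(addr, addr + n))

    def write_cached(self, addr, data):
        """Equivalent of `wa ...` with io.cache=1: the overlay, not the file."""
        for k, b in enumerate(data):
            self.cache[addr + k] = b


def decode(img, addr):
    b = img.byte(addr)
    if b in (0xE8, 0xE9):
        mnem = "call" if b == 0xE8 else "jmp"
        rel = struct.unpack("<i", img.read(addr + 1, 4))[0]
        sym = img.relocs.get(addr + 1)
        target = img.reloc_targets[sym] if sym else addr + 5 + rel
        return Insn(addr, 5, mnem, mnem, target, sym)
    if b == 0xC3:
        return Insn(addr, 1, "ret", "ret")
    if b == 0xCC:
        return Insn(addr, 1, "int3")
    if b == 0x55:
        return Insn(addr, 1, "push rbp")
    if b == 0x5D:
        return Insn(addr, 1, "pop rbp")
    if img.read(addr, 3) == b"\x48\x89\xe5":
        return Insn(addr, 3, "mov rbp, rsp")
    if img.read(addr, 2) == b"\x31\xc0":
        return Insn(addr, 2, "xor eax, eax")
    if b == 0xB8:
        imm = struct.unpack("<I", img.read(addr + 1, 4))[0]
        return Insn(addr, 5, f"mov eax, {imm:#x}")
    raise ValueError(f"unsupported opcode {b:#x} at {addr:#x}")


def analyze_function(img, entry, override_thunks=False, max_insns=64):
    """Linear sweep that follows unconditional jumps. Returns (insns, reason).
    Without the override, the jmp into the thunk slot keeps decoding unknown
    bytes until max_insns: the over-long function / timeout from the report."""
    insns, addr = [], entry
    while len(insns) < max_insns:
        insn = decode(img, addr)
        insns.append(insn)
        if insn.flow == "ret":
            return insns, "ret"
        if insn.flow == "jmp":
            if override_thunks and insn.sym in RETURN_THUNKS:
                return insns, "thunk-override"  # flow override: jmp acts as ret
            addr = insn.target
            continue
        addr += insn.size
    return insns, "limit"


def with_workaround(img):
    """The thread's workaround: `wa ret` at reloc.target.__x86_return_thunk via
    the cache, so following the jmp now lands on a real `ret`."""
    img.write_cached(img.reloc_targets["__x86_return_thunk"], b"\xc3")
    return img


if __name__ == "__main__":
    runs = [("no fix", Image(TEXT, RELOCS, RELOC_TARGETS), False),
            ("flow override", Image(TEXT, RELOCS, RELOC_TARGETS), True),
            ("wa ret via cache", with_workaround(Image(TEXT, RELOCS, RELOC_TARGETS)), False)]
    for label, img, ovr in runs:
        insns, why = analyze_function(img, FUNC_A, ovr)
        print(f"{label:18} {len(insns):2} insns, stop={why}, last={insns[-1].mnem}")
```

The flow-override path is the one a plugin would implement: it needs nothing but the relocation symbol on the `jmp`, so it also works on a stripped file. The cache path is what the one-liner in the reply does: the file on disk is untouched and only the overlay changes, which is why `io.cache=1` has to come first.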

dmknght commented 1 year ago

Hello! This method worked for me. Hope it will be fixed by default soon.