yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-05 19:42:36 +02:00
Code Issues Releases Wiki Activity

GP-4666 Fix for deindirect with multiple output pieces

Browse source
This commit is contained in:
caheckman 2024-06-11 18:09:47 +00:00
parent e6112ce481
commit ad3210bd1c
4 changed files with 164 additions and 107 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Ghidra/Features/Decompiler/certification.manifest
View file

@ -18,6 +18,7 @@ src/decompile/datatests/condmulti.xml||GHIDRA||||END|
src/decompile/datatests/convert.xml||GHIDRA||||END| src/decompile/datatests/convert.xml||GHIDRA||||END|
src/decompile/datatests/deadvolatile.xml||GHIDRA||||END| src/decompile/datatests/deadvolatile.xml||GHIDRA||||END|
src/decompile/datatests/deindirect.xml||GHIDRA||||END| src/decompile/datatests/deindirect.xml||GHIDRA||||END|
src/decompile/datatests/deindirect2.xml||GHIDRA||||END|
src/decompile/datatests/displayformat.xml||GHIDRA||||END| src/decompile/datatests/displayformat.xml||GHIDRA||||END|
src/decompile/datatests/divopt.xml||GHIDRA||||END| src/decompile/datatests/divopt.xml||GHIDRA||||END|
src/decompile/datatests/dupptr.xml||GHIDRA||||END| src/decompile/datatests/dupptr.xml||GHIDRA||||END|

234
Ghidra/Features/Decompiler/src/decompile/cpp/fspec.cc
View file

@ -4984,38 +4984,37 @@ int4 FuncCallSpecs::transferLockedInputParam(ProtoParameter *param)
return 0; return 0;
} }
/// Return the p-code op whose output Varnode corresponds to the given parameter (return value) /// \brief Return any outputs of \b this CALL that contain or are contained by the given return value parameter
/// ///
/// The Varnode may be attached to the base CALL or CALLIND, but it also may be /// The output Varnodes may be attached to the base CALL or CALLIND, but also may be
/// attached to an INDIRECT preceding the CALL. The output Varnode may not exactly match /// attached to an INDIRECT preceding the CALL. The output Varnodes may not exactly match
/// the dimensions of the given parameter. We return non-null if either: /// the dimensions of the given parameter. We pass back a Varnode if either:
/// - The parameter contains the Varnode (the easier case) OR if /// - The parameter contains the Varnode (the easier case) OR if
/// - The Varnode properly contains the parameter /// - The Varnode properly contains the parameter
/// \param param is the given paramter (return value) /// \param param is the given paramter (return value)
/// \param newoutput will hold any overlapping output Varnodes
/// \return the matching PcodeOp or NULL /// \return the matching PcodeOp or NULL
PcodeOp *FuncCallSpecs::transferLockedOutputParam(ProtoParameter *param) void FuncCallSpecs::transferLockedOutputParam(ProtoParameter *param,vector<Varnode *> &newoutput)
{ {
Varnode *vn = op->getOut(); Varnode *vn = op->getOut();
if (vn != (Varnode *)0) { if (vn != (Varnode *)0) {
if (param->getAddress().justifiedContain(param->getSize(),vn->getAddr(),vn->getSize(),false)==0) if (param->getAddress().justifiedContain(param->getSize(),vn->getAddr(),vn->getSize(),false)>=0)
return op; newoutput.push_back(vn);
if (vn->getAddr().justifiedContain(vn->getSize(),param->getAddress(),param->getSize(),false)==0) else if (vn->getAddr().justifiedContain(vn->getSize(),param->getAddress(),param->getSize(),false)>=0)
return op; newoutput.push_back(vn);
return (PcodeOp *)0;
} }
PcodeOp *indop = op->previousOp(); PcodeOp *indop = op->previousOp();
while((indop!=(PcodeOp *)0)&&(indop->code()==CPUI_INDIRECT)) { while((indop!=(PcodeOp *)0)&&(indop->code()==CPUI_INDIRECT)) {
if (indop->isIndirectCreation()) { if (indop->isIndirectCreation()) {
vn = indop->getOut(); vn = indop->getOut();
if (param->getAddress().justifiedContain(param->getSize(),vn->getAddr(),vn->getSize(),false)==0) if (param->getAddress().justifiedContain(param->getSize(),vn->getAddr(),vn->getSize(),false)>=0)
return indop; newoutput.push_back(vn);
if (vn->getAddr().justifiedContain(vn->getSize(),param->getAddress(),param->getSize(),false)==0) else if (vn->getAddr().justifiedContain(vn->getSize(),param->getAddress(),param->getSize(),false)>=0)
return indop; newoutput.push_back(vn);
} }
indop = indop->previousOp(); indop = indop->previousOp();
} }
return (PcodeOp *)0;
} }
/// \brief List and/or create a Varnode for each input parameter of matching a source prototype /// \brief List and/or create a Varnode for each input parameter of matching a source prototype
@ -5057,19 +5056,14 @@ bool FuncCallSpecs::transferLockedInput(vector<Varnode *> &newinput,const FuncPr
/// \param newoutput will hold the passed back Varnode /// \param newoutput will hold the passed back Varnode
/// \param source is the source prototype /// \param source is the source prototype
/// \return \b true if the passed back value is accurate /// \return \b true if the passed back value is accurate
bool FuncCallSpecs::transferLockedOutput(Varnode *&newoutput,const FuncProto &source) bool FuncCallSpecs::transferLockedOutput(vector<Varnode *> &newoutput,const FuncProto &source)
{ {
ProtoParameter *param = source.getOutput(); ProtoParameter *param = source.getOutput();
if (param->getType()->getMetatype() == TYPE_VOID) { if (param->getType()->getMetatype() == TYPE_VOID) {
newoutput = (Varnode *)0;
return true; return true;
} }
PcodeOp *outop = transferLockedOutputParam(param); transferLockedOutputParam(param,newoutput);
if (outop == (PcodeOp *)0)
newoutput = (Varnode *)0;
else
newoutput = outop->getOut();
return true; return true;
} }
@ -5126,103 +5120,136 @@ void FuncCallSpecs::commitNewInputs(Funcdata &data,vector<Varnode *> &newinput)
/// \brief Update output Varnode to \b this CALL to reflect the formal return value /// \brief Update output Varnode to \b this CALL to reflect the formal return value
/// ///
/// The current return value must be locked and is presumably out of date /// The current return value must be locked and is presumably out of date with the current CALL output.
/// with the current CALL output. Unless the return value is \e void, the /// Unless the return value is \e void, the output Varnode must exist and must be provided.
/// output Varnode must exist and must be provided. /// The Varnode is created/updated to reflect the return value and is set as the CALL output.
/// The Varnode is updated to reflect the return value, /// Any other intersecting outputs are updated to be either truncations or extensions of this.
/// which may involve truncating or extending. Any active trials are updated, /// Any active trials are updated,
/// and the new Varnode is set as the CALL output.
/// \param data is the calling function /// \param data is the calling function
/// \param newout is the provided old output Varnode (or NULL) /// \param newout is the list of intersecting outputs
void FuncCallSpecs::commitNewOutputs(Funcdata &data,Varnode *newout) void FuncCallSpecs::commitNewOutputs(Funcdata &data,vector<Varnode *> &newoutput)
{ {
if (!isOutputLocked()) return; if (!isOutputLocked()) return;
activeoutput.clear(); activeoutput.clear();
if (newout != (Varnode *)0) { if (!newoutput.empty()) {
ProtoParameter *param = getOutput(); ProtoParameter *param = getOutput();
// We could conceivably truncate the output to the correct size to match the parameter // We could conceivably truncate the output to the correct size to match the parameter
activeoutput.registerTrial(param->getAddress(),param->getSize()); activeoutput.registerTrial(param->getAddress(),param->getSize());
PcodeOp *indop = newout->getDef(); if (param->getSize() == 1 && param->getType()->getMetatype() == TYPE_BOOL && data.isTypeRecoveryOn())
if (newout->getSize() == 1 && param->getType()->getMetatype() == TYPE_BOOL && data.isTypeRecoveryOn())
data.opMarkCalculatedBool(op); data.opMarkCalculatedBool(op);
if (newout->getSize() == param->getSize()) { Varnode *exactMatch = (Varnode *)0;
if (indop != op) { for(int4 i=0;i<newoutput.size();++i) {
data.opUnsetOutput(indop); if (newoutput[i]->getSize() == param->getSize()) {
data.opUnlink(indop); // We know this is an indirect creation which is no longer used exactMatch = newoutput[i];
break;
}
}
Varnode *realOut;
PcodeOp *indOp;
if (exactMatch != (Varnode *)0) {
// If we have a Varnode that exactly matches param, make sure it is the output of the CALL
indOp = exactMatch->getDef();
if (op != indOp) {
// If we reach here, we know -op- must have no output // If we reach here, we know -op- must have no output
data.opSetOutput(op,newout); data.opSetOutput(op,exactMatch);
data.opUnlink(indOp); // We know this is an indirect creation which is no longer used
} }
realOut = exactMatch;
} }
else if (newout->getSize() < param->getSize()) { else {
// We know newout is properly justified within param // Otherwise, we create a Varnode matching param
if (indop != op) { data.opUnsetOutput(op);
data.opUninsert(indop); realOut = data.newVarnodeOut(param->getSize(),param->getAddress(),op);
data.opSetOpcode(indop,CPUI_SUBPIECE);
}
else {
indop = data.newOp(2,op->getAddr());
data.opSetOpcode(indop,CPUI_SUBPIECE);
data.opSetOutput(indop,newout); // Move -newout- from -op- to -indop-
}
Varnode *realout = data.newVarnodeOut(param->getSize(),param->getAddress(),op);
data.opSetInput(indop,realout,0);
data.opSetInput(indop,data.newConstant(4,0),1);
data.opInsertAfter(indop,op);
} }
else { // param->getSize() < newout->getSize()
// We know param is justified contained in newout for(int4 i=0;i<newoutput.size();++i) {
VarnodeData vardata; Varnode *oldOut = newoutput[i];
// Test whether the new prototype naturally extends its output if (oldOut == exactMatch) continue;
OpCode opc = assumedOutputExtension(param->getAddress(),param->getSize(),vardata); indOp = oldOut->getDef();
Address hiaddr = newout->getAddr(); if (indOp == op)
if (opc != CPUI_COPY) { indOp = (PcodeOp *)0;
// If -newout- looks like a natural extension of the true output type, create the extension op if (oldOut->getSize() < param->getSize()) {
if (opc == CPUI_PIECE) { // Extend based on the datatype if (indOp != (PcodeOp *)0) {
if (param->getType()->getMetatype() == TYPE_INT) data.opUninsert(indOp);
opc = CPUI_INT_SEXT; data.opSetOpcode(indOp,CPUI_SUBPIECE);
else
opc = CPUI_INT_ZEXT;
}
if (indop != op) {
data.opUninsert(indop);
data.opRemoveInput(indop,1);
data.opSetOpcode(indop,opc);
Varnode *outvn = data.newVarnodeOut(param->getSize(),param->getAddress(),op);
data.opSetInput(indop,outvn,0);
data.opInsertAfter(indop,op);
} }
else { else {
PcodeOp *extop = data.newOp(1,op->getAddr()); indOp = data.newOp(2,op->getAddr());
data.opSetOpcode(extop,opc); data.opSetOpcode(indOp,CPUI_SUBPIECE);
data.opSetOutput(extop,newout); // Move newout from -op- to -extop- data.opSetOutput(indOp,oldOut); // Move oldOut from op to indOp
Varnode *outvn = data.newVarnodeOut(param->getSize(),param->getAddress(),op);
data.opSetInput(extop,outvn,0);
data.opInsertAfter(extop,op);
} }
int4 overlap = oldOut->overlap(realOut->getAddr(),realOut->getSize());
data.opSetInput(indOp,realOut,0);
data.opSetInput(indOp,data.newConstant(4,(uintb)overlap),1);
data.opInsertAfter(indOp,op);
} }
else { // If all else fails, concatenate in extra byte from something "indirectly created" by -op- else if (param->getSize() < oldOut->getSize()) {
int4 hisz = newout->getSize() - param->getSize(); int4 overlap = oldOut->getAddr().justifiedContain(oldOut->getSize(), param->getAddress(), param->getSize(), false);
if (!newout->getAddr().getSpace()->isBigEndian()) VarnodeData vardata;
hiaddr = hiaddr + param->getSize(); // Test whether the new prototype naturally extends its output
PcodeOp *newindop = data.newIndirectCreation(op,hiaddr,hisz,true); OpCode opc = assumedOutputExtension(param->getAddress(),param->getSize(),vardata);
if (indop != op) { if (opc != CPUI_COPY && overlap == 0) {
data.opUninsert(indop); // If oldOut looks like a natural extension of the true output type, create the extension op
data.opSetOpcode(indop,CPUI_PIECE); if (opc == CPUI_PIECE) { // Extend based on the data-type
Varnode *outvn = data.newVarnodeOut(param->getSize(),param->getAddress(),op); if (param->getType()->getMetatype() == TYPE_INT)
data.opSetInput(indop,newindop->getOut(),0); opc = CPUI_INT_SEXT;
data.opSetInput(indop,outvn,1); else
data.opInsertAfter(indop,op); opc = CPUI_INT_ZEXT;
}
if (indOp != (PcodeOp *)0) {
data.opUninsert(indOp);
data.opRemoveInput(indOp,1);
data.opSetOpcode(indOp,opc);
data.opSetInput(indOp,realOut,0);
data.opInsertAfter(indOp,op);
}
else {
PcodeOp *extop = data.newOp(1,op->getAddr());
data.opSetOpcode(extop,opc);
data.opSetOutput(extop,oldOut); // Move newout from -op- to -extop-
data.opSetInput(extop,realOut,0);
data.opInsertAfter(extop,op);
}
} }
else { else { // If all else fails, concatenate in extra byte from something "indirectly created" by -op-
PcodeOp *concatop = data.newOp(2,op->getAddr()); if (indOp != (PcodeOp *)0) {
data.opSetOpcode(concatop,CPUI_PIECE); data.opUnlink(indOp);
data.opSetOutput(concatop,newout); // Move newout from -op- to -concatop- }
Varnode *outvn = data.newVarnodeOut(param->getSize(),param->getAddress(),op); int4 mostSigSize = oldOut->getSize() - overlap - realOut->getSize();
data.opSetInput(concatop,newindop->getOut(),0); PcodeOp *lastOp = op;
data.opSetInput(concatop,outvn,1); if (overlap != 0) { // We need to append less significant bytes to realOut for this oldOut
data.opInsertAfter(concatop,op); Address loAddr = oldOut->getAddr();
if (loAddr.isBigEndian())
loAddr = loAddr + (oldOut->getSize() - overlap);
PcodeOp *newIndOp = data.newIndirectCreation(op,loAddr,overlap,true);
PcodeOp *concatOp = data.newOp(2,op->getAddr());
data.opSetOpcode(concatOp,CPUI_PIECE);
data.opSetInput(concatOp,realOut,0); // Most significant part
data.opSetInput(concatOp,newIndOp->getOut(),1); // Least sig
data.opInsertAfter(concatOp,op);
if (mostSigSize != 0) {
if (loAddr.isBigEndian())
data.newVarnodeOut(overlap+realOut->getSize(),realOut->getAddr(),concatOp);
else
data.newVarnodeOut(overlap+realOut->getSize(),loAddr,concatOp);
}
lastOp = concatOp;
}
if (mostSigSize != 0) { // We need to append more significant bytes to realOut for this oldOut
Address hiAddr = oldOut->getAddr();
if (!hiAddr.isBigEndian())
hiAddr = hiAddr + (realOut->getSize() + overlap);
PcodeOp *newIndOp = data.newIndirectCreation(op,hiAddr,mostSigSize,true);
PcodeOp *concatOp = data.newOp(2,op->getAddr());
data.opSetOpcode(concatOp,CPUI_PIECE);
data.opSetInput(concatOp,newIndOp->getOut(),0);
data.opSetInput(concatOp,lastOp->getOut(),1);
data.opInsertAfter(concatOp,lastOp);
lastOp = concatOp;
}
data.opSetOutput(lastOp,oldOut); // We have completed the redefinition of this oldOut
} }
} }
} }
@ -5307,7 +5334,8 @@ void FuncCallSpecs::doInputJoin(int4 slot1,bool ishislot)
/// \param newinput will hold the new list of input Varnodes for the CALL /// \param newinput will hold the new list of input Varnodes for the CALL
/// \param newoutput will hold the new output Varnode or NULL /// \param newoutput will hold the new output Varnode or NULL
/// \return \b true if \b this can be fully converted /// \return \b true if \b this can be fully converted
bool FuncCallSpecs::lateRestriction(const FuncProto &restrictedProto,vector<Varnode *> &newinput,Varnode *&newoutput) bool FuncCallSpecs::lateRestriction(const FuncProto &restrictedProto,vector<Varnode *> &newinput,
vector<Varnode *> &newoutput)
{ {
if (!hasModel()) { if (!hasModel()) {
@ -5357,7 +5385,7 @@ void FuncCallSpecs::deindirect(Funcdata &data,Funcdata *newfd)
// Try our best to merge existing prototype // Try our best to merge existing prototype
// with the one we have just been handed // with the one we have just been handed
vector<Varnode *> newinput; vector<Varnode *> newinput;
Varnode *newoutput; vector<Varnode *> newoutput;
FuncProto &newproto( newfd->getFuncProto() ); FuncProto &newproto( newfd->getFuncProto() );
if ((!newproto.isNoReturn())&&(!newproto.isInline())) { if ((!newproto.isNoReturn())&&(!newproto.isInline())) {
if (isOverride()) // If we are overridden at the call-site if (isOverride()) // If we are overridden at the call-site
@ -5387,7 +5415,7 @@ void FuncCallSpecs::forceSet(Funcdata &data,const FuncProto &fp)
{ {
vector<Varnode *> newinput; vector<Varnode *> newinput;
Varnode *newoutput; vector<Varnode *> newoutput;
// Copy the recovered prototype into the override manager so that // Copy the recovered prototype into the override manager so that
// future restarts don't have to rediscover it // future restarts don't have to rediscover it

8
Ghidra/Features/Decompiler/src/decompile/cpp/fspec.hh
View file

@ -1657,11 +1657,11 @@ class FuncCallSpecs : public FuncProto {
Varnode *getSpacebaseRelative(void) const; ///< Get the active stack-pointer Varnode at \b this call site Varnode *getSpacebaseRelative(void) const; ///< Get the active stack-pointer Varnode at \b this call site
Varnode *buildParam(Funcdata &data,Varnode *vn,ProtoParameter *param,Varnode *stackref); Varnode *buildParam(Funcdata &data,Varnode *vn,ProtoParameter *param,Varnode *stackref);
int4 transferLockedInputParam(ProtoParameter *param); int4 transferLockedInputParam(ProtoParameter *param);
PcodeOp *transferLockedOutputParam(ProtoParameter *param); void transferLockedOutputParam(ProtoParameter *param,vector<Varnode *> &newoutput);
bool transferLockedInput(vector<Varnode *> &newinput,const FuncProto &source); bool transferLockedInput(vector<Varnode *> &newinput,const FuncProto &source);
bool transferLockedOutput(Varnode *&newoutput,const FuncProto &source); bool transferLockedOutput(vector<Varnode *> &newoutput,const FuncProto &source);
void commitNewInputs(Funcdata &data,vector<Varnode *> &newinput); void commitNewInputs(Funcdata &data,vector<Varnode *> &newinput);
void commitNewOutputs(Funcdata &data,Varnode *newout); void commitNewOutputs(Funcdata &data,vector<Varnode *> &newoutput);
void collectOutputTrialVarnodes(vector<Varnode *> &trialvn); void collectOutputTrialVarnodes(vector<Varnode *> &trialvn);
void setStackPlaceholderSlot(int4 slot) { stackPlaceholderSlot = slot; void setStackPlaceholderSlot(int4 slot) { stackPlaceholderSlot = slot;
if (isinputactive) activeinput.setPlaceholderSlot(); } ///< Set the slot of the stack-pointer placeholder if (isinputactive) activeinput.setPlaceholderSlot(); } ///< Set the slot of the stack-pointer placeholder
@ -1702,7 +1702,7 @@ public:
bool checkInputJoin(int4 slot1,bool ishislot,Varnode *vn1,Varnode *vn2) const; bool checkInputJoin(int4 slot1,bool ishislot,Varnode *vn1,Varnode *vn2) const;
void doInputJoin(int4 slot1,bool ishislot); void doInputJoin(int4 slot1,bool ishislot);
bool lateRestriction(const FuncProto &restrictedProto,vector<Varnode *> &newinput,Varnode *&newoutput); bool lateRestriction(const FuncProto &restrictedProto,vector<Varnode *> &newinput,vector<Varnode *> &newoutput);
void deindirect(Funcdata &data,Funcdata *newfd); void deindirect(Funcdata &data,Funcdata *newfd);
void forceSet(Funcdata &data,const FuncProto &fp); void forceSet(Funcdata &data,const FuncProto &fp);
void insertPcode(Funcdata &data); void insertPcode(Funcdata &data);

28
Ghidra/Features/Decompiler/src/decompile/datatests/deindirect2.xml Normal file
View file

@ -0,0 +1,28 @@
<decompilertest>
<binaryimage arch="x86:LE:64:default:gcc">
<!--
A contrived function with an indirect call that eventually collapses to a function
with an 8-byte return value. Prior to collapse, there are likely to be 2 separate
pieces being read as output from the function. After collapse these should get
concatenated and leave no shadow varnodes.
-->
<bytechunk space="ram" offset="0x100000" readonly="true">
554889e54883ec3048c7c34600100048
895de84889f94889f7488b5de8ffd348
8d59104889036631c0c3
</bytechunk>
<symbol space="ram" offset="0x100000" name="deind26"/>
<symbol space="ram" offset="0x100046" name="obtainPtr"/>
</binaryimage>
<script>
<com>parse line extern int2 deind26(int4 **ptr,char *nm);</com>
<com>parse line extern int4 *obtainPtr(char *nm);</com>
<com>lo fu deind26</com>
<com>decompile</com>
<com>print C</com>
<com>quit</com>
</script>
<stringmatch name="Deindirect Output #1" min="1" max="1">piVar1 = obtainPtr\(nm\);</stringmatch>
<stringmatch name="Deindirect Output #2" min="1" max="1">return 0;</stringmatch>
<stringmatch name="Deindirect Output #3" min="0" max="0">CONCAT</stringmatch>
</decompilertest>