binaryninja-api icon indicating copy to clipboard operation
binaryninja-api copied to clipboard
verified publisher icon Vector35

Tags+Comments are misaligned in high address spaces

Open CouleeApps opened this issue 3 years ago • 1 comments

Version and Platform (required):

  • Binary Ninja Version: 3.0.3233
  • OS: macOS
  • OS Version: 12.0.1

Bug Description: When you rebase an arm64 binary to a high address space, comments and tags are shifted down one instruction. This makes them appear at the wrong address and looks confusing.

Steps To Reproduce: Please provide all steps required to reproduce the behavior:

  1. Open any arm64 binary
  2. Rebase to 0xfffffff010000000
  3. Open any function
  4. One instruction before the end of the function, Add a Bookmark
  5. Observe the bookmark tag being displayed on the following instruction
  6. Rebase to 0x7ffffff010000000
  7. Observe tag is in the correct position

Expected Behavior: I expected the tag to appear on the line I created it on. It does this when not rebased to 0xfffffff010000000

Screenshots: image

Additional Information: This might be a signedness bug since the high address space has the sign bit set? A cursory look around the code shows uint64_t used everywhere, but I wouldn't be surprised if somewhere used signed ints and broke this.

CouleeApps avatar Mar 28 '22 20:03 CouleeApps

data tags don't seem to show up in memory regions either Screen Shot 2022-07-26 at 10 17 50 AM ?

verylazyguy avatar Jul 26 '22 14:07 verylazyguy

I tried to repro this issue and actually had an even worse result: The comments and tags simply don't show up, at all, ever.

The issue is actually not because of signedness. It's because we have a heuristic for trying to determine what comments should go with which addresses in ILs that requires operating on a range of addresses and we don't handle the overflow from the addition correctly, leading to the upper bit being lost. Once that upper bit is lost, any comment or tag can never be rendered because it is guaranteed to fall outside of the range of valid addresses that has been calculated.

I have a fix for this locally by switching around the operations so they shouldn't overflow. I need to clean up all of the stuff I added from debugging all day, do a little bit of extra testing to hopefully catch any regressions, and get something on dev for this soon.

fuzyll avatar Jun 20 '23 21:06 fuzyll

This should be fixed in 3.5.4344-dev, which is live as of yesterday evening.

There's a potential here for regressions and a known issue surrounding address 0xffffffffffffffff in certain circumstances. So, please feel free to toss additional feedback into this issue and I'm happy to have it reopened if there are edge cases I didn't account for. On the few test cases I tried the changes on, however, this was fixed for comments/tags in functions.

fuzyll avatar Jun 21 '23 15:06 fuzyll

Closed this slightly prematurely. I have now fixed the bug preventing tags from showing up on data, as shown in the screenshot in the second comment. This is now working its way through CI and should be live in 45-60 minutes after this post (unless I screwed up something else, of course). Builds >= 3.5.4345-dev should include both fixes.

fuzyll avatar Jun 21 '23 16:06 fuzyll