
Outlined rep movsd instruction that clobbers existing variable causes incorrect data flow

Open D0ntPanic opened this issue 1 year ago • 0 comments

Version and Platform (required):

  • Binary Ninja Version: 4.0.4896-dev
  • OS: macOS
  • OS Version: 14.3.1
  • CPU Architecture: M3

Bug Description: This binary writes a value to offset 0x20 on the stack, then memsets the entire region, including the variable just written, to zero using a rep movsd instruction. It then returns the value at offset 0x20 on the stack. This will return zero, but Binary Ninja loses track of the data flow and says the function returns 0x20.

This bug does not occur if an actual call to memset is emitted. In that case, Binary Ninja sees the alias and prevents the data flow system from assuming the variable hasn't been clobbered.

[Screenshot attached: 2024-02-21, 2:40:06 PM]

repmovsd.zip

D0ntPanic, Feb 21 '24 20:02
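To make the data-flow point concrete, here is a toy stack-slot constant propagator that models the two behaviours the report contrasts. This is an added illustration written for this page, not Binary Ninja's analysis code: the instruction classes, the `analyse` function, the `rep_movsd_kills_slots` switch and the 0x40-byte stack layout are all constructed assumptions. With the copy modelled as a ranged write the final load resolves to 0; with it ignored, the stale 0x20 survives, which is the wrong answer described above. A third case shows that when the source bytes cannot be resolved, the slot must become unknown rather than keep its old constant.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed layout for the toy: a 0x40-byte stack region of 4-byte slots.
DWORD = 4


@dataclass
class Store:
    """mov dword [esp+offset], value"""
    offset: int
    value: int


@dataclass
class RepMovsd:
    """rep movsd with edi = esp+dst and ecx = count.

    src_dwords is what esi points at; None means the analysis cannot
    resolve the source bytes, only that the destination range is written."""
    dst: int
    count: int
    src_dwords: Optional[List[int]]


@dataclass
class Load:
    """mov eax, dword [esp+offset]; the function's return value"""
    offset: int


Op = Union[Store, RepMovsd, Load]


def analyse(ops: List[Op], rep_movsd_kills_slots: bool) -> Optional[int]:
    """Forward constant propagation over stack slots (hypothetical, simplified).

    Returns the constant the final Load resolves to, or None if unknown.
    rep_movsd_kills_slots=False reproduces the reported behaviour: the
    outlined copy is not treated as a write to the tracked slots."""
    slots: Dict[int, Optional[int]] = {}
    result: Optional[int] = None
    for op in ops:
        if isinstance(op, Store):
            slots[op.offset] = op.value
        elif isinstance(op, RepMovsd):
            if not rep_movsd_kills_slots:
                continue  # bug: constants stored earlier survive the copy
            for i in range(op.count):
                addr = op.dst + i * DWORD
                # Known source -> propagate it; unknown source -> kill the slot.
                slots[addr] = None if op.src_dwords is None else op.src_dwords[i]
        elif isinstance(op, Load):
            result = slots.get(op.offset)
    return result


# Constructed program mirroring the report: write 0x20 at [esp+0x20], zero the
# whole 0x40-byte region with rep movsd from a zeroed buffer, return [esp+0x20].
PROGRAM: List[Op] = [
    Store(offset=0x20, value=0x20),
    RepMovsd(dst=0x0, count=0x40 // DWORD, src_dwords=[0] * (0x40 // DWORD)),
    Load(offset=0x20),
]

# Same shape, but the copy's source is not a resolvable constant buffer.
PROGRAM_UNKNOWN_SRC: List[Op] = [
    Store(offset=0x20, value=0x20),
    RepMovsd(dst=0x0, count=0x40 // DWORD, src_dwords=None),
    Load(offset=0x20),
]


def buggy_result() -> Optional[int]:
    # The reported behaviour: returns 0x20 because the copy never clobbers the slot.
    return analyse(PROGRAM, rep_movsd_kills_slots=False)


def correct_result() -> Optional[int]:
    # Copy modelled as a ranged write: the slot now holds 0.
    return analyse(PROGRAM, rep_movsd_kills_slots=True)


def aliased_unknown_result() -> Optional[int]:
    # Unknown source bytes: the slot must be reported unknown, never 0x20.
    return analyse(PROGRAM_UNKNOWN_SRC, rep_movsd_kills_slots=True)


if __name__ == "__main__":
    print(hex(buggy_result()), correct_result(), aliased_unknown_result())
```

The only difference between the two runs over `PROGRAM` is whether the `rep movsd` destination range participates in the kill set of the stack slots; that is the same alias information that the `memset` call in the second scenario supplies and that the outlined instruction loses.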