binaryninja-api
binaryninja-api copied to clipboard
Vector35
Regression: memcpy returning 8 values
Version and Platform (required):
- Binary Ninja Version: 4.1.5272-dev, 3a057a87
- OS: macos
- OS Version: 14.4
- CPU Architecture: arm64
Internal binary major dine favor.
00065f34 v0_1, v1_1, v2_1, v3_1, v4_1, v5_1, v6_1, v7_1 = memcpy(&USER_INFO, arg1, 0x297)
'Y' on memcpy says
int64_t memcpy(int64_t arg1, int64_t arg2, uint64_t arg3)
and confirming (accept button) doesn't change anything.
This seems to be a regression as my code is all screwed up now
0006815c int64_t* DjiError_GetErrorMsgElements(int64_t arg1, int128_t arg2 @ v0, int128_t arg3 @ v1, int128_t arg4 @ v2,
0006815c int128_t arg5 @ v3, int128_t arg6 @ v4, int128_t arg7 @ v5, int128_t arg8 @ v6, int128_t arg9 @ v7, int64_t* arg10 @ x8)
00068178 int64_t var_28_1
00068178 __builtin_memset(&var_28_1, 0, 0x20)
0006818c void* var_10
0006818c int64_t x0_1
0006818c int128_t v0
0006818c int128_t v1
0006818c int128_t v2
0006818c int128_t v3
0006818c int128_t v4
0006818c int128_t v5
0006818c int128_t v6
0006818c int128_t v7
0006818c x0_1, v0, v1, v2, v3, v4, v5, v6, v7 = DjiError_SearchObject(arg1, &var_10, arg2, arg3, arg4, arg5, arg6, arg7, arg8, arg9)
000681a4 uint32_t x0_6 = zx.d(DjiError_IsSuccess(x0_1) ^ 1)
000681ac int128_t v0_1
000681ac int128_t v1_1
000681ac int128_t v2_1
000681ac int128_t v3_1
000681ac int128_t v4_1
000681ac int128_t v5_1
000681ac int128_t v6_1
000681ac int128_t v7_1
000681ac if (x0_6 != 0)
going back to BN version 4.0.4958, ddff9339 fixes things, although this function is blacklisted from auto-analysis.
0006815c struct ErrObj* DjiError_GetErrorMsgElements(int64_t err_code, struct ErrDesc* err_desc @ x8)
00068178 char* description
00068178 __builtin_memset(s: &description, c: 0, n: 0x20)
000681a4 struct ErrObj* err_obj
000681a4 uint32_t err = zx.d(DjiError_IsSuccess(DjiError_SearchObject(err_code, err_obj: &err_obj)) ^ 1)
000681ac if (err != 0)
000681d8 DjiLogger_Output("errno", 0, "[%s:%d) Search error object fail…", "DjiError_GetErrorMsgElements", 0x55)
000681ec if (err == 0 && err_obj->description == 0)
00068218 DjiLogger_Output("errno", 0, "[%s:%d) Error description is nul…", "DjiError_GetErrorMsgElements", 0x5a)
000681ec if (err != 0 || (err == 0 && err_obj->description == 0))
000682b0 DjiLogger_Output("errno", 0, "[%s:%d) Print error message fail…", "DjiError_GetErrorMsgElements", 0x66, err_code)
000681ec char* suggestion_1
000681ec char* recovery_1
000681ec if (err == 0 && err_obj->description != 0)
00068228 description = err_obj->description
00068238 char* suggestion
00068238 if (err_obj->recovery == 0)
00068250 suggestion = &ERR_EMPTY
00068238 else
00068244 suggestion = ERR_SUGGESTION
00068254 suggestion_1 = suggestion
00068264 char* recovery
00068264 if (err_obj->recovery == 0)
00068278 recovery = &ERR_EMPTY
00068264 else
0006826c recovery = err_obj->recovery
0006827c recovery_1 = recovery
000682c0 err_desc->description = description
000682c0 err_desc->suggestion = suggestion_1
000682c8 err_desc->recovery = recovery_1
000682d8 return err_desc
Partial disassembly around memcpy from the stable BN version
00065eb0 T_DjiReturnCode DjiCore_Init(struct T_DjiUserInfo* userInfo)
00065eb0 ff830dd1 sub sp, sp, #0x360
00065eb4 fd7bbea9 stp x29, x30, [sp, #-0x20]! {__saved_x29} {__saved_x30}
00065eb8 fd030091 mov x29, sp {__saved_x29}
00065ebc f35301a9 stp x19, x20, [sp, #0x10] {__saved_x19} {__saved_x20}
00065ec0 ff4300d1 sub sp, sp, #0x10
00065ec4 a06701f9 str x0, [x29, #0x2c8 {var_b8}]
00065ec8 36970094 bl DjiPlatform_GetOsalHandler
00065ecc a0bf01f9 str x0, [x29, #0x378 {var_8}]
00065ed0 bf5303b9 str wzr, [x29, #0x350 {var_30}] {0x0}
00065ed4 a06741f9 ldr x0, [x29, #0x2c8 {var_b8}]
00065ed8 1f0000f1 cmp x0, #0
00065edc c1010054 b.ne 0x65f14
00065ee0 60060090 adrp x0, 0x131000
00065ee4 02802491 add x2, x0, #0x920 {__FUNCTION__.7007, "DjiCore_Init"}
00065ee8 60060090 adrp x0, 0x131000
00065eec 01e00a91 add x1, x0, #0x2b8 {data_1312b8, "[%s:%d) *userInfo is NULL."}
00065ef0 60060090 adrp x0, 0x131000
00065ef4 00600b91 add x0, x0, #0x2d8 {data_1312d8, "core"}
00065ef8 e4088052 mov w4, #0x47
00065efc e30302aa mov x3, x2 {__FUNCTION__.7007, "DjiCore_Init"}
00065f00 e20301aa mov x2, x1 {data_1312b8, "[%s:%d) *userInfo is NULL."}
00065f04 01008052 mov w1, #0
00065f08 fd6d0094 bl DjiLogger_Output
00065f0c 601c80d2 mov x0, #0xe3
00065f10 4a020014 b 0x66838
00065f14 201100d0 adrp x0, 0x28b000
00065f18 01601491 add x1, x0, #0x518 {USER_INFO}
00065f1c a06741f9 ldr x0, [x29, #0x2c8 {var_b8}]
00065f20 e30301aa mov x3, x1 {USER_INFO}
00065f24 e10300aa mov x1, x0
00065f28 e05280d2 mov x0, #0x297
00065f2c e20300aa mov x2, x0 {0x297}
00065f30 e00303aa mov x0, x3 {USER_INFO}
00065f34 83b1fe97 bl memcpy
00065f38 60060090 adrp x0, 0x131000
00065f3c 00802491 add x0, x0, #0x920 {__FUNCTION__.7007, "DjiCore_Init"}
00065f40 81098052 mov w1, #0x4c
00065f44 0b050094 bl DjiDataBuriedPoint_ApiHitRecord
00065f48 a0bf41f9 ldr x0, [x29, #0x378 {var_8}]
00065f4c 1f0000f1 cmp x0, #0
00065f50 c1010054 b.ne 0x65f88
00065f54 60060090 adrp x0, 0x131000
00065f58 02802491 add x2, x0, #0x920 {__FUNCTION__.7007, "DjiCore_Init"}
00065f5c 60060090 adrp x0, 0x131000
00065f60 01800b91 add x1, x0, #0x2e0 {data_1312e0, "[%s:%d) OsalHandler is NULL.Prob…"}
00065f64 60060090 adrp x0, 0x131000
00065f68 00600b91 add x0, x0, #0x2d8 {data_1312d8, "core"}
00065f6c 240a8052 mov w4, #0x51
00065f70 e30302aa mov x3, x2 {__FUNCTION__.7007, "DjiCore_Init"}
00065f74 e20301aa mov x2, x1 {data_1312e0, "[%s:%d) OsalHandler is NULL.Prob…"}
00065f78 01008052 mov w1, #0
00065f7c e06d0094 bl DjiLogger_Output
00065f80 801d80d2 mov x0, #0xec
00065f84 2d020014 b 0x66838
The dev version
00065eb0 T_DjiReturnCode DjiCore_Init(struct T_DjiUserInfo* userInfo)
00065eb0 ff830dd1 sub sp, sp, #0x360
00065eb4 fd7bbea9 stp x29, x30, [sp, #-0x20]! {__saved_x29} {__saved_x30}
00065eb8 fd030091 mov x29, sp {__saved_x29}
00065ebc f35301a9 stp x19, x20, [sp, #0x10] {__saved_x19} {__saved_x20}
00065ec0 ff4300d1 sub sp, sp, #0x10
00065ec4 a06701f9 str x0, [x29, #0x2c8 {var_b8}]
00065ec8 36970094 bl DjiPlatform_GetOsalHandler
00065ecc a0bf01f9 str x0, [x29, #0x378 {var_8}]
00065ed0 bf5303b9 str wzr, [x29, #0x350 {var_30}] {0x0}
00065ed4 a06741f9 ldr x0, [x29, #0x2c8 {var_b8}]
00065ed8 1f0000f1 cmp x0, #0
00065edc c1010054 b.ne 0x65f14
00065ee0 60060090 adrp x0, 0x131000
00065ee4 02802491 add x2, x0, #0x920
00065ee8 60060090 adrp x0, 0x131000
00065eec 01e00a91 add x1, x0, #0x2b8
00065ef0 60060090 adrp x0, 0x131000
00065ef4 00600b91 add x0, x0, #0x2d8 {data_1312d8, "core"}
00065ef8 e4088052 mov w4, #0x47
00065efc e30302aa mov x3, x2 {__FUNCTION__.7007, "DjiCore_Init"}
00065f00 e20301aa mov x2, x1 {data_1312b8, "[%s:%d) *userInfo is NULL."}
00065f04 01008052 mov w1, #0
00065f08 fd6d0094 bl DjiLogger_Output
00065f0c 601c80d2 mov x0, #0xe3
00065f10 4a020014 b 0x66838
00065f14 201100d0 adrp x0, 0x28b000
00065f18 01601491 add x1, x0, #0x518
00065f1c a06741f9 ldr x0, [x29, #0x2c8 {var_b8}]
00065f20 e30301aa mov x3, x1
00065f24 e10300aa mov x1, x0
00065f28 e05280d2 mov x0, #0x297
00065f2c e20300aa mov x2, x0 {0x297}
00065f30 e00303aa mov x0, x3 {USER_INFO}
00065f34 83b1fe97 bl memcpy
00065f38 60060090 adrp x0, 0x131000
00065f3c 00802491 add x0, x0, #0x920 {__FUNCTION__.7007, "DjiCore_Init"}
00065f40 81098052 mov w1, #0x4c
00065f44 0b050094 bl DjiDataBuriedPoint_ApiHitRecord
00065f48 a0bf41f9 ldr x0, [x29, #0x378 {var_8}]
00065f4c 1f0000f1 cmp x0, #0
00065f50 c1010054 b.ne 0x65f88
Problem is, I don't see the issue now. I saved the database before switching from stable to dev and the listing looks fine now.
You may be able to reproduce this with the database I sent you yesterday.
One quick fix for this would be to go to the PLT entry and edit the function and remove the "Clobbered Registers"
I will keep this in mind, thanks!
How do I go to the PLT entry, though?
Filter in the symbol list for "memcpy" and look for the one inside the .plt section (might have to make the symbo list pane wider to see that table column)
Loading the provided database in the latest dev shows the old (correct) behavior. The regression was fixed at some point in the last couple months.
