
Analysis fails to identify the correct amount of function arguments

Open 0xricksanchez opened this issue 1 year ago • 2 comments

Version and Platform (required):

  • Binary Ninja Version: 4.2.5828-dev
  • OS: Arch Linux
  • CPU Architecture: x64

Bug Description: Analysis of the mentioned aarch64 binary fails to properly resolve the correct number of function arguments for certain functions

Steps To Reproduce:

  1. Check out #5809 for initial context (@xusheng6 knows the details, sorry for ping :D)
  2. Grab the first attached binary libckteec.so from the linked issue
  3. Navigate to ckteec_invoke_ta
  4. Find TEEC_InvokeCommand and observe the function call in MLIL and higher lifted variants → (compare 1st screenshot)

Another instance where there are too many function arguments:

  1. Same binary
  2. Navigate to ckteec_invoke_init
  3. Find TEEC_InvokeCommand again → (compare 2nd screenshot)

Expected Behavior:

Based on the OPTEE client impl the function should look like this:

TEEC_Result TEEC_InvokeCommand(TEEC_Session* session, uint32_t commandID, TEEC_Operation* operation, uint32_t* returnOrigin)

Screenshots/Video Recording: (two screenshots attached to the issue, not reproduced here)

Additional Information: Related issue that contains the binary that I was testing with: #5809

The linked issue (also reported by me) was dealing with some functions not properly propagating function arguments even if the registers are clearly setting them up, especially for external functions, as it seemed. After the merged fix, this new behavior was observed on the same binary.

0xricksanchez avatar Aug 06 '24 06:08 0xricksanchez

I have a similar issue with symbols containing debug information. Particularly with C++ functions that are non-static. For example, the following is supposed to have a this pointer, but because the symbol has no arguments, it assumes no arguments. I'm not sure if this is a different issue, I think it's the same underlying problem. I think the analyser should use this as a guide and not as definitive information.

(screenshot attached to the comment, not reproduced here)

VisualEhrmanntraut avatar Aug 09 '24 15:08 VisualEhrmanntraut
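Both reports above come down to the same practical problem: the inferred parameter list of a function is wrong, and the analysis result should be treated as a guess to be overridden rather than as ground truth. The script below is an added example, not code from the binaryninja-api project or from either commenter. It does two things: it derives from a C prototype which AAPCS64 registers a caller must populate (so the MLIL call can be checked against the instructions that set up x0/w1/x2/x3 before the bl), and it forces the intended prototype onto the function as a user type through the Binary Ninja Python API. Assumptions: the TEEC_InvokeCommand prototype is the one quoted in the issue; the TEEC_Session and TEEC_Operation structs are constructed placeholders (the real layouts live in OP-TEE's tee_client_api.h); Widget_reset is a hypothetical stand-in for the unnamed C++ method in the second comment, declared as a C function with an explicit object pointer as first parameter; BinaryView.parse_types_from_string is assumed to return dicts of QualifiedName to Type under .types and .functions, and the import is assumed to show up under get_functions_by_name (its PLT stub).

```python
"""Cross-check and override Binary Ninja's inferred parameter list.

Added example (not binaryninja-api project code). Assumes Binary Ninja's
Python API is importable when run inside Binary Ninja or its Python env;
the register helper below runs anywhere.
"""
import re
import sys

try:
    import binaryninja  # only present inside Binary Ninja / its Python env
except ImportError:
    binaryninja = None

# Prototype exactly as quoted in the issue (from the OP-TEE client API).
TEEC_INVOKE_DECL = (
    "TEEC_Result TEEC_InvokeCommand(TEEC_Session* session, uint32_t commandID, "
    "TEEC_Operation* operation, uint32_t* returnOrigin)"
)

# Hypothetical stand-in for the C++ method whose debug symbol carries no
# parameters: declared as a C function with the object pointer spelled out.
WIDGET_RESET_DECL = "int Widget_reset(struct Widget *self, int flags)"

# Declarations fed to Binary Ninja's C type parser. The struct bodies are
# constructed placeholders so the pointer types resolve; they are NOT the
# real OP-TEE layouts (see tee_client_api.h for those).
USER_DECLS = """
typedef uint32_t TEEC_Result;
struct TEEC_Session { uint32_t placeholder; };
struct TEEC_Operation { uint32_t placeholder; };
struct Widget { uint32_t placeholder; };
TEEC_Result TEEC_InvokeCommand(struct TEEC_Session *session, uint32_t commandID,
                               struct TEEC_Operation *operation,
                               uint32_t *returnOrigin);
int Widget_reset(struct Widget *self, int flags);
"""

_WIDE = re.compile(r"\b(u?int64_t|long|size_t|uintptr_t)\b")


def prototype_params(decl):
    """Split a C prototype into (function name, [parameter declarations])."""
    head, _, rest = decl.partition("(")
    params_src = rest.rsplit(")", 1)[0]
    name = re.findall(r"\w+", head)[-1]
    params = [p.strip() for p in params_src.split(",") if p.strip()]
    if params == ["void"]:
        params = []
    return name, params


def aapcs64_registers(params):
    """Map integer-class parameters to AAPCS64 argument registers.

    Pointers and 64-bit integers land in x0..x7, 32-bit integers are the
    w views of the same registers; the ninth and later go on the stack.
    """
    regs = []
    for i, p in enumerate(params):
        if i >= 8:
            regs.append("stack")
            continue
        wide = "*" in p or _WIDE.search(p) is not None
        regs.append(f"{'x' if wide else 'w'}{i}")
    return regs


def registers_for(decl):
    """Return [(param name, register)] to compare against the call site setup."""
    _, params = prototype_params(decl)
    names = [re.findall(r"\w+", p)[-1] for p in params]
    return list(zip(names, aapcs64_registers(params)))


def apply_prototypes(bv, decls=USER_DECLS):
    """Define the declared types and force each prototype onto every function
    carrying that name (for an import this is the PLT stub), as a user type
    that analysis will not overwrite. Returns the names that were applied."""
    result = bv.parse_types_from_string(decls)
    for name, t in result.types.items():
        bv.define_user_type(name, t)
    applied = []
    for name, ftype in result.functions.items():
        for func in bv.get_functions_by_name(str(name)):
            func.type = ftype
            applied.append(str(name))
    bv.update_analysis_and_wait()
    return applied


if __name__ == "__main__":
    # Registers a caller of TEEC_InvokeCommand must set before the bl.
    for param, reg in registers_for(TEEC_INVOKE_DECL):
        print(f"{reg:<5} {param}")
    if binaryninja is not None and len(sys.argv) > 1:
        with binaryninja.load(sys.argv[1]) as bv:
            print("applied prototypes to:", apply_prototypes(bv))
```

Run it with the path to libckteec.so as the first argument inside Binary Ninja's Python environment; after the override, the call in ckteec_invoke_ta and ckteec_invoke_init lifts with four arguments regardless of what the analysis inferred. Outside Binary Ninja the script only prints the expected register assignment (x0, w1, x2, x3), which is the quickest manual check against the disassembly when a call looks under- or over-parameterized.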

Recovering function arguments is a fundamentally undecidable problem so there are bound to be errors especially in regard to un-typed external calls. That said there are likely ways we can improve our analysis to provide more accurate parameter recovery. We are unlikely to address this in the short term.

plafosse avatar Aug 30 '24 16:08 plafosse