
[Restructuring] Side effects

Open ebehner opened this issue 3 years ago • 2 comments

What happened?

When we restructure a CFG into an AST, we transform each condition into a symbol. Now, each node of a region gets its reaching condition assigned, thus a reaching condition can occur multiple times.

Consider the following example: rc-Problem-126

The output is incorrect because the value of a changes and afterward we have a check with the old value.

A correct output would, for example, be:

cond_b1 = (a == 0);
if(cond_b1){
    a = 1;
}
if(! cond_b1 && b < 10){
    b = b*a;
}else{
    b = b-a;
}
return b;

How to reproduce?

A binary where this problem also occurs is test_switch.zip test18. The C-code is:

#include <stdio.h>

int test18()
{
    int week;
    // Non-sequential case constants

    /* Input week number from user */
    printf("Enter week number(1-7): ");
    scanf("%d", &week);

    switch(week)
    {
        case 1:
            printf("Monday");
            week += 500;
        case 12:
            printf("Tuesday");
            break;
        case 500:
            printf("Friday");
            // break;
        default:
            printf("Invalid input! Please enter week number between 1-7.");
    }
    printf("the number is %d", week);
    return 0;
}

and the output is:

int test18() {
    int var_0;
    int * var_1;
    printf("Enter week number(1-7): ");
    var_1 = &var_0;
    __isoc99_scanf(0x804c025, var_1);
    switch(var_0) {
    case 1:
        printf("Monday");
        var_0 += 0x1f4; // <-------- var_0 is changed here, but the old value should be used for the comparison in the if-statement
        break;
    case 0x1f4:
        printf("Friday");
        break;
    }
    if ((var_0 != 1) && (var_0 != 12)) { // <----------- If var_0 was 1 when reaching the switch, it is now != 1
        printf("Invalid input! Please enter week number between 1-7.");
    }
    else {
        printf("Tuesday");
    }
    printf("the number is %d", var_0);
    return 0;
}

When entering the number 1, the function prints "Monday", "Tuesday", and "the number is 501". But the decompiled function, with input 1, prints "Monday", "Invalid input! Please enter week number between 1-7.", and "the number is 501".

Affected Binary Ninja Version(s)

Version 2.4.2846

ebehner avatar Jan 12 '22 15:01 ebehner
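The a/b region from the issue, as an added example that is not dewolf's code: a toy region language with a small interpreter, a pass that materialises each atomic comparison reading a variable the region later writes into a cond_bN symbol at region entry (the page's proposed shape of output), and the naive region with inline conditions so the two results can be compared. The statement/expression encoding, the function names and the symbol naming are assumptions of this example; it hoists `a != 0` as its own symbol rather than recognising it as `!cond_b1`.

```python
# Constructed toy region language, not dewolf's AST. Statements are
#   ("assign", var, expr) | ("if", cond, then_stmts, else_stmts) | ("return", expr)
# and expressions are an int literal, a variable name, or (op, lhs, rhs).
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       "&&": lambda a, b: a and b, "*": lambda a, b: a * b, "-": lambda a, b: a - b}

def ev(expr, env):
    if isinstance(expr, int): return expr
    if isinstance(expr, str): return env[expr]
    return OPS[expr[0]](ev(expr[1], env), ev(expr[2], env))

def run(stmts, env):
    """Execute the region against a mutable env; returns the 'return' value."""
    for s in stmts:
        if s[0] == "assign":
            env[s[1]] = ev(s[2], env)
        elif s[0] == "if":
            r = run(s[2] if ev(s[1], env) else s[3], env)
            if r is not None: return r
        else:
            return ev(s[1], env)

def written(stmts):
    """Variables the region assigns, i.e. the side effects to guard against."""
    out = set()
    for s in stmts:
        if s[0] == "assign": out.add(s[1])
        elif s[0] == "if": out |= written(s[2]) | written(s[3])
    return out

def uses(expr):
    if isinstance(expr, str): return {expr}
    return uses(expr[1]) | uses(expr[2]) if isinstance(expr, tuple) else set()

def hoist_conditions(stmts):
    """Evaluate each atomic comparison that reads a variable the region writes into
    a cond_bN symbol once at region entry, and use the symbol at every later site."""
    clobbered, syms, prologue = written(stmts), {}, []
    def sub(expr):
        if isinstance(expr, tuple) and expr[0] in ("==", "!=", "<") and uses(expr) & clobbered:
            if expr not in syms:
                syms[expr] = f"cond_b{len(syms) + 1}"
                prologue.append(("assign", syms[expr], expr))
            return syms[expr]
        return (expr[0], sub(expr[1]), sub(expr[2])) if isinstance(expr, tuple) else expr
    body = [("if", sub(s[1]), s[2], s[3]) if s[0] == "if" else s for s in stmts]
    return prologue + body

# The issue's a/b region with conditions left inline: the first 'if' overwrites a,
# so the second condition is evaluated against the new value (the reported bug).
NAIVE = [("if", ("==", "a", 0), [("assign", "a", 1)], []),
         ("if", ("&&", ("!=", "a", 0), ("<", "b", 10)),
          [("assign", "b", ("*", "b", "a"))], [("assign", "b", ("-", "b", "a"))]),
         ("return", "b")]
```

With entry values a = 0, b = 5 the inline version returns 5 (it takes the `b*a` branch after a became 1) while the hoisted version returns 4, the value the original control flow produces.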

/cib

ebehner avatar Jul 04 '22 11:07 ebehner