
Tailjmps to reloc targets are decompiled until infinity

[Open] dmknght opened this issue 2 years ago • 2 comments

Linux Kernel Modules have no ret in functions. Rizin is able to detect them. However, the decompiler failed to parse the data of each function, causing a very long function in the decompiler widget which is totally wrong, or causing a decompile timeout.

Steps to reproduce (with Cutter)

  1. Open kernel module (soundcore.ko in this very case)
  2. Show the function sym.register_sound_dsp
  3. See the wrong output in decompiler widget

Screenshots

  1. List of functions (screenshot)
  2. Function in Graph widget (screenshot)
  3. Function in Decompiler widget (screenshot)

The function sym.register_sound_special is even worse (screenshots)

Clicking on the .text.unlikely makes the Decompiler show a totally wrong function for the function name (screenshot)

The output is the same in rizin -> the problem is the plugin ghidra (screenshot)

Another issue relates to #229. sym.register_sound_dsp showed that the function __fentry__ is called. However, the Decompiler widget failed to show the function name. (screenshots)

Tested binary: issue312_ghidra_failed_to_detect_functions.zip

dmknght avatar Jan 19 '23 12:01 dmknght

Function names from reloc targets work now.

The __x86_return_thunk is handled in ghidra because it applies a flow override to the respective jmp instructions: (screenshot: Bildschirmfoto 2023-01-20 um 13 50 49)

There are ways to address this in rizin/rz-ghidra too, but currently none that is trivial or straightforward. As a quick and dirty workaround for this bin, you can do e io.cache=1; wa ret @ reloc.target.__x86_return_thunk

thestr4ng3r avatar Jan 20 '23 12:01 thestr4ng3r
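The two mechanisms discussed above, a flow override that treats a jmp to the return thunk as a function terminator, and the wa ret workaround that patches the reloc target in an I/O cache, modelled as an added Python example. This is not rizin, rz-ghidra or ghidra code and not from the thread's participants: the instruction stream, the address 0x2000 for the reloc target, and the simple linear analyser are constructed for illustration; only the flag name reloc.target.__x86_return_thunk and the symbol names are taken from the thread.

```python
# Added example (not rz-ghidra/rizin code): why a Linux kernel module whose
# epilogues end in `jmp __x86_return_thunk` instead of `ret` confuses a naive
# analyser, and how a flow override or the `wa ret` patch fixes it.
from dataclasses import dataclass

THUNK = "reloc.target.__x86_return_thunk"   # flag name as it appears in the thread
THUNK_ADDR = 0x2000                          # constructed address for that flag
SYMBOLS = {THUNK: THUNK_ADDR}                # constructed symbol table


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    operand: str = ""


def constructed_text():
    """Constructed instruction stream (not taken from soundcore.ko):
    a module function whose epilogue tail-jumps to the return thunk, the
    following function, and the reloc target region, which holds only zero
    bytes (x86 decodes 00 00 as `add byte [rax], al`)."""
    return [
        Insn(0x1000, "call", "sym.imp.__fentry__"),
        Insn(0x1005, "mov", "edi, 3"),
        Insn(0x100a, "call", "sym.register_sound_special"),
        Insn(0x100f, "jmp", THUNK),            # epilogue: tail jump, no `ret`
        Insn(0x1014, "push", "rbp"),           # next function starts here
        Insn(0x1015, "pop", "rbp"),
        Insn(0x1016, "jmp", THUNK),
        Insn(THUNK_ADDR, "add", "byte [rax], al"),
        Insn(THUNK_ADDR + 2, "add", "byte [rax], al"),
        Insn(THUNK_ADDR + 4, "add", "byte [rax], al"),
    ]


def walk_function(text, start, return_thunks=frozenset()):
    """Follow control flow from `start` like a simple linear analyser:
    - `ret` ends the function;
    - a `jmp` to a name listed in `return_thunks` is treated as a return
      (the flow override ghidra applies to those jmp instructions);
    - any other `jmp` to a known symbol is followed; otherwise fall through.
    Returns the list of instruction addresses attributed to the function."""
    by_addr = {i.addr: i for i in text}
    order = sorted(by_addr)
    body, cur, seen = [], start, set()
    while cur in by_addr and cur not in seen:
        seen.add(cur)
        insn = by_addr[cur]
        body.append(cur)
        if insn.mnemonic == "ret":
            break
        if insn.mnemonic == "jmp":
            if insn.operand in return_thunks:
                break                          # flow override: jmp acts as ret
            cur = SYMBOLS.get(insn.operand)    # follow the jump into the thunk
            if cur is None:
                break
            continue
        idx = order.index(cur)                 # fall through to next instruction
        cur = order[idx + 1] if idx + 1 < len(order) else None
    return body


def apply_wa_ret_workaround(text):
    """Model of `e io.cache=1; wa ret @ reloc.target.__x86_return_thunk`:
    the first instruction at the reloc target becomes `ret`, in a cache
    layer only, so the file on disk is untouched."""
    return [Insn(i.addr, "ret") if i.addr == THUNK_ADDR else i for i in text]


if __name__ == "__main__":
    text = constructed_text()
    # Without override or patch the walk follows the jmp into the zero-filled
    # reloc region and keeps going: the "very long function" from the report.
    print([hex(a) for a in walk_function(text, 0x1000)])
    # Flow override: the jmp to the thunk terminates the function.
    print([hex(a) for a in walk_function(text, 0x1000, {THUNK})])
    # Workaround: the patched `ret` at the thunk stops the walk there.
    print([hex(a) for a in walk_function(apply_wa_ret_workaround(text), 0x1000)])
```

The first walk shows the failure mode: the analyser lands in the reloc target region and consumes everything after it, which in a real module means running into neighbouring functions or data. The override stops at the jmp itself, while the patch approach stops one instruction later, inside the thunk; both yield a sane function boundary, and the patch has the advantage of needing no analyser changes, at the cost of living only in the I/O cache.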

Hello! This method worked for me. Hope it will be fixed by default soon.

dmknght avatar Feb 03 '23 19:02 dmknght