Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Indexing into arrays in structures with multiple structure members may target the wrong member array #6450

Open
galenbwill opened this issue Feb 25, 2025 · 0 comments
Open

Indexing into arrays in structures with multiple structure members may target the wrong member array #6450

galenbwill opened this issue Feb 25, 2025 · 0 comments
Labels
Component: Core Issue needs changes to the core Core: HLIL Issue involves High Level IL Core: MLIL Issue involves Medium Level IL IL Optimization Issue involving optimization of representation (not correctness) State: Awaiting Triage Issue is waiting for more in-depth triage from a developer Type: Bug Issue is a non-crashing bug with repro steps
Milestone
Gallifrey

Comments

@galenbwill
Copy link
Contributor

galenbwill commented Feb 25, 2025
edited
Loading

Version and Platform (required):

  • Binary Ninja Version: 4.3.6921-dev

Bug Description:
If a structure contains two array members one after another, attempts to index into the second array member may decompile as indexing into the first array.

Screenshot from original slack post:
Image

From minimal repro:
Image

Steps To Reproduce:

  1. Open attached BNDB
  2. Observe HLIL at 0x00000014 shows arg1->fw[arg2+0x15] which is beyond the bounds of the fw member.

Expected Behavior:
HLIL at 0x00000014 should show arg1->fwHandles[arg2].

Screenshots/Video Recording:
If applicable, please add screenshots/video recording here to help explain your problem.

Binary:
Repro.bndb.txt

Additional Information:
From pubslack user @VisualEhrmanntraut
https://binaryninja.slack.com/archives/C0CV88A83/p1739906675594239

Initial Analysis
It appears the problem is in part due to MLIL typing/valuing an intermediate value (in r12) as a pointer to the first member array, so that when r12 is reused to index into the second member array, it is still considered as a pointer to the first array:

Image
@galenbwill galenbwill added Component: Core Issue needs changes to the core Core: HLIL Issue involves High Level IL State: Awaiting Triage Issue is waiting for more in-depth triage from a developer Type: Bug Issue is a non-crashing bug with repro steps labels Feb 25, 2025
@galenbwill galenbwill added this to the Gallifrey milestone Feb 25, 2025
@galenbwill galenbwill added Core: MLIL Issue involves Medium Level IL IL Optimization Issue involving optimization of representation (not correctness) labels Feb 25, 2025
@galenbwill galenbwill mentioned this issue Feb 26, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component: Core Issue needs changes to the core Core: HLIL Issue involves High Level IL Core: MLIL Issue involves Medium Level IL IL Optimization Issue involving optimization of representation (not correctness) State: Awaiting Triage Issue is waiting for more in-depth triage from a developer Type: Bug Issue is a non-crashing bug with repro steps
Projects
None yet
Milestone
Gallifrey
Development

No branches or pull requests
1 participant
@galenbwill