calculate the number of arguments #6148

Open
bb33bb opened this issue Nov 17, 2024 · 0 comments

Comments


bb33bb commented Nov 17, 2024

  • Binary Ninja Version: 4.2.6447-dev Personal (5ca6dc49)
  • OS: manjaro
  • OS Version:
  • cat /proc/version
    Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

  • CPU Architecture: x64

Bug Description:
In the Pseudo C code, when we are calculating the number of arguments, we treat the following register x18 as an argument.
Here is the code:

ffffffc0082effb0    void audit_core_dumps(int64_t* arg1, int64_t* arg2 @ x18)

ffffffc0082effb0  5f2403d5   bti     c
ffffffc0082effb4  5e8600f8   str     x30, [x18], #0x8
ffffffc0082effb8  3f2303d5   paciasp 
ffffffc0082effbc  ff4301d1   sub     sp, sp, #0x50
ffffffc0082effc0  fd7b02a9   stp     x29, x30, [sp, #0x20] {__saved_x29} {var_28}
ffffffc0082effc4  f65703a9   stp     x22, x21, [sp, #0x30] {__saved_x22} {__saved_x21}

I think it is not a special case in this specific function; I found it in many functions.
But to be honest, the real definition of this function is:

void audit_core_dumps(long signr)
{
	struct audit_buffer *ab;

	if (!audit_enabled)
		return;

	if (signr == SIGQUIT)	/* don't care for those */
		return;

	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
	if (unlikely(!ab))
		return;
	audit_log_task(ab);
	audit_log_format(ab, " sig=%ld res=1", signr);
	audit_log_end(ab);
}

Also, this assembly instruction is located before paciasp. As this is a PAC instruction, I don't know whether I am right, but in my personal sense, PAC is added by the compiler.
So the x18 register is not designed by the normal programmer, so it is not an argument of the original function.
As a comparison, in IDA we get the following code:

void __fastcall audit_core_dumps(long signr)
{
  _QWORD *v1; // x18
  __int64 v2; // x30
  task_struct_26 *StatusReg; // x21
  audit_buffer *v5; // x0
  audit_buffer *v6; // x20
  size_t v7; // x0
  mm_struct *mm; // x0
  file_2 *mm_exe_file; // x0
  file *v10; // x21
  char buf[8]; // [xsp+8h] [xbp-18h] BYREF
  __int64 v12; // [xsp+18h] [xbp-8h]

  *v1 = v2;
  v12 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 0, 4, 1, 0)) + 1504);
  if ( signr != 3 )
  {
    if ( audit_enabled )

A little ugly, but maybe the true result.

If you need the binary, please call me.
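As an added illustration (not part of this issue and not Binary Ninja's own code), the following Python models the "register read before it is written" argument heuristic over the prologue quoted above and shows how recognising the Linux arm64 shadow-call-stack push `str x30, [x18], #0x8` (emitted under CONFIG_SHADOW_CALL_STACK, where x18 holds the shadow-stack pointer) removes x18 from the inferred parameter list. The final `cmp` line of the sample is constructed, standing in for the later `signr == SIGQUIT` test so that the genuine x0 argument appears.

```python
import re

# Constructed sample: the six prologue lines quoted in the issue plus one marked line that
# stands in for the later `signr == SIGQUIT` compare, so x0 (signr) shows up as an argument.
LISTING = """\
ffffffc0082effb0  5f2403d5   bti     c
ffffffc0082effb4  5e8600f8   str     x30, [x18], #0x8
ffffffc0082effb8  3f2303d5   paciasp
ffffffc0082effbc  ff4301d1   sub     sp, sp, #0x50
ffffffc0082effc0  fd7b02a9   stp     x29, x30, [sp, #0x20]
ffffffc0082effc4  f65703a9   stp     x22, x21, [sp, #0x30]
cmp     w0, #0x3   ; constructed line, not from the issue
"""

INSN_RE = re.compile(r"^(?:[0-9a-f]{16}\s+[0-9a-f]{8}\s+)?([a-z]+)\s*([^;]*)", re.I)
REG_RE = re.compile(r"\b([xw](?:[12]?\d|30)|sp)\b")
# `str x30, [x18], #0x8` is the Linux arm64 shadow call stack push (CONFIG_SHADOW_CALL_STACK):
# x18 carries the shadow-stack pointer, a platform register, not a source-level parameter.
SCS_PUSH_RE = re.compile(r"^str x30, \[x18\], #(?:0x)?8$")
# Mnemonics whose leading register operand(s) are destinations; everything else only reads.
WRITES_FIRST = {"sub": 1, "add": 1, "mov": 1, "ldr": 1, "adrp": 1, "ldp": 2}
# sp, frame pointer, link register and the AAPCS64 callee-saved x19-x28 are never arguments here.
NOT_ARGS = {"sp", "x29", "x30"} | {f"x{i}" for i in range(19, 29)}

def canon(reg):
    """Fold a w-register view onto its x register so w0 and x0 count as one value."""
    return "x" + reg[1:] if reg[0] == "w" else reg

def infer_args(listing, scs_aware=False):
    """Registers read before any write in this straight-line code: the naive incoming-argument set."""
    written, args = set(), set()
    for raw in listing.splitlines():
        m = INSN_RE.match(raw.strip())
        if not m:
            continue
        mnem, ops = m.group(1).lower(), re.sub(r"\s+", " ", m.group(2)).strip()
        if scs_aware and SCS_PUSH_RE.match(f"{mnem} {ops}"):
            written.add("x18")  # treat the shadow-stack pointer as runtime state, defined before entry
        toks = [canon(r) for r in REG_RE.findall(ops)]
        ndest = WRITES_FIRST.get(mnem, 0)
        dests, reads = set(toks[:ndest]), toks[ndest:]
        wb = re.search(r"\[(\w+)[^\]]*\](?:!| ?,)", ops)  # pre-/post-index addressing writes the base back
        if wb:
            dests.add(canon(wb.group(1)))
        args |= {r for r in reads if r not in written} - NOT_ARGS
        written |= dests
    return args

if __name__ == "__main__":
    print("naive:", sorted(infer_args(LISTING)), "scs-aware:", sorted(infer_args(LISTING, True)))
```

The naive pass reports both x0 and x18, matching the `arg2 @ x18` in the report; the SCS-aware pass reports only x0.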
