Fix some code versus data issues

bminor · Jan 30, 2017 · ae43242 · ae43242
1 parent 3ee6ad7
commit ae43242
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/bb.h b/bb.h
@@ -26,6 +26,7 @@ class BB {
   void set(uint64_t start, uint64_t end) { reset(); this->start = start; this->end = end; }
 
   bool is_addrtaken () { return addrtaken; }
+  bool is_invalid   () { return invalid; }
   bool is_padding   () { return padding; }
   bool is_trap      () { return trap; }
   bool is_called    ();

diff --git a/cfg.cc b/cfg.cc
@@ -81,6 +81,27 @@ CFG::analyze_addrtaken()
 }
 
 
+void
+CFG::mark_jmptab_as_data(uint64_t start, uint64_t end)
+{
+  uint64_t addr;
+  BB *bb, *cc;
+
+  bb = NULL;
+  cc = NULL;
+  for(addr = start; addr < end; addr++) {
+    bb = this->get_bb(addr, NULL);
+    if(!bb) continue;
+    if(bb != cc) {
+      bb->invalid = true;
+      unlink_bb(bb);
+      bad_bbs[bb->start] = bb;
+      cc = bb;
+    }
+  }
+}
+
+
 void
 CFG::find_switches_x86()
 {
@@ -90,7 +111,7 @@ CFG::find_switches_x86()
   Operand *op_target, *op_reg, *op_mem;
   int scale;
   unsigned offset;
-  uint64_t jmptab_addr, jmptab_idx, case_addr;
+  uint64_t jmptab_addr, jmptab_idx, jmptab_end, case_addr;
   uint8_t *jmptab8;
   uint16_t *jmptab16;
   uint32_t *jmptab32;
@@ -145,17 +166,20 @@ CFG::find_switches_x86()
     }
 
     if(jmptab_addr) {
+      jmptab_end = 0;
       for(auto &sec: this->binary->sections) {
         if(sec.contains(jmptab_addr)) {
           verbose(4, "parsing jump table at 0x%016jx (jump at 0x%016jx)", 
                      jmptab_addr, bb->insns.back().start);
           jmptab_idx = jmptab_addr-sec.vma;
+          jmptab_end = jmptab_addr;
           jmptab8  = (uint8_t*) &sec.bytes[jmptab_idx];
           jmptab16 = (uint16_t*)&sec.bytes[jmptab_idx];
           jmptab32 = (uint32_t*)&sec.bytes[jmptab_idx];
           jmptab64 = (uint64_t*)&sec.bytes[jmptab_idx];
           while(1) {
             if((jmptab_idx+scale) >= sec.size) break;
+            jmptab_end += scale;
             jmptab_idx += scale;
             switch(scale) {
               case 1:
@@ -203,6 +227,10 @@ CFG::find_switches_x86()
           break;
         }
       }
+
+      if(jmptab_addr && jmptab_end) {
+        mark_jmptab_as_data(jmptab_addr, jmptab_end);
+      }
     }
   }
 }
@@ -232,7 +260,7 @@ CFG::expand_function(Function *f, BB *bb)
   if(!bb) {
     bb = f->BBs.front();
   } else {
-    if(bb->section->is_import_table()) {
+    if(bb->section->is_import_table() || bb->is_invalid()) {
       return;
     } else if(bb->function) {
       return;
@@ -295,7 +323,7 @@ CFG::find_functions()
   /* Detect functions for remaining BBs through connected-component analysis */
   for(auto &kv: this->start2bb) {
     bb = kv.second;
-    if(bb->section->is_import_table() || bb->is_padding()) {
+    if(bb->section->is_import_table() || bb->is_padding() || bb->is_invalid()) {
       continue;
     } else if(bb->function) {
       continue;

diff --git a/cfg.h b/cfg.h
@@ -33,6 +33,7 @@ class CFG {
 private:
   void analyze_addrtaken_x86 ();
   void analyze_addrtaken     ();
+  void mark_jmptab_as_data   (uint64_t start, uint64_t end);
   void find_switches_x86     ();
   void find_switches         ();
   void expand_function       (Function *f, BB *bb);