Description
Version and Platform (required):
- Binary Ninja Version: 4.2.6455
- OS: Debian
- OS Version: 12
- CPU Architecture: x64
Bug Description:
Binary Ninja fails to detect a parameter for a function in a simple ELF binary (compiled with gcc version 12.2.0 with `-Wall -O3`).
The function in question is `execute_cgi_command`, and here is a call to it from the binary:
```
22 @ 00001311 rdi_1#3 = rbx_1#1 <---------------
23 @ 00001314 [rbx_1#1 + rax_1#3].b = 0 @ mem#3 -> mem#6
24 @ 00001318 mem#7 = execute_cgi_command() @ mem#6
```
We observe that the parameter `rdi` is prepared just before the function call.
Moreover, within the function, this parameter is immediately used:
```
000012a0 char* execute_cgi_command()
0 @ 000012a8 result#1, mem#1 = strstr(rdi#0, "/cgi-bin/") @ mem#0 <---------------
1 @ 000012b0 if (result#1 == 0) then 2 else 3 @ 0x12b2
```
Initially, I thought it failed to detect the calling convention, but I can see that it is detected correctly:
Could the zero-byte write before the call (`mov byte [rbx+rax], 0x0`) be confusing Binary Ninja?
Compiling with `-O0` resolves the issue, and the call no longer includes this instruction:
```
7 @ 0000138f rax_4 = var_10
8 @ 00001393 rdi_2 = rax_4
9 @ 00001396 execute_cgi_command(rdi_2)
```
Compiling with `clang` exhibits the same behavior, whereas compiling with `arm-linux-gcc` results in the parameter being detected. I tested an older stable version (4.0) to verify it was not a regression, and I had the same issue.
Steps To Reproduce:
Please provide all steps required to reproduce the behavior:
- Open `recv-01.elf` contained in `example.zip`
- Navigate to the `execute_cgi_command()` function
Expected Behavior:
The function should take a parameter (`char *`).
Binary:
example.zip
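As an added illustration for triaging this kind of report (it is not code from this issue or from Binary Ninja itself), the script below applies the reasoning above with the headless Python API: it takes the MLIL SSA text of the function, looks for SysV argument registers that are read at their entry version (`rdi#0` here), compares that against the declared parameter list, and applies a user type override so later analysis and the decompilation show the `char *` argument. The register heuristic runs stand-alone on the IL lines quoted in the report; the `binaryninja` module and the calls `binaryninja.load`, `get_functions_by_name`, `parse_type_string` and `set_user_type` are only used in `check_in_binary_ninja` and assume a Binary Ninja installation. The parameter name `request` is an assumption.

```python
"""Headless check for a function whose decompiled signature shows no
parameters even though its entry block reads argument registers.
Added illustration for this issue; not Binary Ninja's own code."""
import re
import sys

# System V x86-64 integer argument registers, in ABI order.
SYSV_ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")

# Matches an SSA register at version 0 (the value live at function entry),
# e.g. "rdi#0" or "rdi_1#0" in Binary Ninja's MLIL SSA text form.
_ENTRY_REG = re.compile(r"\b(r(?:di|si|dx|cx|8|9))(?:_\d+)?#0\b")


def entry_arg_regs(il_lines):
    """SysV argument registers that the IL text reads at entry version (#0),
    in ABI order. Reading rdi#0 means the function consumes a value the
    caller set up in rdi, i.e. an incoming argument."""
    seen = set()
    for line in il_lines:
        for m in _ENTRY_REG.finditer(line):
            seen.add(m.group(1))
    return [r for r in SYSV_ARG_REGS if r in seen]


def implied_param_count(il_lines):
    """Arguments are positional: if rsi#0 is read then rdi carries an argument
    too, so the count is the ABI index of the last register read plus one."""
    regs = entry_arg_regs(il_lines)
    if not regs:
        return 0
    return SYSV_ARG_REGS.index(regs[-1]) + 1


def undeclared_params(il_lines, declared_count):
    """Registers that carry incoming arguments but are not covered by the
    declared signature (declared_count parameters)."""
    return SYSV_ARG_REGS[declared_count:implied_param_count(il_lines)]


# Constructed sample: the MLIL SSA lines quoted in the issue for execute_cgi_command.
SAMPLE_IL = [
    '0 @ 000012a8 result#1, mem#1 = strstr(rdi#0, "/cgi-bin/") @ mem#0',
    '1 @ 000012b0 if (result#1 == 0) then 2 else 3 @ 0x12b2',
]


def check_in_binary_ninja(path, name):
    """Run with the Binary Ninja API installed: report the mismatch and apply
    a user override. Only the bv/func calls below are Binary Ninja API."""
    import binaryninja  # assumed available; not importable without the product

    bv = binaryninja.load(path)
    for func in bv.get_functions_by_name(name):
        il_lines = [str(i) for i in func.mlil.ssa_form.instructions]
        declared = len(func.type.parameters)
        missing = undeclared_params(il_lines, declared)
        print(f"{name}: declared {declared} param(s), IL implies {implied_param_count(il_lines)}")
        if missing:
            # Override with a user type so HLIL shows the argument. The "char*"
            # return and parameter types follow the expected behaviour in the issue;
            # the parameter name "request" is assumed.
            new_type, _ = bv.parse_type_string(f"char* {name}(char* request)")
            func.set_user_type(new_type)
            bv.update_analysis_and_wait()
            print("applied override:", func.type)


if __name__ == "__main__":
    print("registers read at entry:", entry_arg_regs(SAMPLE_IL))
    print("undeclared given an empty signature:", undeclared_params(SAMPLE_IL, 0))
    if len(sys.argv) == 3:
        check_in_binary_ninja(sys.argv[1], sys.argv[2])  # e.g. recv-01.elf execute_cgi_command
```

The heuristic only looks at integer registers at SSA version 0, so it will not see stack-passed or floating-point arguments, and it reports a count rather than types; the override is a manual triage step, not a fix for the analysis itself.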