angr 9.2.138__py3-none-win_amd64.whl → 9.2.140__py3-none-win_amd64.whl

angr/__init__.py

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
 
-__version__ = "9.2.138"
+__version__ = "9.2.140"
 
 if bytes is str:
     raise Exception(

angr/analyses/calling_convention/calling_convention.py

@@ -150,6 +150,8 @@ class CallingConventionAnalysis(Analysis):
         The major analysis routine.
         """
 
+        assert self._function is not None
+
         if self._function.is_simprocedure:
             hooker = self.project.hooked_by(self._function.addr)
             if isinstance(
@@ -200,8 +202,8 @@ class CallingConventionAnalysis(Analysis):
                         )
                         if prototype.args:
                             break
-                self.cc = cc
-                self.prototype = prototype
+                self.cc = cc  # type: ignore
+                self.prototype = prototype  # type: ignore
             return
         if self._function.is_plt:
             r = self._analyze_plt()
@@ -218,23 +220,33 @@ class CallingConventionAnalysis(Analysis):
             if self.analyze_callsites:
                 # only take the first 3 because running reaching definition analysis on all functions is costly
                 callsite_facts = self._extract_and_analyze_callsites(max_analyzing_callsites=3)
-                prototype = self._adjust_prototype(
-                    prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                prototype = (
+                    self._adjust_prototype(
+                        prototype, callsite_facts, update_arguments=UpdateArgumentsOption.UpdateWhenCCHasNoArgs
+                    )
+                    if prototype is not None
+                    else None
                 )
 
             self.cc = cc
             self.prototype = prototype
 
     def _analyze_callsite_only(self):
+        assert self.caller_func_addr is not None
+        assert self.callsite_block_addr is not None
+        assert self.callsite_insn_addr is not None
+        cc, prototype = None, None
+
         for include_callsite_preds in [False, True]:
-            callsite_facts = [
-                self._analyze_callsite(
-                    self.caller_func_addr,
-                    self.callsite_block_addr,
-                    self.callsite_insn_addr,
-                    include_preds=include_callsite_preds,
-                )
-            ]
+            fact = self._analyze_callsite(
+                self.caller_func_addr,
+                self.callsite_block_addr,
+                self.callsite_insn_addr,
+                include_preds=include_callsite_preds,
+            )
+            if fact is None:
+                continue
+            callsite_facts = [fact]
             cc_cls = default_cc(
                 self.project.arch.name,
                 platform=(
@@ -258,6 +270,7 @@ class CallingConventionAnalysis(Analysis):
 
         :return:    A calling convention.
         """
+        assert self._function is not None
 
         if len(self._function.jumpout_sites) != 1:
             l.warning(
@@ -314,6 +327,7 @@ class CallingConventionAnalysis(Analysis):
         Go over the variable information in variable manager for this function, and return all uninitialized
         register/stack variables.
         """
+        assert self._function is not None
 
         if self._function.is_simprocedure or self._function.is_plt:
             # we do not analyze SimProcedures or PLT stubs
@@ -403,6 +417,8 @@ class CallingConventionAnalysis(Analysis):
         returns anything or not.
         """
 
+        assert self._function is not None
+
         if self._cfg is None:
             l.warning("CFG is not provided. Skip calling convention analysis at call sites.")
             return []
@@ -656,13 +672,10 @@ class CallingConventionAnalysis(Analysis):
 
     def _adjust_prototype(
         self,
-        proto: SimTypeFunction | None,
+        proto: SimTypeFunction,
         facts: list[CallSiteFact],
         update_arguments: int = UpdateArgumentsOption.DoNotUpdate,
-    ) -> SimTypeFunction | None:
-        if proto is None:
-            return None
-
+    ) -> SimTypeFunction:
         # is the return value used anywhere?
         if facts:
             if all(fact.return_value_used is False for fact in facts):
@@ -691,6 +704,8 @@ class CallingConventionAnalysis(Analysis):
         :return:
         """
 
+        assert self._function is not None
+
         args = set()
         ret_addr_offset = 0 if not self.project.arch.call_pushes_ret else self.project.arch.bytes
 
@@ -839,17 +854,27 @@ class CallingConventionAnalysis(Analysis):
         return SimTypeBottom()
 
     def _guess_retval_type(self, cc: SimCC, ret_val_size: int | None) -> SimType:
+        assert self._function is not None
+
         if cc.FP_RETURN_VAL and self._function.ret_sites:
             # examine the last block of the function and see which registers are assigned to
             for ret_block in self._function.ret_sites:
+                fpretval_updated, retval_updated = False, False
+                fp_reg_size = 0
                 irsb = self.project.factory.block(ret_block.addr, size=ret_block.size).vex
                 for stmt in irsb.statements:
                     if isinstance(stmt, Put) and isinstance(stmt.data, RdTmp):
-                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width
+                        reg_size = irsb.tyenv.sizeof(stmt.data.tmp) // self.project.arch.byte_width  # type: ignore
                         reg_name = self.project.arch.translate_register_name(stmt.offset, size=reg_size)
-                        if reg_name == cc.FP_RETURN_VAL.reg_name:
-                            # possibly float
-                            return SimTypeFloat() if reg_size == 4 else SimTypeDouble()
+                        if isinstance(cc.FP_RETURN_VAL, SimRegArg) and reg_name == cc.FP_RETURN_VAL.reg_name:
+                            fpretval_updated = True
+                            fp_reg_size = reg_size
+                        elif isinstance(cc.RETURN_VAL, SimRegArg) and reg_name == cc.RETURN_VAL.reg_name:
+                            retval_updated = True
+
+                if fpretval_updated and not retval_updated:
+                    # possibly float
+                    return SimTypeFloat() if fp_reg_size == 4 else SimTypeDouble()
 
         if ret_val_size is not None:
             if ret_val_size == 1:
@@ -884,6 +909,8 @@ class CallingConventionAnalysis(Analysis):
         # TODO: Use a better pattern matching approach
         if len(func.block_addrs_set) < 3:
             return False, None
+        if func.startpoint is None:
+            return False, None
 
         head = func.startpoint
         out_edges = list(func.transition_graph.out_edges(head, data=True))

angr/analyses/calling_convention/fact_collector.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from __future__ import annotations
 from typing import Any
 
@@ -332,6 +333,9 @@ class FactCollector(Analysis):
         cc_cls = default_cc(
             self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
         )
+        if cc_cls is None:
+            # don't know what the calling convention may be... give up
+            return
         cc = cc_cls(self.project.arch)
         if isinstance(cc.RETURN_VAL, SimRegArg):
             retreg_offset = cc.RETURN_VAL.check_offset(self.project.arch)
@@ -401,6 +405,16 @@ class FactCollector(Analysis):
         func_graph = self.function.transition_graph
         callee_restored_regs = set()
 
+        sp_masks = {
+            0xFFFFFFFE,
+            0xFFFFFFFC,
+            0xFFFFFFF8,
+            0xFFFFFFF0,
+            0xFFFFFFFF_FFFFFFFE,
+            0xFFFFFFFF_FFFFFFFC,
+            0xFFFFFFFF_FFFFFFF8,
+            0xFFFFFFFF_FFFFFFF0,
+        }
         for endpoint in self.function.endpoints:
             traversed = set()
             queue: list[tuple[int, BlockNode | HookNode]] = [(0, endpoint)]
@@ -434,17 +448,29 @@ class FactCollector(Analysis):
                             tmps[stmt.tmp] = "stack_value"
                         elif isinstance(stmt.data, pyvex.IRExpr.Const):
                             tmps[stmt.tmp] = "const"
-                        elif isinstance(stmt.data, pyvex.IRExpr.Binop) and (  # noqa:SIM102
-                            stmt.data.op.startswith("Iop_Add") or stmt.data.op.startswith("Iop_Sub")
-                        ):
-                            if (
-                                isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
-                                and tmps.get(stmt.data.args[0].tmp) == "sp"
-                            ) or (
-                                isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
-                                and tmps.get(stmt.data.args[1].tmp) == "sp"
-                            ):
-                                tmps[stmt.tmp] = "sp"
+                        elif isinstance(stmt.data, pyvex.IRExpr.Binop):
+                            if stmt.data.op.startswith("Iop_Add") or stmt.data.op.startswith("Iop_Sub"):
+                                if (
+                                    isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[0].tmp) == "sp"
+                                ) or (
+                                    isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[1].tmp) == "sp"
+                                ):
+                                    tmps[stmt.tmp] = "sp"
+                            elif stmt.data.op.startswith("Iop_And"):  # noqa: SIM102
+                                if (
+                                    isinstance(stmt.data.args[0], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[0].tmp) == "sp"
+                                    and isinstance(stmt.data.args[1], pyvex.IRExpr.Const)
+                                    and stmt.data.args[1].con.value in sp_masks
+                                ) or (
+                                    isinstance(stmt.data.args[1], pyvex.IRExpr.RdTmp)
+                                    and tmps.get(stmt.data.args[1].tmp) == "sp"
+                                    and isinstance(stmt.data.args[0], pyvex.IRExpr.Const)
+                                    and stmt.data.args[0].con.value in sp_masks
+                                ):
+                                    tmps[stmt.tmp] = "sp"
                     if isinstance(stmt, pyvex.IRStmt.Put):
                         size = stmt.data.result_size(block.vex.tyenv) // self.project.arch.byte_width
                         # is the data loaded from the stack?
@@ -460,7 +486,28 @@ class FactCollector(Analysis):
                     if pred not in traversed and depth + 1 <= self._max_depth and edge_type == "transition":
                         queue.append((depth + 1, pred))
 
-        return callee_restored_regs
+        # remove offsets of registers that may store return values from callee_restored_regs
+        ret_reg_offsets = set()
+        cc_cls = default_cc(
+            self.project.arch.name, platform=self.project.simos.name if self.project.simos is not None else None
+        )
+        if cc_cls is not None:
+            cc = cc_cls(self.project.arch)
+            if isinstance(cc.RETURN_VAL, SimRegArg):
+                retreg_offset = cc.RETURN_VAL.check_offset(self.project.arch)
+                ret_reg_offsets.add(retreg_offset)
+            if isinstance(cc.OVERFLOW_RETURN_VAL, SimRegArg):
+                retreg_offset = cc.OVERFLOW_RETURN_VAL.check_offset(self.project.arch)
+                ret_reg_offsets.add(retreg_offset)
+            if isinstance(cc.FP_RETURN_VAL, SimRegArg):
+                try:
+                    retreg_offset = cc.FP_RETURN_VAL.check_offset(self.project.arch)
+                    ret_reg_offsets.add(retreg_offset)
+                except KeyError:
+                    # register name does not exist
+                    pass
+
+        return callee_restored_regs.difference(ret_reg_offsets)
 
     def _determine_input_args(self, end_states: list[FactCollectorState], callee_restored_regs: set[int]) -> None:
         self.input_args = []

angr/analyses/calling_convention/utils.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 import logging
 
 import archinfo
-from archinfo.arch_arm import is_arm_arch, ArchARMHF
+from archinfo.arch_arm import is_arm_arch, ArchARMHF, ArchARMCortexM
 
 from angr.calling_conventions import SimCC
 
@@ -37,7 +37,7 @@ def is_sane_register_variable(arch: archinfo.Arch, reg_offset: int, reg_size: in
         # 224 <= reg_offset < 480)  # xmm0-xmm7
 
     if is_arm_arch(arch):
-        if isinstance(arch, ArchARMHF):
+        if isinstance(arch, (ArchARMHF, ArchARMCortexM)):
             return 8 <= reg_offset < 24 or 128 <= reg_offset < 160  # r0 - 32  # s0 - s7, or d0 - d4
         return 8 <= reg_offset < 24  # r0-r3
 

angr/analyses/cfg/cfg_base.py

@@ -1421,6 +1421,19 @@ class CFGBase(Analysis):
                 # We gotta create a new one
                 l.error("normalize(): Please report it to Fish.")
 
+        # update the jump tables dict and the indirect jumps dict
+        if smallest_node.addr not in self.model.jump_tables:
+            for n in other_nodes:
+                if n.addr in self.model.jump_tables:
+                    self.model.jump_tables[n.addr].addr = smallest_node.addr
+                    self.model.jump_tables[smallest_node.addr] = self.model.jump_tables[n.addr]
+                    break
+        if smallest_node.addr not in self.indirect_jumps:
+            for n in other_nodes:
+                if n.addr in self.indirect_jumps:
+                    self.indirect_jumps[n.addr].addr = smallest_node.addr
+                    self.indirect_jumps[smallest_node.addr] = self.indirect_jumps[n.addr]
+                    break
         # deal with duplicated entries in self.jump_tables and self.indirect_jumps
         if smallest_node.addr in self.model.jump_tables:
             for n in other_nodes:

angr/analyses/cfg/cfg_fast.py

@@ -1524,6 +1524,17 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 }:
                     func.info["is_rust_probestack"] = True
 
+            # determine if the function is __alloca_probe
+            if func is not None and len(func.block_addrs_set) == 4:
+                block_bytes = {func.get_block(block_addr).bytes for block_addr in func.block_addrs_set}
+                if block_bytes == {
+                    b"H\x83\xec\x10L\x89\x14$L\x89\\$\x08M3\xdbL\x8dT$\x18L+\xd0M\x0fB\xd3eL\x8b\x1c%\x10\x00\x00\x00M;\xd3s\x16",
+                    b"fA\x81\xe2\x00\xf0M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"M\x8d\x9b\x00\xf0\xff\xffA\xc6\x03\x00M;\xd3u\xf0",
+                    b"L\x8b\x14$L\x8b\\$\x08H\x83\xc4\x10\xc3",
+                }:
+                    func.info["is_alloca_probe"] = True
+
         if self._collect_data_ref and self.project is not None and ":" in self.project.arch.name:
             # this is a pcode arch - use Clinic to recover data references
 
@@ -2819,11 +2830,13 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
         if sec is not None and sec.is_readable and not sec.is_writable:
             # points to a non-writable region. read it out and see if there is another pointer!
             v = self._fast_memory_load_pointer(ref.data_addr, ref.data_size)
+            if v is None:
+                return
 
             # this value can either be a pointer or an offset from the pc... we need to try them both
             # attempt 1: a direct pointer
             sec_2nd = self.project.loader.find_section_containing(v)
-            if sec_2nd is not None and sec_2nd.is_readable and not sec_2nd.is_writable:
+            if sec_2nd is not None and sec_2nd.is_readable:
                 # found it!
                 self._add_data_reference(
                     irsb_addr,
@@ -2872,7 +2885,7 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 actual_ref_ins_addr = ref.ins_addr + 4
                 v += 8 + actual_ref_ins_addr
             sec_3rd = self.project.loader.find_section_containing(v)
-            if sec_3rd is not None and sec_3rd.is_readable and not sec_3rd.is_writable:
+            if sec_3rd is not None and sec_3rd.is_readable:
                 # found it!
                 self._add_data_reference(
                     irsb_addr, ref.stmt_idx, actual_ref_ins_addr, v, data_size=None, data_type=MemoryDataSort.Unknown
@@ -4178,7 +4191,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
             for segment in self.project.loader.main_object.segments:
                 if segment.is_readable and segment.memsize >= 8:
                     # the gp area is sometimes writable, so we can't test for (not segment.is_writable)
-                    content = self.project.loader.memory.load(segment.vaddr, segment.memsize)
+                    try:
+                        content = self.project.loader.memory.load(segment.vaddr, segment.memsize)
+                    except KeyError:
+                        continue
                     content_buf = pyvex.ffi.from_buffer(content)
                     self._ro_region_cdata_cache.append(content_buf)
                     pyvex.pvc.register_readonly_region(segment.vaddr, segment.memsize, content_buf)
@@ -4187,7 +4203,10 @@ class CFGFast(ForwardAnalysis[CFGNode, CFGNode, CFGJob, int], CFGBase):  # pylin
                 # also map .got
                 for section in self.project.loader.main_object.sections:
                     if section.name == ".got":
-                        content = self.project.loader.memory.load(section.vaddr, section.memsize)
+                        try:
+                            content = self.project.loader.memory.load(section.vaddr, section.memsize)
+                        except KeyError:
+                            continue
                         content_buf = pyvex.ffi.from_buffer(content)
                         self._ro_region_cdata_cache.append(content_buf)
                         pyvex.pvc.register_readonly_region(section.vaddr, section.memsize, content_buf)