ESP handling for external calls

[XVilka]

For example we want to run CGC example with Primus:

bap ./CGC_Image_Parser --run --run-entry-points=main \
--rooter=ida --symbolizer=ida --x86-abi=cdecl \
--primus-lisp-load=posix,memcheck-malloc

This is how BIL looks like for the function cgc_putc():

This is the actual diassembly (cgc_transmit is an imported function):

┌ (fcn) sym.imp.cgc_transmit 6                                                                                                                                                                                                               
│   sym.imp.cgc_transmit ();                                                                                                                                                                                                                 
│ ⁝⁝⁝⁝⁝⁝⁝   ; CALL XREF from sym.cgc_puts (0x804a76f)                                                                                                                                                                                        
│ ⁝⁝⁝⁝⁝⁝⁝   ; CALL XREF from sym.cgc_putc (0x804a7b2)                                                                                                                                                                                        
└ ⁝⁝⁝⁝⁝⁝⁝   0x08049650      ff2598230508   jmp dword [reloc.cgc_transmit]       ; 0x8052398 ; "V\x96\x04\bf\x96\x04\bv\x96\x04\b\x86\x96\x04\b\x96\x96\x04\b\xa6\x96\x04\b\xb6\x96\x04\b"                                                    
  ⁝⁝⁝⁝⁝⁝⁝   0x08049656      6818000000     push 0x18                   ; 24                                                                                                                                                                  
  └───────< 0x0804965b      e9b0ffffff     jmp 0x8049610               ;[1]   

So the function do not call return in the end, just a simple jump. Thus the ESP value is not corrected back, which messes the execution.

Example: CGC_Image_Parser.zip

[ivg]

OK, so this is an interesting situation. The problem is totally ABI specific and is due to the asymmetry of the function calling (the caller allocates the the stack slot for the return address, while it is the callee responsibility to clear it).

Since it is indeed the callee responsibility (which in fact might not be fulfilled) we can't do anything about it on the Primus side. Basically, the stub writer shall take care of updating the stack.

We even have a nice mechanism of function advice, that allows you extend (possibly in the abi-specific way) the behavior of a function.

But there are two problems:

1. we do not know whether the function, say strcmp is called as an external function from a program, or it is called from other lisp functions. So, fixing all calls would result in the dual program, which is even worse (we will increment the stack pointer when it wasn't decremented)

2. we can advice only specific functions by name, while in our case we want to advice all stubs (but not all function calls).

I'm currently thinking of how we can approach this problem in general (I'm thinking of introducing some extra layer of indirection, trampoline, to handle this), but so far the workaround would be to manually update the stack pointer in your stubs (you can advice the __primus_linker_unresolved_call function that is called when there is a call to a function that is not stubbed and is definitely not called directly from any other place).

Otherwise, suggestions and ideas are welcome, and thanks for bringing our attention to this.

[XVilka]

So, do you think it is possible to solve properly somehow (without a temporary workarounds)?

[ivg]

The simplest of the ideas that came to my mind so far, is to define two observations (we need only one of them, but let's keep the symmetry), something like lisp-stub-call, lisp-stub-call-returned, which will be invoked every time an externally linked primus stub is called and returns. The latter could be used by an abi-specific module (which could be implemented in pure Primus Lisp) to enable the stack tear-down. Those observations could also be useful to track values which were modeled vs. values that were faithfully computed by the system under the test.

Implementation-wise, it is quite simple, the first observation should be made just after the call is entered and the second just before the call is left. The observations should be of the same type as call_entered and call_returned and basically should be called the same, e.g.,

notify_when is_external lisp_call_entered name args

The change is rather trivial, but since I'm currently working with Primus 2.0 and BAP 2.0 it would require me to switch to the master branch and recompile everything from scratch which will take hours, so a PR will be very welcome. Especially, since we will soon close the feature window of BAP 1.6, which we're going to release before the end of the month (Feb 2019).