CFGFast: Fix a bug that causes fakeret edges being confirmed prematur…

…ely. (angr#3257)
jomanchu-twosix · Mar 30, 2022 · b6988b0 · b6988b0
1 parent 93f402d
commit b6988b0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/angr/analyses/cfg/cfg_base.py b/angr/analyses/cfg/cfg_base.py
@@ -2191,11 +2191,13 @@ def _graph_traversal_handler(self, g, src, dst, data, blockaddr_to_function, kno
             # We may have determined that this does not happen, since the time this path
             # was scheduled for exploration
             called_function = None
+            called_function_addr = None
             # Try to find the call that this fakeret goes with
             for _, d, e in all_edges:
                 if e['jumpkind'] == 'Ijk_Call':
                     if d.addr in blockaddr_to_function:
                         called_function = blockaddr_to_function[d.addr]
+                        called_function_addr = d.addr
                         break
             # We may have since figured out that the called function doesn't ret.
             # It's important to assume that all unresolved targets do return
@@ -2205,9 +2207,9 @@ def _graph_traversal_handler(self, g, src, dst, data, blockaddr_to_function, kno
 
             to_outside = not target_function is src_function
 
-            # FIXME: Not sure we should confirm this fakeret or not.
-            self.kb.functions._add_fakeret_to(src_function.addr, src_node, dst_node, confirmed=True,
-                                              to_outside=to_outside, to_function_addr=target_function.addr
+            confirmed = called_function is None or called_function.returning is True
+            self.kb.functions._add_fakeret_to(src_function.addr, src_node, dst_node, confirmed=confirmed,
+                                              to_outside=to_outside, to_function_addr=called_function_addr
                                               )
 
         else:

diff --git a/angr/analyses/cfg/cfg_fast.py b/angr/analyses/cfg/cfg_fast.py
@@ -1451,7 +1451,7 @@ def _post_analysis(self):
             edges_to_remove = [ ]
             for src, dst, data in all_edges:
                 if 'type' in data:
-                    if data['type'] == 'fake_return' and 'confirmed' not in data:
+                    if data['type'] == 'fake_return' and data.get('confirmed', False) is False:
 
                         # Get all possible functions being called here
                         target_funcs = [ self.functions.function(addr=func_addr)