Currently we recover type information from C++ mangled names. This information is then used to inform analysis. This is great except in one specific case. If a binary using GNU3 mangled names has a non-static class member which takes a function pointer we may create invalid functions.
What happens is that we query the function's type for function-pointer parameters, then query the value passed for each such parameter; if that value is constant, we create a function at that address. This works fine for all calling conventions except thiscall, since the first parameter (this) is implicit.
We do check if the offset we are making a function at is executable, but sometimes the compiler will put rodata into an executable segment!?
TL;DR: In some rare circumstances we can create functions where there shouldn't be functions.
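A constructed model of the heuristic described above, added as an example and not code from the original report or the project it describes. Section names, addresses, the signature Foo::bar(void (*)(int)) and the call-site argument slots are all assumed; it shows the off-by-one for thiscall and the rodata-in-executable-segment case side by side.

```python
from dataclasses import dataclass

@dataclass
class Section:
    name: str
    start: int
    end: int          # exclusive
    executable: bool  # segment permission, shared by every section in the segment

# Constructed memory map: the linker put .rodata in the same executable segment as .text
SECTIONS = [
    Section(".text",   0x1000, 0x2000, True),
    Section(".rodata", 0x2000, 0x3000, True),
    Section(".data",   0x4000, 0x5000, False),
]

def section_for(addr):
    return next((s for s in SECTIONS if s.start <= addr < s.end), None)

def is_executable(addr):
    """The segment-permission check alone: accepts .rodata here."""
    s = section_for(addr)
    return s is not None and s.executable

def is_code_address(addr):
    """Stricter check: executable segment AND not a read-only data section."""
    return is_executable(addr) and section_for(addr).name != ".rodata"

def fnptr_param_indices(param_types):
    """Indices of explicit parameters (from the mangled name) whose type is a function pointer."""
    return [i for i, t in enumerate(param_types) if "(*)" in t]

def arg_slot(param_index, convention):
    """thiscall passes `this` in slot 0, so explicit parameters start at slot 1."""
    return param_index + 1 if convention == "thiscall" else param_index

def candidate_functions(param_types, convention, call_args, naive=False, check=is_code_address):
    """Addresses the heuristic would define as functions.
    call_args[i] is the constant in argument slot i, or None if unknown.
    naive=True reproduces the bug: parameter index used directly as the slot."""
    out = []
    for i in fnptr_param_indices(param_types):
        slot = i if naive else arg_slot(i, convention)
        if slot < len(call_args):
            value = call_args[slot]
            if value is not None and check(value):
                out.append(value)
    return out

# Constructed: Foo::bar(void (*)(int)), mangled as _ZN3Foo3barEPFviE, has one explicit parameter
PARAMS = ["void (*)(int)"]
# Constructed call site: slot 0 = this (a const object in .rodata), slot 1 = callback in .text
CALL_ARGS = [0x2040, 0x1230]
```

With the naive slot mapping and the permission-only check, the object address 0x2040 in .rodata is turned into a function; the shifted mapping yields the real callback at 0x1230.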