+
Skip to content

With auto_load_libs enabled, the CFG analysis varies between versions #5643

New issue
New issue
Open
Open
With auto_load_libs enabled, the CFG analysis varies between versions#5643
Labels
needs-triageIssue has yet to be looked at by a maintainerquestionIssues that do not require code changes
@i-Corner

Description

@i-Corner
i-Corner
opened on Sep 4, 2025

Question

Hi angr team, Thanks for all your great work on angr!(Pardon my English)

I'm running into an issue recently and was hoping for some help.

I'm backtracking from sinks (e.g., system) using CFG analysis. The goal is to get the predecessors to find the functions calling the sink.

Behavior without auto_load_libs:
The predecessor results have only minor differences, which is understandable.

Behavior with auto_load_libs:
The results differ significantly across angr versions.

Assuming sink=system:

Version 9.2.44:

Outputs calls from both local functions and within library functions.

This is the ideal behavior.

Version 9.2.94:

Outputs only calls within library functions, but it can still trace back to the local functions.

So, it still works.

Version 9.2.173:

Only traces back to mips.stubs (PLT).

It's impossible to trace back any further from there.

Question:

How can I achieve the same results in the new version as I did in the previous ones?

import angr
binary_path = './httpd'
ld_path = './lib'


# project = angr.Project(binary_path, auto_load_libs=False)

project = angr.Project(binary_path,
                       auto_load_libs=True,
                       load_options={"ld_path":ld_path,"skip_libs":["libc.so.0"]})

cfg = project.analyses.CFGFast(
            normalize=True,
            data_references=True,
            show_progressbar=True
        )
# r_ = project.analyses.CompleteCallingConventions(recover_variables=True, analyze_callsites=True)
print(f"CFG: {len(cfg.graph.nodes())} nodes, {len(cfg.graph.edges())} edges")
sink_func = project.kb.functions.function(name='system')
sink_node = cfg.model.get_node(sink_func.addr)
fn_pred_sink_nodes = sink_node.predecessors
print(len(fn_pred_sink_nodes))
# print(sink_func.name)
import ipdb;
ipdb.set_trace()
pass

# 9.2.44
# ipdb> fn_pred_sink_nodes
# [<CFGNode _system+0x3c [24]>, <CFGNode do_restart_cgi+0x13c [28]>, <CFGNode return_internet_connect_type+0x120 [20]>, <CFGNode return_internet_connect_type+0x224 [20]>, <CFGNode rc_action+0x1a0 [16]>, <CFGNode get_5g_stalist+0x228 [20]>, <CFGNode get_5g_stalist+0xc0 [20]>, <CFGNode get_5g_stalist+0x72c [20]>, <CFGNode get_5g_stalist+0x7ac [20]>, <CFGNode get_5g_stalist+0x284 [20]>, <CFGNode get_stalist+0x738 [20]>, <CFGNode get_stalist+0x718 [20]>, <CFGNode send_pure_response+0xfc [20]>, <CFGNode display_ifconfig_info+0x644 [20]>, <CFGNode _system+0x3c [24]>, <CFGNode return_ipv6_client_list_table+0xcc [28]>, <CFGNode do_customer_00_cgi+0x88 [28]>, <CFGNode 0x45cea0[28]>, <CFGNode do_pure_action+0x15a8 [24]>, <CFGNode 0x410948[8]>, <CFGNode 0x410c84[28]>, <CFGNode 0x410d58[28]>, <CFGNode 0x411108[24]>, <CFGNode 0x4115b0[28]>, <CFGNode 0x4115e8[28]>, <CFGNode 0x411a78[8]>, <CFGNode 0x411f98[24]>, <CFGNode 0x411fb0[28]>, <CFGNode 0x4124d8[20]>, <CFGNode 0x4124ec[28]>, <CFGNode 0x412624[28]>, <CFGNode 0x412730[28]>, <CFGNode 0x4132ac[20]>, <CFGNode 0x41338c[20]>, <CFGNode 0x413488[20]>, <CFGNode 0x41349c[28]>, <CFGNode 0x413530[44]>, <CFGNode 0x413574[44]>, <CFGNode 0x413628[28]>, <CFGNode 0x413758[12]>, <CFGNode 0x413ee8[24]>, <CFGNode 0x413f2c[24]>, <CFGNode 0x414470[12]>, <CFGNode 0x41447c[28]>, <CFGNode 0x4144bc[28]>, <CFGNode 0x415058[20]>, <CFGNode 0x4155ac[20]>, <CFGNode 0x416260[28]>, <CFGNode 0x418050[28]>, <CFGNode 0x41824c[28]>, <CFGNode check_file_exist+0x80 [28]>, <CFGNode nvram_restore_default+0x194 [28]>, <CFGNode 0x411134[8]>]
# ipdb> len(fn_pred_sink_nodes)
# 53

# 9.2.94
# ipdb> sink_func = project.kb.functions.function(name='system')
# ipdb> sink_node=cfg.model.get_node(sink_func.addr)
# ipdb> sink_node.predecessors
# [<CFGNode _system+0x3c [24]>, <CFGNode _system+0x3c [24]>, <CFGNode check_file_exist+0x80 [28]>, <CFGNode nvram_restore_default+0x194 [28]>]
# ipdb> fn_pred_sink_node = sink_node.predecessors[0]
# ipdb> fn_pred_sink_node
# <CFGNode _system+0x3c [24]>
# ipdb> fn_pred_sink_node.predecessors
# [<CFGNode vsprintf [0]>]
# ipdb> temp_pred_sink_node = fn_pred_sink_node.predecessors[0]
# ipdb> temp_pred_sink_node.predecessors
# [<CFGNode _system [60]>, <CFGNode _system [60]>]
# ipdb> temp_pred_sink_node = temp_pred_sink_node.predecessors[0]
# ipdb>  temp_pred_sink_node.predecessors
# [<CFGNode display_collisions+0xa0 [28]>, <CFGNode read_current_wanphy_ipaddr+0x90 [24]>, <CFGNode display_wlan_frames+0x48 [28]>, <CFGNode read_current_ipaddr+0x118 [24]>, <CFGNode return_wireless_ap_scan_list+0x104 [8]>, <CFGNode set_sta_enrollee_pin+0xa4 [24]>, <CFGNode rc_action+0x1b0 [24]>, <CFGNode 0x427d2c[28]>, <CFGNode check_wlan_status_with_schedule+0x3c [32]>, <CFGNode send_log_by_smtp+0x3dc [32]>, <CFGNode send_log_by_smtp+0x1e0 [48]>, <CFGNode get_ifconfig_resetting_bytes+0x3ac [20]>, <CFGNode get_ifconfig_resetting_bytes+0x38c [20]>, <CFGNode get_ifconfig_resetting_bytes+0x2f4 [24]>, <CFGNode get_ifconfig_resetting_bytes+0x2bc [24]>, <CFGNode wan_statue+0x10c [24]>, <CFGNode get_ping6_app_test+0x54 [28]>, <CFGNode get_ping6_app_stat+0x6c [36]>, <CFGNode get_ping_app_display+0x58 [28]>, <CFGNode get_ping_app_stat+0x54 [28]>, <CFGNode get_stalist+0xb0 [28]>, <CFGNode get_if_macaddr+0x2a4 [20]>, <CFGNode get_if_macaddr+0x274 [28]>, <CFGNode display_ifconfig_info+0x140 [28]>, <CFGNode display_ifconfig_info+0x6a0 [24]>, <CFGNode display_ifconfig_info+0x598 [24]>, <CFGNode display_ifconfig_info+0x678 [28]>, <CFGNode display_ifconfig_info+0x5f4 [28]>, <CFGNode display_pkts+0xa0 [28]>, <CFGNode display_bytes+0x44 [28]>, <CFGNode update_log_table+0x8c [40]>, <CFGNode cmo_get_log+0x3f0 [28]>, <CFGNode cmo_get_log+0x498 [20]>, <CFGNode cmo_get_log+0x4dc [8]>, <CFGNode cmo_get_log+0x4e4 [28]>, <CFGNode return_online_firmware_check+0x78 [28]>, <CFGNode return_link_local_ip_l+0xa0 [28]>, <CFGNode return_link_local_ip_w+0xa0 [28]>, <CFGNode return_global_ip_l+0xa0 [28]>, <CFGNode return_ddns_status+0x3a0 [28]>, <CFGNode set_basic_api+0x424 [28]>, <CFGNode 0x45bf14[28]>, <CFGNode do_ajax_action+0x16b4 [20]>, <CFGNode do_ajax_action+0x18f8 [20]>, <CFGNode do_ajax_action+0x19cc [20]>, <CFGNode 0x411578[32]>, <CFGNode 0x411c3c[20]>, <CFGNode 0x412144[36]>, <CFGNode 0x411fe8[28]>, <CFGNode 0x41243c[20]>, <CFGNode 0x412580[28]>, <CFGNode 0x41280c[8]>, <CFGNode 0x4129e4[20]>, <CFGNode 0x412ab0[8]>, <CFGNode 0x412db4[28]>, <CFGNode 0x413850[16]>, <CFGNode 0x413840[8]>, <CFGNode 0x413c18[16]>, <CFGNode 0x4140a0[28]>, <CFGNode 0x41426c[24]>, <CFGNode 0x4165d8[8]>, <CFGNode 0x417f58[28]>, <CFGNode 0x418d58[32]>, <CFGNode 0x419530[28]>, <CFGNode 0x41995c[28]>, <CFGNode 0x419978[48]>, <CFGNode 0x4199f0[28]>, <CFGNode 0x419b84[36]>, <CFGNode 0x42ef78[52]>, <CFGNode cmd_nvram_get+0xd0 [28]>, <CFGNode cmd_nvram_get+0x150 [28]>, <CFGNode cmd_nvram_set [40]>, <CFGNode cmd_nvram_commit [32]>]
# ipdb> len(temp_pred_sink_node.predecessors)
# 73

# 9.2.173
# ipdb> sink_node = cfg.model.get_node(sink_func.addr)
# ipdb> sink_node.predecessors
# [<CFGNode 0x460c00[16]>]
# ipdb> fn_pred_sink_node = sink_node.predecessors[0]
# ipdb> fn_pred_sink_node
# <CFGNode 0x460c00[16]>
# ipdb> fn_pred_sink_node.predecessors
# []

test.zip

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-triageIssue has yet to be looked at by a maintainerquestionIssues that do not require code changes

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载