I'm investigating on a CVE concerning a well known library that
is part of our dependency tree at $dayjob.
Anything calling the vulnerable function is to be considered
vulnerable, so I wanted to obtain a call graph of the function.
An IDE would probably be able to figure that out for me, but I
don't use one. On the other hand I'm learning Radare2 these
days, so why not using it?
Visualize global call graph: agC
ag supports a number of graph visualization options.
graphviz dot visualized from within r2:
[...]> agCd | xdot -
same but from shell:
$ r2 -Aqc agCd ./package/usr/lib/lib....so | xdot -
Visualize xref graph: agx @ addr
The displayed xrefs are addresses because r2 will not list
the name of the calling function, but the address of the
calling site within functions.
This is not very useful for our needs, so the global call
graph mentioned above is more practical.
While figuring out the call graph from the source code might be
more natural, the binary analysis approach has the advantage of
taking in account the compile-time configuration.
This is effective In many software packages such as Busybox,
U-Boot, Linux (kernel) and mbedTLS many features can be disabled
in the build system.
