make sure all blocks are valid after the execution

angrop/gadget_finder/gadget_analyzer.py

@@ -64,7 +64,7 @@ def analyze_gadget(self, addr):
 
             init_state, final_state = self._reach_unconstrained_or_syscall(addr)
 
-            if self._change_arch_state(init_state, final_state):
+            if not self._valid_state(init_state, final_state):
                 return None
 
             ctrl_type = self._check_for_control_type(init_state, final_state)
@@ -101,6 +101,15 @@ def analyze_gadget(self, addr):
         l.debug("... Appending gadget!")
         return gadget
 
+    def _valid_state(self, init_state, final_state):
+        if self._change_arch_state(init_state, final_state):
+            return False
+        for addr in final_state.history.bbl_addrs:
+            b = final_state.project.factory.block(addr)
+            if not self.arch.block_make_sense(b):
+                return False
+        return True
+
     def _change_arch_state(self, init_state, final_state):
         if isinstance(self.arch, X86):
             for reg in self.arch.segment_regs:

tests/test_find_gadgets.py

@@ -153,6 +153,30 @@ def test_shift_gadget():
     assert all(not gadget_exists(rop, x) for x in [0x438a91, 0x516fb2])
     assert all(gadget_exists(rop, x) for x in [0x454e75, 0x5622d5, 0x490058])
 
+def test_i386_syscall():
+    proj = angr.Project(os.path.join(tests_dir, "i386", "angrop_syscall_test"), auto_load_libs=False)
+
+    rop = proj.analyses.ROP()
+    """
+    804918c  int     0x80
+    """
+    """
+    8049195  mov     esp, 0x804c038
+    804919a  ret
+    """
+
+    assert all(gadget_exists(rop, x) for x in [0x804918c, 0x8049195])
+
+    """
+    8049189  syscall
+    """
+
+    """
+    804918f  mov     esp, 0x804c020
+    8049194  ret
+    """
+    assert all(not gadget_exists(rop, x) for x in [0x8049189, 0x804918f])
+
 def run_all():
     functions = globals()
     all_functions = {x:y for x, y in functions.items() if x.startswith('test_')}