[MachO] Fix relocations from chained fixups not respecting addends

bdash · bdash · commit 4bf13779d751 · 2026-02-27T19:17:53.000-08:00
The addends were correctly stored in the relocation info and displayed
as offsets in linear view, but the relocation handlers never applied
them. Reading from an address containing such a relocation would give an
incorrect value.
diff --git a/arch/arm64/arch_arm64.cpp b/arch/arm64/arch_arm64.cpp
@@ -2787,8 +2787,8 @@ class Arm64MachoRelocationHandler : public RelocationHandler
 		// printf("reloc->GetAddress(): 0x%llX\n", reloc->GetAddress());
 
 		if (info.nativeType == BINARYNINJA_MANUAL_RELOCATION)
-		{  // Magic number defined in MachOView.cpp for tagged pointers
-			*(uint64_t*)dest = info.target;
+		{  // Magic number defined in MachOView.cpp for chained fixups
+			*(uint64_t*)dest = info.target + info.addend;
 		}
 		else if (info.nativeType == ARM64_RELOC_PAGE21)
 		{
diff --git a/arch/armv7/arch_armv7.cpp b/arch/armv7/arch_armv7.cpp
@@ -2684,8 +2684,8 @@ class ArmMachORelocationHandler: public RelocationHandler
 	{
 		auto info = reloc->GetInfo();
 		if (info.nativeType == BINARYNINJA_MANUAL_RELOCATION)
-		{  // Magic number defined in MachOView.cpp for tagged pointers
-			*(uint32_t*)dest = (uint32_t)info.target;
+		{  // Magic number defined in MachOView.cpp for chained fixups
+			*(uint32_t*)dest = (uint32_t)(info.target + info.addend);
 		}
 
 		return true;
diff --git a/arch/x86/arch_x86.cpp b/arch/x86/arch_x86.cpp
@@ -4117,10 +4117,10 @@ class x86MachoRelocationHandler: public RelocationHandler
 		case (uint64_t)-1: // Magic number defined in MachOView.cpp
 			// We need to write a jump absolute `jmp target`
 			dest[0] = '\xe9';
-			((uint32_t*)&dest[1])[0] = target - (uint32_t)reloc->GetAddress() - 5;
+			((uint32_t*)&dest[1])[0] = target + (uint32_t)info.addend - (uint32_t)reloc->GetAddress() - 5;
 			break;
 		case (uint64_t)-2: // Magic number defined in MachOView.cpp
-			dest32[0] = target;
+			dest32[0] = target + (uint32_t)info.addend;
 			break;
 		case GENERIC_RELOC_VANILLA:
 			switch (info.size)
@@ -4307,7 +4307,7 @@ class x64MachoRelocationHandler: public RelocationHandler
 			dest64[0] = dest64[0] + info.next->target - target;
 			break;
 		case (uint64_t) -2:
-			dest64[0] = reloc->GetTarget();
+			dest64[0] = info.target + info.addend;
 			break;
 		}
 		return true;

Original file line number	Diff line number	Diff line change
`@@ -2787,8 +2787,8 @@ class Arm64MachoRelocationHandler : public RelocationHandler`
`2787`	`2787`	`// printf("reloc->GetAddress(): 0x%llX\n", reloc->GetAddress());`
`2788`	`2788`
`2789`	`2789`	`if (info.nativeType == BINARYNINJA_MANUAL_RELOCATION)`
`2790`		`- { // Magic number defined in MachOView.cpp for tagged pointers`
`2791`		`- (uint64_t)dest = info.target;`
	`2790`	`+ { // Magic number defined in MachOView.cpp for chained fixups`
	`2791`	`+ (uint64_t)dest = info.target + info.addend;`
`2792`	`2792`	`}`
`2793`	`2793`	`else if (info.nativeType == ARM64_RELOC_PAGE21)`
`2794`	`2794`	`{`
Original file line number	Diff line number	Diff line change
`@@ -2684,8 +2684,8 @@ class ArmMachORelocationHandler: public RelocationHandler`
`2684`	`2684`	`{`
`2685`	`2685`	`auto info = reloc->GetInfo();`
`2686`	`2686`	`if (info.nativeType == BINARYNINJA_MANUAL_RELOCATION)`
`2687`		`- { // Magic number defined in MachOView.cpp for tagged pointers`
`2688`		`- (uint32_t)dest = (uint32_t)info.target;`
	`2687`	`+ { // Magic number defined in MachOView.cpp for chained fixups`
	`2688`	`+ (uint32_t)dest = (uint32_t)(info.target + info.addend);`
`2689`	`2689`	`}`
`2690`	`2690`
`2691`	`2691`	`return true;`