// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// disassembler_x86.cc: simple x86 disassembler.
//
// Provides single step disassembly of x86 bytecode and flags instructions
// that utilize known bad register values.
//
// Author: Cris Neckar
#include "processor/disassembler_x86.h"
#include <string.h>
#include <unistd.h>
namespace google_breakpad {
// Wraps |bytecode| for single-step disassembly.  The buffer is borrowed, not
// copied: the caller must keep it alive for the lifetime of this object.
// |size| is the number of bytes in |bytecode| and |virtual_address| is the
// address the first byte is assumed to live at (used for branch targets).
// No instruction is decoded until NextInstruction() is called, and no
// register is tracked as bad until setBadRead()/setBadWrite() is called.
DisassemblerX86::DisassemblerX86(const uint8_t *bytecode,
                                 uint32_t size,
                                 uint32_t virtual_address)
    : bytecode_(bytecode),
      size_(size),
      virtual_address_(virtual_address),
      current_byte_offset_(0),
      current_inst_offset_(0),
      instr_valid_(false),
      register_valid_(false),
      pushed_bad_value_(false),
      end_of_block_(false),
      flags_(0) {
  // libdis keeps global state; it is torn down again in the destructor with
  // x86_cleanup().  No reporter callback is installed.
  libdis::x86_init(libdis::opt_none, nullptr, nullptr);
}
// Releases the operand list of the last successfully decoded instruction, if
// one is still held, and then tears down the libdis state set up by the
// constructor.  The bytecode buffer itself is not owned and is left alone.
DisassemblerX86::~DisassemblerX86() {
  if (instr_valid_) {
    libdis::x86_oplist_free(&current_instr_);
  }
  libdis::x86_cleanup();
}
namespace {

// True when |op| is a memory operand whose base register is |reg|.  Only the
// base register is inspected here; an index register equal to |reg| does not
// count (the push check below is the one place the index is looked at).
bool DerefsRegister(const libdis::x86_op_t *op, const libdis::x86_reg_t &reg) {
  return op && op->type == libdis::op_expression &&
         op->data.expression.base.id == reg.id;
}

// True when |op| is a plain register operand naming |reg|.
bool NamesRegister(const libdis::x86_op_t *op, const libdis::x86_reg_t &reg) {
  return op && op->type == libdis::op_register && op->data.reg.id == reg.id;
}

}  // namespace

// Decodes the instruction at the current byte offset and advances past it.
//
// Returns the size in bytes of the decoded instruction, or 0 when the end of
// the buffer has been reached, libdis could not decode the bytes, or the
// decoded instruction is reported as invalid.  After a 0 return instr_valid_
// is false, so setBadRead()/setBadWrite() will refuse to mark a register.
//
// Once a register has been marked bad (register_valid_), each decoded
// instruction is checked against it and the matching DISX86_* bits are OR'd
// into flags_; nothing ever clears flags_ here.  The bad register is then
// followed through pushes (pushed_bad_value_), through instructions that
// overwrite it (register_valid_ is cleared) and through xchg (bad_register_
// moves to the other register).  A return instruction sets end_of_block_.
//
// NOTE(review): when x86_insn_is_valid() reports the decoded instruction as
// invalid, instr_valid_ stays false, so the operand list libdis attached to
// current_instr_ during x86_disasm() is not passed to x86_oplist_free() on
// the next call or in the destructor — confirm against libdis whether that
// leaks.
uint32_t DisassemblerX86::NextInstruction() {
  // Drop the operands of the previously decoded instruction, if any.
  if (instr_valid_)
    libdis::x86_oplist_free(&current_instr_);

  if (current_byte_offset_ >= size_) {
    instr_valid_ = false;
    return 0;
  }

  // libdis takes a non-const buffer even though it only reads from it; the
  // whole buffer plus the current offset is passed, so libdis is bounded by
  // size_ rather than by this code.
  const uint32_t instr_size = libdis::x86_disasm(
      (unsigned char *)bytecode_, size_, virtual_address_,
      current_byte_offset_, &current_instr_);
  if (instr_size == 0) {
    instr_valid_ = false;
    return 0;
  }

  current_byte_offset_ += instr_size;
  ++current_inst_offset_;

  instr_valid_ = libdis::x86_insn_is_valid(&current_instr_);
  if (!instr_valid_)
    return 0;

  if (current_instr_.type == libdis::insn_return)
    end_of_block_ = true;

  libdis::x86_op_t *src = libdis::x86_get_src_operand(&current_instr_);
  libdis::x86_op_t *dest = libdis::x86_get_dest_operand(&current_instr_);

  // Phase 1: flag uses of the bad register by this instruction.
  if (register_valid_) {
    const bool is_call = current_instr_.type == libdis::insn_call ||
                         current_instr_.type == libdis::insn_callcc;
    const bool is_branch = is_call ||
                           current_instr_.type == libdis::insn_jmp ||
                           current_instr_.type == libdis::insn_jcc;
    const bool bad_dest_deref = DerefsRegister(dest, bad_register_);
    const bool bad_src_deref = DerefsRegister(src, bad_register_);

    if (current_instr_.group == libdis::insn_controlflow) {
      // Branches and calls: a target computed from the bad register, or a
      // call made after a bad value was pushed, is flagged.  Only jmp/jcc/
      // call/callcc are considered; other control flow is ignored.
      if (is_branch && dest) {
        if (dest->type == libdis::op_expression ||
            dest->type == libdis::op_register) {
          if (bad_dest_deref || NamesRegister(dest, bad_register_))
            flags_ |= DISX86_BAD_BRANCH_TARGET;
        } else if (pushed_bad_value_ && is_call) {
          flags_ |= DISX86_BAD_ARGUMENT_PASSED;
        }
      }
    } else if (current_instr_.group == libdis::insn_string) {
      // Block data operations addressed through the bad register.
      if (bad_dest_deref)
        flags_ |= DISX86_BAD_BLOCK_WRITE;
      if (bad_src_deref)
        flags_ |= DISX86_BAD_BLOCK_READ;
    } else if (current_instr_.group == libdis::insn_comparison) {
      // Comparisons on the bad register itself or on memory it addresses.
      if (bad_dest_deref || bad_src_deref ||
          NamesRegister(dest, bad_register_) ||
          NamesRegister(src, bad_register_))
        flags_ |= DISX86_BAD_COMPARISON;
    } else {
      // Any other instruction that dereferences the bad register.
      if (bad_dest_deref)
        flags_ |= DISX86_BAD_WRITE;
      if (bad_src_deref)
        flags_ |= DISX86_BAD_READ;
    }
  }

  // Phase 2: remember when the bad value, or an address built from it (base
  // or index), is pushed so that a later call can be flagged.
  // TODO(cdn): may also want to check for MOVs into EBP offsets.
  if (register_valid_ && dest && current_instr_.type == libdis::insn_push) {
    if (dest->type == libdis::op_expression) {
      if (dest->data.expression.base.id == bad_register_.id ||
          dest->data.expression.index.id == bad_register_.id)
        pushed_bad_value_ = true;
    } else if (NamesRegister(dest, bad_register_)) {
      pushed_bad_value_ = true;
    }
  }

  // Phase 3: stop tracking once the bad register is overwritten.  Conditional
  // moves and exchanges are assumed to take effect.
  if (register_valid_) {
    if (current_instr_.type == libdis::insn_popregs) {
      register_valid_ = false;
    } else if (current_instr_.type == libdis::insn_xor) {
      // xor of the bad register with itself.
      if (NamesRegister(src, bad_register_) &&
          NamesRegister(dest, bad_register_))
        register_valid_ = false;
    } else if (current_instr_.type == libdis::insn_pop ||
               current_instr_.type == libdis::insn_mov ||
               current_instr_.type == libdis::insn_movcc) {
      if (NamesRegister(dest, bad_register_))
        register_valid_ = false;
    } else if (current_instr_.type == libdis::insn_xchg ||
               current_instr_.type == libdis::insn_xchgcc) {
      // Register-register exchange: the bad value now lives in the other
      // register of the pair.
      if (dest && dest->type == libdis::op_register &&
          src && src->type == libdis::op_register) {
        if (dest->data.reg.id == bad_register_.id)
          bad_register_ = src->data.reg;
        else if (src->data.reg.id == bad_register_.id)
          bad_register_ = dest->data.reg;
      }
    }
  }

  return instr_size;
}
// Marks the base register of the current instruction's source memory operand
// as bad, so that subsequent NextInstruction() calls flag uses of it.
//
// Returns false, leaving the tracked register untouched, when no instruction
// is currently decoded or the source operand is not a memory expression.
// Only the base register of the expression is recorded; an index register is
// not tracked.
bool DisassemblerX86::setBadRead() {
  if (!instr_valid_)
    return false;

  const libdis::x86_op_t *src = libdis::x86_get_src_operand(&current_instr_);
  if (!src || src->type != libdis::op_expression)
    return false;

  bad_register_ = src->data.expression.base;
  register_valid_ = true;
  return true;
}
// Marks the base register of the current instruction's destination memory
// operand as bad, so that subsequent NextInstruction() calls flag uses of it.
// Mirrors setBadRead() but looks at the destination operand.
//
// Returns false, leaving the tracked register untouched, when no instruction
// is currently decoded or the destination operand is not a memory expression.
// Only the base register of the expression is recorded; an index register is
// not tracked.
bool DisassemblerX86::setBadWrite() {
  if (!instr_valid_)
    return false;

  const libdis::x86_op_t *dest = libdis::x86_get_dest_operand(&current_instr_);
  if (!dest || dest->type != libdis::op_expression)
    return false;

  bad_register_ = dest->data.expression.base;
  register_valid_ = true;
  return true;
}
} // namespace google_breakpad