Operand address changed - xchg, xadd, cmpsb, cmpsd #15

Open
mfaerevaag opened this issue Aug 23, 2017 · 0 comments
Comments

@mfaerevaag (Collaborator)

Description

The address of the destination operand is changed before being written to. In some cases this is direct and obvious; in other cases the calculation of EFLAGS uses an address that has already been changed, where the old value should have been used.

Reference:
Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2C 5-585
Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2C 5-580
Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2A 3-169

Affected instructions:

0x8600     # xchg
0x0fc000   # xadd
0x0fc100
0xa6       # cmpsb
0xa7       # cmpsd

Reproduction guide

Instruction:

00000000  8600              xchg al,[eax]

Input:

binsec disasm -decode 8600

Observed output:

      ⎧ 0: temp8 := eax₍₃₂₎{0,7}
      ⎪ 1: eax{0, 7} := @[eax₍₃₂₎]₁
xchg8 ⎨ 2: @[eax₍₃₂₎]₁ := temp8₍₈₎
      ⎩ 3: goto ({0x00000002; 32}, 0)

Expected output:
Do not manipulate the destination address before writing.

System Info

OS:

# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"

BINSEC: 20170301 0.1

@soomin-kim soomin-kim changed the title Destination address changed - xchg, xadd, cmpsb, cmpsd Operand address changed - xchg, xadd, cmpsb, cmpsd Sep 13, 2017
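The ordering hazard reported above, as an added example that is not part of the issue or of BINSEC itself. It models a tiny 32-bit machine in Python and lifts `xchg al,[eax]` and `cmpsb` twice: once in the order of the observed DBA (register operand written before the memory write, or ESI/EDI advanced before the compare) and once with the effective addresses captured first. The register and memory layout, the values 0x1007, 0x42, 0x2000 and 0x3000, and DF=0 for `cmpsb` are constructed test inputs, not anything from the report.

```python
# Added example (not BINSEC code): models the operand-ordering hazard from
# the issue. Memory is a sparse byte-addressed dict; only the registers
# needed for the two instructions are modelled. Assumption: DF = 0.
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


@dataclass
class Machine:
    regs: dict = field(default_factory=lambda: {"eax": 0, "esi": 0, "edi": 0})
    mem: dict = field(default_factory=dict)  # addr -> byte
    zf: bool = False

    def load8(self, addr):
        return self.mem.get(addr & MASK32, 0)

    def store8(self, addr, val):
        self.mem[addr & MASK32] = val & 0xFF

    def get_al(self):
        return self.regs["eax"] & 0xFF

    def set_al(self, val):
        self.regs["eax"] = (self.regs["eax"] & ~0xFF) | (val & 0xFF)


def xchg_al_mem_eax_buggy(m):
    # Mirrors the observed DBA: eax{0,7} is written before @[eax] is, so the
    # final store uses the *new* EAX as its address.
    temp8 = m.get_al()
    m.set_al(m.load8(m.regs["eax"]))
    m.store8(m.regs["eax"], temp8)


def xchg_al_mem_eax_fixed(m):
    # Capture the effective address and both operand values before any write.
    addr = m.regs["eax"]
    temp8 = m.get_al()
    mem_val = m.load8(addr)
    m.set_al(mem_val)
    m.store8(addr, temp8)


def cmpsb_buggy(m):
    # Advances ESI/EDI first, then compares: flags come from the wrong bytes.
    m.regs["esi"] = (m.regs["esi"] + 1) & MASK32
    m.regs["edi"] = (m.regs["edi"] + 1) & MASK32
    m.zf = m.load8(m.regs["esi"]) == m.load8(m.regs["edi"])


def cmpsb_fixed(m):
    # Intel semantics: compare @[esi] with @[edi], then update ESI/EDI (DF=0).
    m.zf = m.load8(m.regs["esi"]) == m.load8(m.regs["edi"])
    m.regs["esi"] = (m.regs["esi"] + 1) & MASK32
    m.regs["edi"] = (m.regs["edi"] + 1) & MASK32


def run_xchg(lift):
    # Constructed input: EAX = 0x1007 (so AL = 0x07), byte 0x42 at 0x1007.
    m = Machine(regs={"eax": 0x1007, "esi": 0, "edi": 0}, mem={0x1007: 0x42})
    lift(m)
    return m.regs["eax"], dict(sorted(m.mem.items()))


def run_cmpsb(lift):
    # Constructed input: equal bytes at ESI/EDI, differing bytes one past them.
    m = Machine(
        regs={"eax": 0, "esi": 0x2000, "edi": 0x3000},
        mem={0x2000: 0x41, 0x3000: 0x41, 0x2001: 0x00, 0x3001: 0x01},
    )
    lift(m)
    return m.zf, m.regs["esi"], m.regs["edi"]


if __name__ == "__main__":
    for name, lift in [("xchg buggy", xchg_al_mem_eax_buggy),
                       ("xchg fixed", xchg_al_mem_eax_fixed)]:
        eax, mem = run_xchg(lift)
        print(f"{name}: eax=0x{eax:08x} mem={{" +
              ", ".join(f"0x{a:04x}: 0x{v:02x}" for a, v in mem.items()) + "}")
    for name, lift in [("cmpsb buggy", cmpsb_buggy), ("cmpsb fixed", cmpsb_fixed)]:
        print(f"{name}: zf={run_cmpsb(lift)[0]}")
```

With the buggy `xchg` order, the old AL (0x07) lands at 0x1042 instead of 0x1007, and the byte at 0x1007 is never overwritten; the register result is the same in both orders, which is why the bug is easy to miss when only registers are checked. For `cmpsb`, both orders leave ESI and EDI at the same final values, but only the fixed order sets ZF from the bytes the instruction actually compares.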