No memory alignment - pshufb #8

mfaerevaag opened this issue Aug 22, 2017 · 0 comments
Description

Missing enforcement of memory alignment for pshufb with certain values of the source operand. The source operand must be aligned to a 16-byte boundary when it is a 128-bit memory operand.

Reference: Intel 64 and IA-32 Architectures Software Developer's Manual, Vol. 2B, 4-410

Affected instructions:

0x660f3800042542424242
0x660f38000425ffffffff
0x660f38000542424242
0x660f380005ffffffff
0x660f38000d42424242
0x660f38000dffffffff

Reproduction guide

Instruction:

00000000  660F380004254242  pshufb xmm0,[0x42424242] -4242

Input:

bap-mc "660f3800042542424242" --show-bil --arch=X86

Observed output:

  YMM0 := (extract: 255:128[YMM0]).((((((((((((((((if extract: 127:127[mem32[0x42424242:32, el]:u128]
                                                     then 0x0:8
                                                     else low:8[(low:128[YMM0]) >> ((pad:128[extract: 123:120[mem32[0x42424242:32, el]:u128]]) * 0x8:128)]).(
    if extract: 119:119[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 115:112[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 111:111[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 107:104[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 103:103[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 99:96[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 95:95[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 91:88[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 87:87[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 83:80[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 79:79[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 75:72[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 71:71[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 67:64[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 63:63[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 59:56[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 55:55[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 51:48[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 47:47[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 43:40[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 39:39[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 35:32[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 31:31[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 27:24[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 23:23[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 19:16[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 15:15[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 11:8[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
    if extract: 7:7[mem32[0x42424242:32, el]:u128] then 0x0:8
      else low:8[(low:128[YMM0]) >> ((pad:128[extract: 3:0[mem32[0x42424242:32, el]:u128]]) * 0x8:128)]))
}

Expected output:
Something like:

{
  YMM0 := (extract: 255:128[YMM0]).(pad:128[mem32[0x42424242:32, el]:u128])
  if ((0x42424242:32 & 0xF:32) = 0x0:32) {
    
  }
  else {
    cpuexn (13)
  }
}
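The guard in the expected output and the per-byte selection spelled out in the observed BIL, as an added Python model that is not part of BAP or of this issue: the 128-bit memory form of pshufb is checked for 16-byte alignment before the shuffle runs, and a misaligned address yields exception vector 13 (#GP), the cpuexn (13) above. The function and variable names are assumptions for illustration.

```python
# Added model of PSHUFB semantics plus the alignment check the issue reports as missing.
GP_FAULT = 13  # #GP vector, the "cpuexn (13)" in the expected BIL


class CpuException(Exception):
    def __init__(self, vector):
        super().__init__(f"cpuexn ({vector})")
        self.vector = vector


def check_alignment(addr, width_bytes):
    """Legacy-SSE 128-bit memory operands must be 16-byte aligned; the 64-bit
    (MMX) form carries no such requirement. Mirrors `(addr & 0xF) = 0` above."""
    if width_bytes == 16 and addr & 0xF:
        raise CpuException(GP_FAULT)


def fault_vector(addr, width_bytes=16):
    """Return the exception vector the alignment check raises, or None."""
    try:
        check_alignment(addr, width_bytes)
    except CpuException as exc:
        return exc.vector
    return None


def pshufb(dst, mask):
    """dst, mask: 16 bytes each, byte 0 least significant. For every mask byte,
    bit 7 set zeroes the result byte (the `if ... then 0x0:8` branch); otherwise
    the low nibble indexes dst (the `low:8[... >> (idx * 8)]` branch)."""
    assert len(dst) == 16 and len(mask) == 16
    return bytes(0 if m & 0x80 else dst[m & 0x0F] for m in mask)


def make_memory(base, data):
    """Constructed flat memory: read(addr, n) returns n bytes starting at addr."""
    def read(addr, n):
        off = addr - base
        return bytes(data[off:off + n])
    return read


def lift_pshufb_mem(xmm0, read_mem, addr):
    """Emulate `pshufb xmm0, [addr]`: alignment guard first, then the shuffle."""
    check_alignment(addr, 16)
    return pshufb(xmm0, read_mem(addr, 16))
```

With the addresses from the affected encodings, 0x42424242 and 0xffffffff both fail the guard, while 0x42424240 passes and the shuffle proceeds.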

System Info

OS:

# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"

BAP:

# bap-mc --version
1.0.0
# bap --version
1.2.0