Feat/amd64 retf (#53)

* Added the simplest form of RETF without consideration for protected mode / segment privilege

* Changed comment from RET to RETF

* Missed sizeof(R_CS) = 16 bits returns Ijk_Ret now

Co-authored-by: Dan Pesce <dan@redballoonsecurity.com>

priv/guest_amd64_toIR.c

@@ -8964,6 +8964,23 @@ void dis_ret ( /*MOD*/DisResult* dres, const VexAbiInfo* vbi, ULong d64 )
    vassert(dres->whatNext == Dis_StopHere);
 }
 
+static
+void dis_retf ( /*MOD*/DisResult* dres, const VexAbiInfo* vbi, ULong d64 )
+{
+   IRTemp t1 = newTemp(Ity_I64);
+   IRTemp t2 = newTemp(Ity_I64);
+   IRTemp t3 = newTemp(Ity_I64);
+   IRTemp t4 = newTemp(Ity_I16);
+   assign(t1, getIReg64(R_RSP));
+   assign(t2, loadLE(Ity_I64,mkexpr(t1)));
+   assign(t4, loadLE(Ity_I16, binop(Iop_Add64, mkexpr(t1), mkU64(8+d64))));
+   assign(t3, binop(Iop_Add64, mkexpr(t1), mkU64(10+d64)));
+   putIReg64(R_RSP, mkexpr(t3));
+   putSReg(R_CS, mkexpr(t4));
+   make_redzone_AbiHint(vbi, t1, t2/*nia*/, "ret");
+   jmp_treg(dres, Ijk_Ret, t2);
+   vassert(dres->whatNext == Dis_StopHere);
+}
 
 /*------------------------------------------------------------*/
 /*--- SSE/SSE2/SSE3 helpers                                ---*/
@@ -21232,6 +21249,23 @@ Long dis_ESC_NONE (
       DIP("leave\n");
       return delta;
 
+   case 0xCA: /* RETF imm16 */
+      if (have66orF3(pfx)) goto decode_failure;
+      if (haveF2(pfx)) DIP("bnd ; "); /* MPX bnd prefix. */
+      d64 = getUDisp16(delta);
+      delta += 2;
+      dis_retf(dres, vbi, d64);
+      DIP("ret $%lld\n", d64);
+      return delta;
+
+   case 0xCB: /* RETF */
+      if (have66(pfx)) goto decode_failure;
+      /* F3 is acceptable on AMD. */
+      if (haveF2(pfx)) DIP("bnd ; "); /* MPX bnd prefix. */
+      dis_retf(dres, vbi, 0);
+      DIP(haveF3(pfx) ? "rep ; ret\n" : "ret\n");
+      return delta;
+
    case 0xCC: /* INT 3 */
       jmp_lit(dres, Ijk_SigTRAP, guest_RIP_bbstart + delta);
       vassert(dres->whatNext == Dis_StopHere);