You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Context:
I use capstone to disassemble BPF bytecode extracted from kernel crash dumps.
Problem:
For some BPF programs, Capstone does not disassemble the complete bytecode. objdump and bpftool are able to display the correct disassembly for the same files.
Reproducer:
I attached two BPF programs and a script to disassemble them. The netns one should have about 120 instructions, the other about 40. Compare for example to objdump -m bpf -b binary -D prog_structops.bin. poc.zip
Tested capstone version:
current master, i.e., pip3 "https://github.com/aquynh/capstone/archive/next.zip#egg=capstone&subdirectory=bindings/python"
5.0.1
The text was updated successfully, but these errors were encountered:
Just like many other archs, BPF is very much outdated.
We have a new update tool now which should make it easier. Though Capstone lacks maintainers and it would need someone to update BPF. Also see #2015
Context:
I use capstone to disassemble BPF bytecode extracted from kernel crash dumps.
Problem:
For some BPF programs, Capstone does not disassemble the complete bytecode.
objdump
andbpftool
are able to display the correct disassembly for the same files.Reproducer:
I attached two BPF programs and a script to disassemble them. The netns one should have about 120 instructions, the other about 40. Compare for example to
objdump -m bpf -b binary -D prog_structops.bin
.poc.zip
Tested capstone version:
pip3 "https://github.com/aquynh/capstone/archive/next.zip#egg=capstone&subdirectory=bindings/python"
The text was updated successfully, but these errors were encountered: