BPF bytecode is not disassembled completely

[vobst]

Context:
I use capstone to disassemble BPF bytecode extracted from kernel crash dumps.

Problem:
For some BPF programs, Capstone does not disassemble the complete bytecode. objdump and bpftool are able to display the correct disassembly for the same files.

Reproducer:
I attached two BPF programs and a script to disassemble them. The netns one should have about 120 instructions, the other about 40. Compare for example to objdump -m bpf -b binary -D prog_structops.bin.
poc.zip

Tested capstone version:

• current master, i.e., pip3 "https://github.com/aquynh/capstone/archive/next.zip#egg=capstone&subdirectory=bindings/python"
• 5.0.1

[Rot127]

Just like many other archs, BPF is very much outdated.
We have a new update tool now which should make it easier. Though Capstone lacks maintainers and it would need someone to update BPF. Also see #2015

[vobst]

That's sad to hear. I don't think I currently have the resources to port the BPF arch to the new sync mechanism, sorry.