Fix eBPF lddw opcode

arch/BPF/BPFDisassembler.c

@@ -70,6 +70,8 @@ static bpf_internal* fetch_ebpf(cs_struct *ud, const uint8_t *code,
 		return NULL;
 
 	bpf->op = (uint16_t)code[0];
+	bpf->dst = code[1] & 0xf;
+	bpf->src = (code[1] & 0xf0) >> 4;
 
 	// eBPF has one 16-byte instruction: BPF_LD | BPF_DW | BPF_IMM,
 	// in this case imm is combined with the next block's imm.
@@ -82,8 +84,6 @@ static bpf_internal* fetch_ebpf(cs_struct *ud, const uint8_t *code,
 		bpf->insn_size = 16;
 	}
 	else {
-		bpf->dst = code[1] & 0xf;
-		bpf->src = (code[1] & 0xf0) >> 4;
 		bpf->offset = read_u16(ud, code + 2);
 		bpf->k = read_u32(ud, code + 4);
 	}
@@ -178,7 +178,7 @@ static bool decodeLoad(cs_struct *ud, MCInst *MI, bpf_internal *bpf)
 
 	/* eBPF mode */
 	/*
-	 * - IMM: lddw imm64
+	 * - IMM: lddw dst, imm64
 	 * - ABS: ld{w,h,b,dw} [k]
 	 * - IND: ld{w,h,b,dw} [src+k]
 	 * - MEM: ldx{w,h,b,dw} dst, [src+off]
@@ -188,6 +188,7 @@ static bool decodeLoad(cs_struct *ud, MCInst *MI, bpf_internal *bpf)
 		case BPF_MODE_IMM:
 			if (bpf->op != (BPF_CLASS_LD | BPF_SIZE_DW | BPF_MODE_IMM))
 				return false;
+			CHECK_WRITABLE_AND_PUSH(ud, MI, bpf->dst);
 			MCOperand_CreateImm0(MI, bpf->k);
 			return true;
 		case BPF_MODE_ABS:

arch/BPF/BPFInstPrinter.c

@@ -83,7 +83,12 @@ static void convert_operands(MCInst *MI, cs_bpf *bpf)
 	if (BPF_CLASS(opcode) == BPF_CLASS_LD || BPF_CLASS(opcode) == BPF_CLASS_LDX) {
 		switch (BPF_MODE(opcode)) {
 		case BPF_MODE_IMM:
-			push_op_imm(bpf, MCOperand_getImm(MCInst_getOperand(MI, 0)));
+			if (EBPF_MODE(MI->csh)) {
+				push_op_reg(bpf, MCOperand_getReg(MCInst_getOperand(MI, 0)), CS_AC_WRITE);
+				push_op_imm(bpf, MCOperand_getImm(MCInst_getOperand(MI, 1)));
+			} else {
+				push_op_imm(bpf, MCOperand_getImm(MCInst_getOperand(MI, 0)));
+			}
 			break;
 		case BPF_MODE_ABS:
 			op = MCInst_getOperand(MI, 0);

arch/BPF/BPFMapping.c

@@ -292,7 +292,7 @@ static void update_regs_access(cs_struct *ud, cs_detail *detail,
 	} while (0)
 	/*
 	 * In eBPF mode, only these instructions have implicit registers access:
-	 * - ld{w,h,b,dw} * // w: r0
+	 * - legacy ld{w,h,b,dw} * // w: r0
 	 * - exit // r: r0
 	 */
 	if (EBPF_MODE(ud)) {
@@ -303,7 +303,9 @@ static void update_regs_access(cs_struct *ud, cs_detail *detail,
 		case BPF_INS_LDH:
 		case BPF_INS_LDB:
 		case BPF_INS_LDDW:
-			PUSH_WRITE(BPF_REG_R0);
+			if (BPF_MODE(opcode) == BPF_MODE_ABS || BPF_MODE(opcode) == BPF_MODE_IND) {
+				PUSH_WRITE(BPF_REG_R0);
+			}
 			break;
 		case BPF_INS_EXIT:
 			PUSH_READ(BPF_REG_R0);

suite/MC/BPF/extended-all.cs

@@ -7,7 +7,7 @@
 0x14,0xd9,0xba,0xb8,0x6f,0x07,0x93,0x2a = sub r9, 0x2a93076f
 0x15,0x6a,0x9f,0x38,0x1a,0x9d,0xb7,0x4d = jeq r10, 0x4db79d1a, +0x389f
 0x17,0xc5,0x60,0xed,0x0b,0xdc,0xe6,0x22 = sub64 r5, 0x22e6dc0b
-0x18,0xa3,0x5c,0x14,0xde,0xf0,0xa5,0xff,0x9a,0x7e,0x10,0xee,0xd8,0xa4,0x2b,0x2f = lddw 0x2f2ba4d8ffa5f0de
+0x18,0xa3,0x5c,0x14,0xde,0xf0,0xa5,0xff,0x9a,0x7e,0x10,0xee,0xd8,0xa4,0x2b,0x2f = lddw r3, 0x2f2ba4d8ffa5f0de
 0x1c,0x73,0x68,0xa4,0x8b,0x5b,0x93,0x1f = sub r3, r7
 0x1d,0x21,0x20,0x4d,0xe3,0x47,0xaf,0x1b = jeq r1, r2, +0x4d20
 0x1f,0x06,0x51,0x5a,0x39,0xb2,0x10,0x10 = sub64 r6, r0

suite/MC/BPF/extended-be.cs

@@ -2,7 +2,7 @@
 0x30,0x00,0x00,0x00,0x00,0x00,0x00,0x00 = ldb [0x0]
 0x28,0x00,0x00,0x00,0xfa,0x00,0x00,0xff = ldh [0xfa0000ff]
 0x40,0x10,0x00,0x00,0xcc,0x00,0x00,0x00 = ldw [r1+0xcc000000]
-0x18,0x00,0x00,0x00,0x0c,0xb0,0xce,0xfa,0x00,0x00,0x00,0x00,0xef,0xbe,0xad,0xde = lddw 0xefbeadde0cb0cefa
+0x18,0x00,0x00,0x00,0x0c,0xb0,0xce,0xfa,0x00,0x00,0x00,0x00,0xef,0xbe,0xad,0xde = lddw r0, 0xefbeadde0cb0cefa
 0x71,0x13,0x11,0x00,0x00,0x00,0x00,0x00 = ldxb r3, [r1+0x1100]
 0x94,0x09,0x00,0x00,0x37,0x13,0x03,0x00 = mod r9, 0x37130300
 0x84,0x03,0x00,0x00,0x00,0x00,0x00,0x00 = neg r3