// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
//     * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

// disassembler_x86.cc: simple x86 disassembler.
//
// Provides single step disassembly of x86 bytecode and flags instructions
// that utilize known bad register values.
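//
// Author: Cris Neckar

#include "processor/disassembler_x86.h"

#include <stdint.h>
#include <string.h>

namespace google_breakpad {

namespace {

// Returns true when |op| is a memory operand whose base register is |reg|,
// i.e. the instruction dereferences |reg|. A null |op| never matches.
// Note that only the base register is considered, not the index register.
bool DerefsRegister(const libdis::x86_op_t *op, const libdis::x86_reg_t &reg) {
  return op && op->type == libdis::op_expression &&
         op->data.expression.base.id == reg.id;
}

// Returns true when |op| is the register operand |reg| itself. A null |op|
// never matches.
bool IsRegister(const libdis::x86_op_t *op, const libdis::x86_reg_t &reg) {
  return op && op->type == libdis::op_register && op->data.reg.id == reg.id;
}

}  // namespace

// Wraps |bytecode| (|size| bytes, assumed loaded at |virtual_address|) for
// single-step disassembly. The buffer is borrowed, not copied, so it must
// outlive this object. Initializes libdisasm here; the destructor tears it
// down again, so the library state is shared with any other live instance.
DisassemblerX86::DisassemblerX86(const uint8_t *bytecode,
                                 uint32_t size,
                                 uint32_t virtual_address) :
    bytecode_(bytecode),
    size_(size),
    virtual_address_(virtual_address),
    current_byte_offset_(0),
    current_inst_offset_(0),
    instr_valid_(false),
    register_valid_(false),
    pushed_bad_value_(false),
    end_of_block_(false),
    flags_(0) {
  // bad_register_ is only read while register_valid_ is true, but zero it
  // anyway so the object never carries indeterminate bytes.
  memset(&bad_register_, 0, sizeof(bad_register_));
  libdis::x86_init(libdis::opt_none, NULL, NULL);
}

// Frees the operand list of the last successfully decoded instruction (if
// any) and shuts libdisasm down.
DisassemblerX86::~DisassemblerX86() {
  if (instr_valid_)
    libdis::x86_oplist_free(&current_instr_);

  libdis::x86_cleanup();
}

// Decodes the instruction at the current byte offset, advances past it and
// returns its length in bytes.
//
// Returns 0, with instr_valid_ cleared, when the buffer is exhausted, when
// libdisasm cannot decode anything at the current offset (the offset is then
// left unchanged), or when the decoded instruction is not valid (the offset
// has already been advanced past it in that case).
//
// While a bad register is being tracked (register_valid_), the decoded
// instruction is inspected and flags_ is updated:
//   - DISX86_BAD_BRANCH_TARGET: jmp/jcc/call/callcc whose target is the bad
//     register or memory addressed by it.
//   - DISX86_BAD_ARGUMENT_PASSED: a direct call after a bad value was pushed.
//   - DISX86_BAD_BLOCK_READ/WRITE: string instruction reading/writing through
//     the bad register.
//   - DISX86_BAD_COMPARISON: comparison involving the bad register directly
//     or through memory.
//   - DISX86_BAD_READ/WRITE: any other instruction dereferencing it.
// Afterwards the tracked register is retired when it is overwritten (xor
// reg,reg; pop/mov/movcc into it; popregs) or re-targeted when an xchg moves
// the value to another register. Taint is not otherwise propagated: a mov or
// arithmetic that copies the bad value into a second register is not
// followed, so the absence of a flag is not evidence that the code is safe.
uint32_t DisassemblerX86::NextInstruction() {
  if (instr_valid_)
    libdis::x86_oplist_free(&current_instr_);

  if (current_byte_offset_ >= size_) {
    instr_valid_ = false;
    return 0;
  }

  // x86_disasm takes a non-const buffer; the cast only drops const from
  // bytecode_ (presumed read-only by the decoder -- TODO confirm against
  // libdisasm).
  uint32_t instr_size = libdis::x86_disasm(
      const_cast<unsigned char *>(bytecode_), size_, virtual_address_,
      current_byte_offset_, &current_instr_);
  if (instr_size == 0) {
    instr_valid_ = false;
    return 0;
  }

  current_byte_offset_ += instr_size;
  current_inst_offset_++;
  instr_valid_ = libdis::x86_insn_is_valid(&current_instr_);
  if (!instr_valid_)
    return 0;

  if (current_instr_.type == libdis::insn_return)
    end_of_block_ = true;

  libdis::x86_op_t *src = libdis::x86_get_src_operand(&current_instr_);
  libdis::x86_op_t *dest = libdis::x86_get_dest_operand(&current_instr_);

  if (register_valid_) {
    switch (current_instr_.group) {
      // Flag branches based off of bad registers and calls that occur
      // after pushing bad values.
      case libdis::insn_controlflow:
        switch (current_instr_.type) {
          case libdis::insn_jmp:
          case libdis::insn_jcc:
          case libdis::insn_call:
          case libdis::insn_callcc:
            if (dest) {
              switch (dest->type) {
                case libdis::op_expression:
                case libdis::op_register:
                  // Target is the bad register or memory addressed by it.
                  if (DerefsRegister(dest, bad_register_) ||
                      IsRegister(dest, bad_register_))
                    flags_ |= DISX86_BAD_BRANCH_TARGET;
                  break;
                default:
                  // Direct target: a call still consumes what was pushed.
                  if (pushed_bad_value_ &&
                      (current_instr_.type == libdis::insn_call ||
                       current_instr_.type == libdis::insn_callcc))
                    flags_ |= DISX86_BAD_ARGUMENT_PASSED;
                  break;
              }
            }
            break;
          default:
            break;
        }
        break;

      // Flag block data operations that use bad registers for src or dest.
      case libdis::insn_string:
        if (DerefsRegister(dest, bad_register_))
          flags_ |= DISX86_BAD_BLOCK_WRITE;
        if (DerefsRegister(src, bad_register_))
          flags_ |= DISX86_BAD_BLOCK_READ;
        break;

      // Flag comparisons based on bad data.
      case libdis::insn_comparison:
        if (DerefsRegister(dest, bad_register_) ||
            DerefsRegister(src, bad_register_) ||
            IsRegister(dest, bad_register_) ||
            IsRegister(src, bad_register_))
          flags_ |= DISX86_BAD_COMPARISON;
        break;

      // Flag any other instruction which derefs a bad register for
      // src or dest.
      default:
        if (DerefsRegister(dest, bad_register_))
          flags_ |= DISX86_BAD_WRITE;
        if (DerefsRegister(src, bad_register_))
          flags_ |= DISX86_BAD_READ;
        break;
    }
  }

  // When a register is marked as tainted check if it is pushed. A memory
  // push counts when either its base or its index register is tainted.
  // TODO(cdn): may also want to check for MOVs into EBP offsets.
  if (register_valid_ && dest && current_instr_.type == libdis::insn_push) {
    const bool index_is_bad =
        dest->type == libdis::op_expression &&
        dest->data.expression.index.id == bad_register_.id;
    if (index_is_bad || DerefsRegister(dest, bad_register_) ||
        IsRegister(dest, bad_register_))
      pushed_bad_value_ = true;
  }

  // Check if a tainted register value is clobbered.
  // For conditional MOVs and XCHGs assume that there is a hit.
  if (register_valid_) {
    switch (current_instr_.type) {
      case libdis::insn_xor:
        // xor reg, reg zeroes the register, which ends the taint.
        if (IsRegister(src, bad_register_) &&
            dest && dest->type == libdis::op_register &&
            dest->data.reg.id == src->data.reg.id)
          register_valid_ = false;
        break;
      case libdis::insn_pop:
      case libdis::insn_mov:
      case libdis::insn_movcc:
        if (IsRegister(dest, bad_register_))
          register_valid_ = false;
        break;
      case libdis::insn_popregs:
        register_valid_ = false;
        break;
      case libdis::insn_xchg:
      case libdis::insn_xchgcc:
        // The tainted value moves to the other register; keep following it.
        if (dest && dest->type == libdis::op_register &&
            src && src->type == libdis::op_register) {
          if (dest->data.reg.id == bad_register_.id)
            bad_register_ = src->data.reg;
          else if (src->data.reg.id == bad_register_.id)
            bad_register_ = dest->data.reg;
        }
        break;
      default:
        break;
    }
  }

  return instr_size;
}

// Starts tracking the base register of the current instruction's source
// memory operand as holding a bad value. Returns false, and tracks nothing,
// when there is no valid current instruction or the source operand is not a
// memory expression.
bool DisassemblerX86::setBadRead() {
  if (!instr_valid_)
    return false;

  const libdis::x86_op_t *operand =
      libdis::x86_get_src_operand(&current_instr_);
  if (!operand || operand->type != libdis::op_expression)
    return false;

  bad_register_ = operand->data.expression.base;
  register_valid_ = true;
  return true;
}

// Starts tracking the base register of the current instruction's destination
// memory operand as holding a bad value. Returns false, and tracks nothing,
// when there is no valid current instruction or the destination operand is
// not a memory expression.
bool DisassemblerX86::setBadWrite() {
  if (!instr_valid_)
    return false;

  const libdis::x86_op_t *operand =
      libdis::x86_get_dest_operand(&current_instr_);
  if (!operand || operand->type != libdis::op_expression)
    return false;

  bad_register_ = operand->data.expression.base;
  register_valid_ = true;
  return true;
}

}  // namespace google_breakpad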