angr/pyvex

Lifter fails on basic blocks containing rdsspq instruction

danmaam opened this issue · 6 comments

Good morning
I've encountered a strange bug while lifting some bytecode containing an rdsspq instruction. The resulting irsb is empty.
Script to reproduce the problem:
import pyvex, archinfo
bytecode = b'\xf3H\x0f\x1e\xc8H\x89GX1\xc0\xc3'
irsb = pyvex.lift(bytecode, 0x0, archinfo.ArchAMD64())

Actually, irsb is an IRSB <0x0 bytes, 0 ins., <Arch AMD64 (LE)>> at 0x0, and irsb.jumpkind is Ijk_NoDecode.

I am not convinced that that is actually a rdsspq. One of my disassemblers says it is invalid entirely, and another says it is several instructions starting with a repz nop rax.

capstone 5.0.0 disassembles it as rdsspq rax

import capstone
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
bytecode = b'\xf3H\x0f\x1e\xc8H\x89GX1\xc0\xc3'
for i in md.disasm(bytecode, 0x0):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))

output:

0x0:	rdsspq	rax
0x5:	mov	qword ptr [rdi + 0x58], rax
0x9:	xor	eax, eax
0xb:	ret
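The bytes in this thread are the CET shadow-stack instruction `rdsspq`, which shares its `0F 1E` opcode with the reserved "hint NOP" form, so a disassembler that ignores the `F3` prefix reports `repz nop` instead. The added example below (not code from the issue or from pyvex) decodes that opcode family directly and, when pyvex and archinfo happen to be installed, flags the symptom reported above: a zero-byte IRSB whose jumpkind is `Ijk_NoDecode`. The function names `decode_cet` and `lift_is_empty` are assumptions for this example.

```python
"""Added example (not from the issue): classify the CET instructions that share
the F3 0F 1E opcode, and flag pyvex lifts that return an empty Ijk_NoDecode block."""
from typing import Optional, Tuple

# Register names for ModRM.rm (plus 8 when REX.B is set); 32-bit forms derived below.
_REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
           "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Sample bytes from the issue: rdsspq rax; mov [rdi+0x58], rax; xor eax, eax; ret
SAMPLE = bytes.fromhex("f3480f1ec84889475831c0c3")


def decode_cet(code: bytes) -> Optional[Tuple[str, int]]:
    """Return (disassembly, length) if `code` starts with RDSSPD/RDSSPQ or
    ENDBR32/ENDBR64, else None. Encoding (Intel SDM):
      F3 [REX] 0F 1E /1 with mod == 11 -> RDSSPD (RDSSPQ when REX.W is set)
      F3 0F 1E FA -> ENDBR64, F3 0F 1E FB -> ENDBR32
    Without the F3 prefix, 0F 1E /r is a reserved NOP, which is why a
    disassembler that drops the prefix reports 'repz nop'."""
    if len(code) < 4 or code[0] != 0xF3:
        return None
    i, rex_w, rex_b = 1, False, False
    if 0x40 <= code[i] <= 0x4F:          # REX prefix: bit 3 = W, bit 0 = B
        rex_w, rex_b = bool(code[i] & 0x08), bool(code[i] & 0x01)
        i += 1
    if len(code) < i + 3 or code[i] != 0x0F or code[i + 1] != 0x1E:
        return None
    modrm, length = code[i + 2], i + 3
    if i == 1 and modrm == 0xFA:
        return ("endbr64", length)
    if i == 1 and modrm == 0xFB:
        return ("endbr32", length)
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 and reg == 1:            # /1 with register operand -> RDSSP
        name = _REGS64[rm + 8] if rex_b else _REGS64[rm]
        if not rex_w:                    # 32-bit form: eax..edi or r8d..r15d
            name = "e" + name[1:] if not rex_b else name + "d"
        return (("rdsspq " if rex_w else "rdsspd ") + name, length)
    return None


def lift_is_empty(code: bytes) -> Optional[bool]:
    """With pyvex installed, lift `code` as AMD64 and report whether the lifter
    gave up at the first instruction (0-byte IRSB, jumpkind Ijk_NoDecode), the
    symptom in this issue. Returns None if pyvex/archinfo are not importable."""
    try:
        import pyvex, archinfo
    except ImportError:
        return None
    irsb = pyvex.lift(code, 0, archinfo.ArchAMD64())
    return irsb.size == 0 and irsb.jumpkind == "Ijk_NoDecode"
```

A lift that returns `True` here means the installed VEX does not yet decode the instruction, so the block should be reported rather than silently analysed as empty.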

It looks like we have been failing to update the vex submodule to properly track the changes we've been making in vex. We've had support for rdsspq for a few months now, but the reference was out of date... Can you try pulling and rebuilding and seeing if it works for you now? This is what I'm getting:

[+] ~/proj/angr/pyvex% python -c 'import pyvex, archinfo; arch = archinfo.ArchAMD64(); pyvex.lift(bytes.fromhex("f3480f1ec84889475831c0c3"), 0, arch).pp()'  (angr-c) audrey@daisy [10:50:18 AM]
IRSB {
   t0:Ity_I64 t1:Ity_I32 t2:Ity_I32 t3:Ity_I32 t4:Ity_I64 t5:Ity_I64 t6:Ity_I64 t7:Ity_I64 t8:Ity_I64 t9:Ity_I64 t10:Ity_I64 t11:Ity_I32 t12:Ity_I64 t13:Ity_I32 t14:Ity_I64 t15:Ity_I64 t16:Ity_I64 t17:Ity_I64 t18:Ity_I64

   00 | ------ IMark(0x0, 5, 0) ------
   01 | PUT(rip) = 0x0000000000000005
   02 | ------ IMark(0x5, 4, 0) ------
   03 | t8 = GET:I64(rdi)
   04 | t7 = Add64(t8,0x0000000000000058)
   05 | t9 = GET:I64(rax)
   06 | STle(t7) = t9
   07 | ------ IMark(0x9, 2, 0) ------
   08 | PUT(cc_op) = 0x0000000000000013
   09 | PUT(cc_dep1) = 0x0000000000000000
   10 | PUT(cc_dep2) = 0x0000000000000000
   11 | PUT(rax) = 0x0000000000000000
   12 | PUT(rip) = 0x000000000000000b
   13 | ------ IMark(0xb, 1, 0) ------
   14 | t4 = GET:I64(rsp)
   15 | t5 = LDle:I64(t4)
   16 | t6 = Add64(t4,0x0000000000000008)
   17 | PUT(rsp) = t6
   18 | t17 = Sub64(t6,0x0000000000000080)
   19 | ====== AbiHint(0xt17, 128, t5) ======
   NEXT: PUT(rip) = t5; Ijk_Ret
}

I'm having some problems building from the master branch.
python setup.py install fails since it can't find archinfo-9.2.23.dev0, while editing setup.cfg to install archinfo-9.2.22 leads to

----> 1 import pyvex

File ~/.virtualenvs/pyvex_/lib/python3.10/site-packages/pyvex-9.2.23.dev0-py3.10.egg/pyvex/__init__.py:17
     15 from typing import Any
     16 import cffi
---> 17 from .vex_ffi import ffi_str as _ffi_str
     18 ffi = cffi.FFI()
     20 import logging

ModuleNotFoundError: No module named 'pyvex.vex_ffi'

importing pyvex

ah - if you're building from git, you need to have the entire angr suite from git. we have a repository to facilitate this: https://github.com/angr/angr-dev

there may also be some issues with the version of setuptools you're using? if there are additional problems let me know and I'll ping the appropriate person.

thank you, I've been able to build the fixed version, and now rdsspq is correctly lifted!