MeanDiff icon indicating copy to clipboard operation
MeanDiff copied to clipboard

Published 20 hours ago verified publisher icon SoftSec-KAIST

Invalid stack operation - `pop`

Open mfaerevaag opened this issue 6 years ago • 0 comments

Description

When execution pop esp the memory is accessed before incrementing the stack pointer. According to the Intel manual, "The POP ESP instruction increments the stack pointer (ESP) before data at the old top of stack is written into the destination."

Reference: Ref. Intel 64 and IA-32 Architecture Software Developer's Manual Vol. 2B 4-384

Affected instructions:

0x5c    # pop

Reproduction guide

Instruction:

00000000  5C                pop esp

Input:

binsec disasm -decode 5c

Observed output:

        ⎧ 0: esp := @[esp₍₃₂₎]₄
pop esp ⎨ 1: esp := (esp₍₃₂₎ + 4₍₃₂₎)
        ⎩ 2: goto ({0x00000001; 32}, 0)

Expected output:

pop esp ⎧ 0: esp := @[esp₍₃₂₎]₄
        ⎩ 1: goto ({0x00000001; 32}, 0)

System Info

OS:

# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"

BINSEC: 20170301 0.1

mfaerevaag avatar Aug 23 '17 06:08 mfaerevaag