MeanDiff
No memory alignment - `pshufb`
Description
BAP's lifter does not enforce the memory-alignment requirement of the legacy (non-VEX) `pshufb` when its source operand is a 128-bit memory operand: the lifted BIL reads the shuffle mask from memory unconditionally. Per the Intel SDM, the 128-bit memory source of the SSSE3 encoding (66 0F 38 00 /r) must be aligned on a 16-byte boundary; otherwise the instruction raises a general-protection exception (#GP). The VEX-encoded form (`vpshufb`) carries no such requirement, and neither does the 64-bit MMX form (0F 38 00 /r without the 66 prefix), so the check belongs only to the 66-prefixed encoding with an m128 operand.
Reference: Intel 64 and IA-32 Architectures Software Developer's Manual, Vol. 2B, page 4-410 (PSHUFB).
Affected instructions (all use a mod=00 [disp32] operand; with --arch=X86, i.e. 32-bit mode, both the SIB form `04 25 disp32` and the plain `05 disp32` form address [disp32], and neither 0x42424242 nor 0xffffffff is 16-byte aligned, so every one of these should fault):
0x660f3800042542424242 pshufb xmm0,[0x42424242]
0x660f38000425ffffffff pshufb xmm0,[0xffffffff]
0x660f38000542424242 pshufb xmm0,[0x42424242]
0x660f380005ffffffff pshufb xmm0,[0xffffffff]
0x660f38000d42424242 pshufb xmm1,[0x42424242]
0x660f38000dffffffff pshufb xmm1,[0xffffffff]
Reproduction guide
Instruction:
00000000  660F380004254242  pshufb xmm0,[0x42424242]
         -4242
Input:
bap-mc "660f3800042542424242" --show-bil --arch=X86
Observed output:
{
YMM0 := (extract: 255:128[YMM0]).((((((((((((((((if extract: 127:127[mem32[0x42424242:32, el]:u128]
then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 123:120[mem32[0x42424242:32, el]:u128]]) * 0x8:128)]).(
if extract: 119:119[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 115:112[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 111:111[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 107:104[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 103:103[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 99:96[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 95:95[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 91:88[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 87:87[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 83:80[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 79:79[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 75:72[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 71:71[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 67:64[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 63:63[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 59:56[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 55:55[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 51:48[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 47:47[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 43:40[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 39:39[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 35:32[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 31:31[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 27:24[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 23:23[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 19:16[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 15:15[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 11:8[mem32[0x42424242:32, el]:u128]]) * 0x8:128)])).(
if extract: 7:7[mem32[0x42424242:32, el]:u128] then 0x0:8
else low:8[(low:128[YMM0]) >> ((pad:128[extract: 3:0[mem32[0x42424242:32, el]:u128]]) * 0x8:128)]))
}
Expected output: Something like the following. The shuffle expression itself stays as in the observed output; the point is that the 16-byte alignment check on the operand address comes first, so an unaligned operand raises #GP (vector 13) before YMM0 is written:
{
if ((0x42424242:32 & 0xF:32) = 0x0:32) {
YMM0 := (extract: 255:128[YMM0]).(<per-byte shuffle of low:128[YMM0] by mem32[0x42424242:32, el]:u128, exactly as in the observed output>)
}
else {
cpuexn (13)
}
}
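As an added reference model (not code from this report, from MeanDiff, or from BAP), the following Python decodes the six affected encodings to their operand addresses and implements the legacy `pshufb xmm, m128` semantics with the SDM's 16-byte alignment check, raising the equivalent of `cpuexn (13)` before the destination is touched. The encoding list, the memory dictionary and the mask values are constructed inputs; 32-bit mode (`--arch=X86`) is assumed, which is why the rm=101 form decodes as an absolute disp32 rather than RIP-relative.

```python
# Added reference model (not BAP's or MeanDiff's code): legacy PSHUFB xmm, m128
# with the SDM alignment check, run over the encodings listed in this report.
import struct

GP_VECTOR = 13  # general-protection fault; matches `cpuexn (13)` in the expected BIL

# Constructed list of the report's affected encodings (hex, without the 0x prefix).
AFFECTED = [
    "660f3800042542424242",
    "660f38000425ffffffff",
    "660f38000542424242",
    "660f380005ffffffff",
    "660f38000d42424242",
    "660f38000dffffffff",
]


class CpuException(Exception):
    """Stands in for BIL's cpuexn(n)."""

    def __init__(self, vector):
        super().__init__("cpuexn(%d)" % vector)
        self.vector = vector


def decode_pshufb_disp32(code):
    """Decode 66 0F 38 00 /r with a mod=00 [disp32] operand, as in 32-bit mode
    (bap-mc --arch=X86). Returns (destination xmm index, operand address).
    Handles only the SIB form (ModRM 04, SIB 25) and the plain rm=101 form,
    i.e. the shapes that appear in this report."""
    if code[:4] != b"\x66\x0f\x38\x00":
        raise ValueError("not a legacy 66 0F 38 00 PSHUFB encoding")
    modrm = code[4]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0:
        raise ValueError("only mod=00 forms are handled")
    pos = 5
    if rm == 4:  # a SIB byte follows
        sib = code[pos]
        pos += 1
        index, base = (sib >> 3) & 7, sib & 7
        if index != 4 or base != 5:
            raise ValueError("only the no-index, no-base [disp32] SIB form is handled")
    elif rm != 5:
        raise ValueError("register-indirect forms are not handled")
    if len(code) != pos + 4:
        raise ValueError("bad length for a disp32 form")
    (disp,) = struct.unpack_from("<I", code, pos)
    return reg, disp


def pshufb_m128(xmm, mem, addr):
    """Legacy PSHUFB xmm, m128 per the SDM: the 128-bit memory operand must be
    16-byte aligned, else #GP is raised before anything is read or written.
    Otherwise, for each byte i: mask bit 7 set -> 0, else the destination byte
    selected by mask & 0xF. `xmm` is the 16-byte destination value, `mem` a
    constructed dict mapping address -> byte (unmapped bytes read as 0)."""
    if addr & 0xF:
        raise CpuException(GP_VECTOR)
    mask = [mem.get(addr + i, 0) for i in range(16)]
    out = bytearray(16)
    for i, m in enumerate(mask):
        out[i] = 0 if m & 0x80 else xmm[m & 0x0F]
    return bytes(out)


def run_report_cases(xmm=bytes(range(16)), mem=None):
    """Run each affected encoding through the model; returns {hex: outcome},
    where outcome is "cpuexn(13)" or the hex of the shuffled register."""
    mem = {} if mem is None else mem
    results = {}
    for hexcode in AFFECTED:
        _reg, addr = decode_pshufb_disp32(bytes.fromhex(hexcode))
        try:
            results[hexcode] = pshufb_m128(xmm, mem, addr).hex()
        except CpuException as e:
            results[hexcode] = str(e)
    return results


if __name__ == "__main__":
    for k, v in run_report_cases().items():
        print(k, "->", v)
    # Aligned control case (constructed): a byte-reversing mask at 0x42424240.
    mem = {0x42424240 + i: 15 - i for i in range(16)}
    print("aligned:", pshufb_m128(bytes(range(16)), mem, 0x42424240).hex())
```

Running it shows all six listed encodings ending in `cpuexn(13)`, while the aligned control case at 0x42424240 performs the shuffle; a lifter that matched this model would emit the alignment test before the shuffle, which is exactly what the observed BIL above lacks.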
System Info
OS:
# uname -a
Linux ubuntu 4.10.0-28-generic #32-Ubuntu SMP Fri Jun 30 05:32:18 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=17.04
DISTRIB_CODENAME=zesty
DISTRIB_DESCRIPTION="Ubuntu 17.04"
BAP:
# bap-mc --version
1.0.0
# bap --version
1.2.0