capstone icon indicating copy to clipboard operation
capstone copied to clipboard
verified publisher icon capstone-engine

UB on PPC because `vargs` are not casted.

Open Rot127 opened this issue 1 year ago • 3 comments

Expected behavior

No UB on PPC.

Actual behavior

The generator does not cast the varg arguments before passing them to add_cs_detail(). And sometimes it passes non-64bit values but unpacks them as uint64_t. Which is UB for some compilers (PPC apparently). In general we should always cast to uint64_t values before passing them as vargs. The operand handler can cast them back.

Steps to reproduce the behavior

Compile Capstone for PPC.

Additional Logs, screenshots, source code, configuration dump, ...

Could be fixed by: https://github.com/capstone-engine/capstone/issues/2135

cc @thestr4ng3r

Rot127 avatar Aug 26 '24 07:08 Rot127

This is UB, not necessarily anything OOB. I am able to reproduce it on Mac OS X 10.5 on ppc. The safest solution would be to not use varargs at all, so the compiler can ensure that types are correct.

thestr4ng3r avatar Aug 26 '24 15:08 thestr4ng3r

Ah, yes. I should think while writing. Added the relevant issue as well.

Rot127 avatar Aug 26 '24 16:08 Rot127

Reproducer:

xserve1:capstone florian$ uname -pv
Darwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC powerpc
xserve1:capstone florian$ cstool -d aarch64 204862f8
Assertion failed: (0 && "Extender not handled\n"), function AArch64_set_detail_shift_ext, file /Users/florian/dev/capstone/arch/AArch64/AArch64Mapping.c, line 2703.
Abort trap

thestr4ng3r avatar Oct 02 '24 17:10 thestr4ng3r