/src/capstonenext/arch/BPF/BPFInstPrinter.c
Line | Count | Source |
1 | | /* Capstone Disassembly Engine */ |
2 | | /* BPF Backend by david942j <david942j@gmail.com>, 2019 */ |
3 | | /* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */ |
4 | | /* SPDX-License-Identifier: BSD-3 */ |
5 | | |
6 | | #include <capstone/platform.h> |
7 | | |
8 | | #include "BPFConstants.h" |
9 | | #include "BPFInstPrinter.h" |
10 | | #include "BPFMapping.h" |
11 | | #include "../../Mapping.h" |
12 | | |
13 | | static cs_bpf_op *expand_bpf_operands(cs_bpf *bpf) |
14 | 39.7k | { |
15 | 39.7k | assert(bpf->op_count < 3); |
16 | 39.7k | return &bpf->operands[bpf->op_count++]; |
17 | 39.7k | } |
18 | | |
19 | | static void push_op_reg(cs_bpf *bpf, bpf_op_type val, uint8_t ac_mode) |
20 | 13.8k | { |
21 | 13.8k | cs_bpf_op *op = expand_bpf_operands(bpf); |
22 | | |
23 | 13.8k | op->type = BPF_OP_REG; |
24 | 13.8k | op->reg = val; |
25 | 13.8k | op->access = ac_mode; |
26 | 13.8k | } |
27 | | |
28 | | static void push_op_imm(cs_bpf *bpf, uint64_t val, const bool is_signed) |
29 | 10.9k | { |
30 | 10.9k | cs_bpf_op *op = expand_bpf_operands(bpf); |
31 | | |
32 | 10.9k | op->type = BPF_OP_IMM; |
33 | 10.9k | op->imm = val; |
34 | 10.9k | op->is_signed = is_signed; |
35 | 10.9k | } |
36 | | |
37 | | static void push_op_off(cs_bpf *bpf, uint32_t val, const bool is_signed) |
38 | 7.39k | { |
39 | 7.39k | cs_bpf_op *op = expand_bpf_operands(bpf); |
40 | | |
41 | 7.39k | op->type = BPF_OP_OFF; |
42 | 7.39k | op->off = val; |
43 | 7.39k | op->is_signed = is_signed; |
44 | 7.39k | } |
45 | | |
46 | | static void push_op_mem(cs_bpf *bpf, bpf_reg reg, uint32_t val, |
47 | | const bool is_signed, const bool is_pkt) |
48 | 6.74k | { |
49 | 6.74k | cs_bpf_op *op = expand_bpf_operands(bpf); |
50 | | |
51 | 6.74k | op->type = BPF_OP_MEM; |
52 | 6.74k | op->mem.base = reg; |
53 | 6.74k | op->mem.disp = val; |
54 | 6.74k | op->is_signed = is_signed; |
55 | 6.74k | op->is_pkt = is_pkt; |
56 | 6.74k | } |
57 | | |
58 | | static void push_op_mmem(cs_bpf *bpf, uint32_t val) |
59 | 479 | { |
60 | 479 | cs_bpf_op *op = expand_bpf_operands(bpf); |
61 | | |
62 | 479 | op->type = BPF_OP_MMEM; |
63 | 479 | op->mmem = val; |
64 | 479 | } |
65 | | |
66 | | static void push_op_msh(cs_bpf *bpf, uint32_t val) |
67 | 82 | { |
68 | 82 | cs_bpf_op *op = expand_bpf_operands(bpf); |
69 | | |
70 | 82 | op->type = BPF_OP_MSH; |
71 | 82 | op->msh = val; |
72 | 82 | } |
73 | | |
74 | | static void push_op_ext(cs_bpf *bpf, bpf_ext_type val) |
75 | 278 | { |
76 | 278 | cs_bpf_op *op = expand_bpf_operands(bpf); |
77 | | |
78 | 278 | op->type = BPF_OP_EXT; |
79 | 278 | op->ext = val; |
80 | 278 | } |
81 | | |
82 | | static void convert_operands(MCInst *MI, cs_bpf *bpf) |
83 | 22.1k | { |
84 | 22.1k | unsigned opcode = MCInst_getOpcode(MI); |
85 | 22.1k | unsigned mc_op_count = MCInst_getNumOperands(MI); |
86 | 22.1k | MCOperand *op; |
87 | 22.1k | MCOperand *op2; |
88 | | |
89 | 22.1k | bpf->op_count = 0; |
90 | 22.1k | if (BPF_CLASS(opcode) == BPF_CLASS_LD || |
91 | 17.9k | BPF_CLASS(opcode) == BPF_CLASS_LDX) { |
92 | 6.70k | switch (BPF_MODE(opcode)) { |
93 | 778 | case BPF_MODE_IMM: |
94 | 778 | if (EBPF_MODE(MI->csh->mode)) { |
95 | 300 | push_op_reg(bpf, |
96 | 300 | MCOperand_getReg( |
97 | 300 | MCInst_getOperand(MI, 0)), |
98 | 300 | CS_AC_WRITE); |
99 | 300 | push_op_imm(bpf, |
100 | 300 | MCOperand_getImm( |
101 | 300 | MCInst_getOperand(MI, 1)), |
102 | 300 | false); |
103 | 478 | } else { |
104 | 478 | push_op_imm(bpf, |
105 | 478 | MCOperand_getImm( |
106 | 478 | MCInst_getOperand(MI, 0)), |
107 | 478 | false); |
108 | 478 | } |
109 | 778 | break; |
110 | 1.91k | case BPF_MODE_ABS: |
111 | 1.91k | op = MCInst_getOperand(MI, 0); |
112 | 1.91k | push_op_mem(bpf, BPF_REG_INVALID, |
113 | 1.91k | (uint32_t)MCOperand_getImm(op), |
114 | 1.91k | EBPF_MODE(MI->csh->mode), true); |
115 | 1.91k | break; |
116 | 1.40k | case BPF_MODE_IND: |
117 | 1.40k | op = MCInst_getOperand(MI, 0); |
118 | 1.40k | if (EBPF_MODE(MI->csh->mode)) |
119 | 756 | push_op_mem(bpf, MCOperand_getReg(op), 0x0, |
120 | 756 | true, true); |
121 | 648 | else { |
122 | 648 | op2 = MCInst_getOperand(MI, 1); |
123 | 648 | push_op_mem(bpf, MCOperand_getReg(op), |
124 | 648 | (uint32_t)MCOperand_getImm(op2), |
125 | 648 | false, true); |
126 | 648 | } |
127 | 1.40k | break; |
128 | 2.24k | case BPF_MODE_MEM: |
129 | 2.24k | if (EBPF_MODE(MI->csh->mode)) { |
130 | | /* ldx{w,h,b,dw} dst, [src+off] */ |
131 | 1.80k | push_op_reg(bpf, |
132 | 1.80k | MCOperand_getReg( |
133 | 1.80k | MCInst_getOperand(MI, 0)), |
134 | 1.80k | CS_AC_WRITE); |
135 | 1.80k | op = MCInst_getOperand(MI, 1); |
136 | 1.80k | op2 = MCInst_getOperand(MI, 2); |
137 | 1.80k | push_op_mem(bpf, MCOperand_getReg(op), |
138 | 1.80k | (uint32_t)MCOperand_getImm(op2), |
139 | 1.80k | true, false); |
140 | 1.80k | } else { |
141 | 442 | push_op_mmem(bpf, |
142 | 442 | (uint32_t)MCOperand_getImm( |
143 | 442 | MCInst_getOperand(MI, 0))); |
144 | 442 | } |
145 | 2.24k | break; |
146 | 278 | case BPF_MODE_LEN: |
147 | 278 | push_op_ext(bpf, BPF_EXT_LEN); |
148 | 278 | break; |
149 | 82 | case BPF_MODE_MSH: |
150 | 82 | op = MCInst_getOperand(MI, 0); |
151 | 82 | push_op_msh(bpf, (uint32_t)MCOperand_getImm(op)); |
152 | 82 | break; |
153 | | /* case BPF_MODE_XADD: // not exists */ |
154 | 6.70k | } |
155 | 6.70k | return; |
156 | 6.70k | } |
157 | 15.4k | if (BPF_CLASS(opcode) == BPF_CLASS_ST || |
158 | 14.6k | BPF_CLASS(opcode) == BPF_CLASS_STX) { |
159 | 1.65k | if (!EBPF_MODE(MI->csh->mode)) { |
160 | | // cBPF has only one case - st* M[k] |
161 | 37 | push_op_mmem(bpf, (uint32_t)MCOperand_getImm( |
162 | 37 | MCInst_getOperand(MI, 0))); |
163 | 37 | return; |
164 | 37 | } |
165 | | /* eBPF has two cases: |
166 | | * - st [dst + off], src |
167 | | * - xadd [dst + off], src |
168 | | * they have same form of operands. |
169 | | */ |
170 | 1.62k | op = MCInst_getOperand(MI, 0); |
171 | 1.62k | op2 = MCInst_getOperand(MI, 1); |
172 | 1.62k | push_op_mem(bpf, MCOperand_getReg(op), |
173 | 1.62k | (uint32_t)MCOperand_getImm(op2), true, false); |
174 | | |
175 | 1.62k | op = MCInst_getOperand(MI, 2); |
176 | 1.62k | if (MCOperand_isImm(op)) |
177 | 767 | push_op_imm(bpf, MCOperand_getImm(op), false); |
178 | 853 | else if (MCOperand_isReg(op)) |
179 | 853 | push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ); |
180 | 1.62k | return; |
181 | 1.65k | } |
182 | | |
183 | 13.8k | { |
184 | 13.8k | const bool is_jmp32 = EBPF_MODE(MI->csh->mode) && |
185 | 9.82k | (BPF_CLASS(opcode) == BPF_CLASS_JMP32); |
186 | 13.8k | if (BPF_CLASS(opcode) == BPF_CLASS_JMP || is_jmp32) { |
187 | 26.3k | for (size_t i = 0; i < mc_op_count; i++) { |
188 | 18.9k | op = MCInst_getOperand(MI, i); |
189 | 18.9k | if (MCOperand_isImm(op)) { |
190 | | /* Decide if we're using IMM or OFF here (and if OFF, then signed or unsigned): |
191 | | * |
192 | | * 1. any jump/jump32 + signed off (not including exit/call and ja on jump32) // eBPF |
193 | | * 2. exit/call/ja + k // eBPF |
194 | | * 3. ja + unsigned off // cBPF (cBPF programs can only jump forwards) |
195 | | * 4. any jump {x,k}, +jt, +jf // cBPF |
196 | | * */ |
197 | | |
198 | 13.2k | if ((BPF_OP(opcode) == BPF_JUMP_JA && |
199 | 678 | !is_jmp32) || |
200 | 12.7k | (!EBPF_MODE(MI->csh->mode) && |
201 | 2.22k | i >= 1) || |
202 | 10.8k | (EBPF_MODE(MI->csh->mode) && |
203 | 10.4k | i == 2)) |
204 | 7.39k | push_op_off( |
205 | 7.39k | bpf, |
206 | 7.39k | MCOperand_getImm(op), |
207 | 7.39k | EBPF_MODE( |
208 | 7.39k | MI->csh->mode)); |
209 | 5.88k | else |
210 | 5.88k | push_op_imm( |
211 | 5.88k | bpf, |
212 | 5.88k | MCOperand_getImm(op), |
213 | 5.88k | true); |
214 | 13.2k | } else if (MCOperand_isReg(op)) { |
215 | 5.69k | push_op_reg(bpf, MCOperand_getReg(op), |
216 | 5.69k | CS_AC_READ); |
217 | 5.69k | } |
218 | 18.9k | } |
219 | 7.42k | return; |
220 | 7.42k | } |
221 | 13.8k | } |
222 | | |
223 | 6.40k | if (!EBPF_MODE(MI->csh->mode)) { |
224 | | /* In cBPF mode, all registers in operands are accessed as read */ |
225 | 4.96k | for (size_t i = 0; i < mc_op_count; i++) { |
226 | 2.12k | op = MCInst_getOperand(MI, i); |
227 | 2.12k | if (MCOperand_isImm(op)) |
228 | 879 | push_op_imm(bpf, MCOperand_getImm(op), false); |
229 | 1.24k | else if (MCOperand_isReg(op)) |
230 | 1.24k | push_op_reg(bpf, MCOperand_getReg(op), |
231 | 1.24k | CS_AC_READ); |
232 | 2.12k | } |
233 | 2.84k | return; |
234 | 2.84k | } |
235 | | |
236 | | /* remain cases are: eBPF mode && ALU */ |
237 | | /* if (BPF_CLASS(opcode) == BPF_CLASS_ALU || BPF_CLASS(opcode) == BPF_CLASS_ALU64) */ |
238 | | |
239 | | /* We have three types: |
240 | | * 1. {l,b}e dst // dst = byteswap(dst) |
241 | | * 2. neg dst // dst = -dst |
242 | | * 3. <op> dst, {src_reg, imm} // dst = dst <op> src |
243 | | * so we can simply check the number of operands, |
244 | | * exactly one operand means we are in case 1. and 2., |
245 | | * otherwise in case 3. |
246 | | */ |
247 | 3.56k | if (mc_op_count == 1) { |
248 | 528 | op = MCInst_getOperand(MI, 0); |
249 | 528 | push_op_reg(bpf, MCOperand_getReg(op), |
250 | 528 | CS_AC_READ | CS_AC_WRITE); |
251 | 3.03k | } else { // if (mc_op_count == 2) |
252 | 3.03k | op = MCInst_getOperand(MI, 0); |
253 | 3.03k | push_op_reg(bpf, MCOperand_getReg(op), |
254 | 3.03k | CS_AC_READ | CS_AC_WRITE); |
255 | | |
256 | 3.03k | op = MCInst_getOperand(MI, 1); |
257 | 3.03k | if (MCOperand_isImm(op)) |
258 | 2.68k | push_op_imm(bpf, MCOperand_getImm(op), false); |
259 | 348 | else if (MCOperand_isReg(op)) |
260 | 348 | push_op_reg(bpf, MCOperand_getReg(op), CS_AC_READ); |
261 | 3.03k | } |
262 | 3.56k | } |
263 | | |
264 | | static void print_operand(MCInst *MI, struct SStream *O, const cs_bpf_op *op) |
265 | 39.7k | { |
266 | 39.7k | switch (op->type) { |
267 | 0 | case BPF_OP_INVALID: |
268 | 0 | SStream_concat(O, "invalid"); |
269 | 0 | break; |
270 | 13.8k | case BPF_OP_REG: |
271 | 13.8k | SStream_concat(O, BPF_reg_name((csh)MI->csh, op->reg)); |
272 | 13.8k | break; |
273 | 10.9k | case BPF_OP_IMM: |
274 | 10.9k | if (op->is_signed) |
275 | 5.88k | printInt32Hex(O, op->imm); |
276 | 5.10k | else |
277 | 5.10k | SStream_concat(O, "0x%" PRIx64, op->imm); |
278 | 10.9k | break; |
279 | 7.39k | case BPF_OP_OFF: |
280 | 7.39k | if (op->is_signed) |
281 | 5.30k | printInt16HexOffset(O, op->off); |
282 | 2.08k | else |
283 | 2.08k | SStream_concat(O, "+0x%" PRIx32, op->off); |
284 | 7.39k | break; |
285 | 6.74k | case BPF_OP_MEM: |
286 | 6.74k | SStream_concat(O, "["); |
287 | | |
288 | 6.74k | if (op->is_pkt && EBPF_MODE(MI->csh->mode)) { |
289 | 1.65k | SStream_concat(O, "skb"); |
290 | | |
291 | 1.65k | if (op->mem.base != BPF_REG_INVALID) |
292 | 756 | SStream_concat(O, "+%s", |
293 | 756 | BPF_reg_name((csh)MI->csh, |
294 | 756 | op->mem.base)); |
295 | 903 | else { |
296 | 903 | if (op->is_signed) |
297 | 903 | printInt32HexOffset(O, op->mem.disp); |
298 | 0 | else |
299 | 0 | SStream_concat(O, "+0x%" PRIx32, |
300 | 0 | op->mem.disp); |
301 | 903 | } |
302 | 5.08k | } else { |
303 | 5.08k | if (op->mem.base != BPF_REG_INVALID) |
304 | 4.07k | SStream_concat(O, BPF_reg_name((csh)MI->csh, |
305 | 4.07k | op->mem.base)); |
306 | 5.08k | if (op->mem.disp != 0) { |
307 | 4.92k | if (op->mem.base != BPF_REG_INVALID) { |
308 | | // if operation is signed, then it always uses off, not k |
309 | 4.00k | if (op->is_signed) |
310 | 3.35k | printInt16HexOffset( |
311 | 3.35k | O, op->mem.disp); |
312 | 647 | else if (op->is_pkt) |
313 | 647 | SStream_concat(O, "+0x%" PRIx32, |
314 | 647 | op->mem.disp); |
315 | 0 | else |
316 | 0 | SStream_concat(O, "+0x%" PRIx16, |
317 | 0 | op->mem.disp); |
318 | 4.00k | } else |
319 | 918 | SStream_concat(O, "0x%" PRIx32, |
320 | 918 | op->mem.disp); |
321 | 4.92k | } |
322 | | |
323 | 5.08k | if (op->mem.base == BPF_REG_INVALID && |
324 | 1.01k | op->mem.disp == 0) |
325 | 95 | SStream_concat(O, "0x0"); |
326 | 5.08k | } |
327 | | |
328 | 6.74k | SStream_concat(O, "]"); |
329 | 6.74k | break; |
330 | 479 | case BPF_OP_MMEM: |
331 | 479 | SStream_concat(O, "m[0x%x]", op->mmem); |
332 | 479 | break; |
333 | 82 | case BPF_OP_MSH: |
334 | 82 | SStream_concat(O, "4*([0x%x]&0xf)", op->msh); |
335 | 82 | break; |
336 | 278 | case BPF_OP_EXT: |
337 | 278 | switch (op->ext) { |
338 | 278 | case BPF_EXT_LEN: |
339 | 278 | SStream_concat(O, "#len"); |
340 | 278 | break; |
341 | 278 | } |
342 | 278 | break; |
343 | 39.7k | } |
344 | 39.7k | } |
345 | | |
346 | | /* |
347 | | * 1. human readable mnemonic |
348 | | * 2. set pubOpcode (BPF_INSN_*) |
349 | | * 3. set detail->bpf.operands |
350 | | * */ |
351 | | void BPF_printInst(MCInst *MI, struct SStream *O, void *PrinterInfo) |
352 | 22.1k | { |
353 | 22.1k | cs_bpf bpf = { 0 }; |
354 | | |
355 | | /* set pubOpcode as instruction id */ |
356 | 22.1k | SStream_concat(O, BPF_insn_name((csh)MI->csh, MCInst_getOpcodePub(MI))); |
357 | 22.1k | convert_operands(MI, &bpf); |
358 | 61.9k | for (size_t i = 0; i < bpf.op_count; i++) { |
359 | 39.7k | if (i == 0) |
360 | 21.2k | SStream_concat(O, "\t"); |
361 | 18.5k | else |
362 | 18.5k | SStream_concat(O, ", "); |
363 | 39.7k | print_operand(MI, O, &bpf.operands[i]); |
364 | 39.7k | } |
365 | | |
366 | 22.1k | #ifndef CAPSTONE_DIET |
367 | 22.1k | if (detail_is_set(MI)) { |
368 | 22.1k | MI->flat_insn->detail->bpf = bpf; |
369 | 22.1k | } |
370 | 22.1k | #endif |
371 | 22.1k | } |