/src/capstonenext/arch/BPF/BPFDisassembler.c
1 | | /* Capstone Disassembly Engine */ |
2 | | /* BPF Backend by david942j <david942j@gmail.com>, 2019 */ |
3 | | /* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */ |
4 | | /* SPDX-License-Identifier: BSD-3 */ |
5 | | |
6 | | #ifdef CAPSTONE_HAS_BPF |
7 | | |
8 | | #include <string.h> |
9 | | #include <stddef.h> // offsetof macro |
10 | | |
11 | | #include "BPFConstants.h" |
12 | | #include "BPFDisassembler.h" |
13 | | #include "BPFMapping.h" |
14 | | #include "../../Mapping.h" |
15 | | #include "../../cs_priv.h" |
16 | | #include "../../utils.h" |
17 | | |
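/**
 * Allocate a zeroed bpf_internal for one instruction.
 *
 * @param code_len  number of bytes available at the decode position.
 * @return a fresh bpf_internal (caller releases it with cs_mem_free), or NULL
 *         when fewer than 8 bytes are available or the allocation fails.
 *
 * The struct is zeroed because the fetch_* callers only fill the fields their
 * mode uses: fetch_cbpf never writes offset/dst/src and fetch_ebpf never
 * writes jt/jf (nor offset on the 16-byte lddw path), while setFinalOpcode
 * passes bpf->offset to op2insn_alu in both modes. Without the memset that
 * argument would be an indeterminate value in cBPF mode.
 */
static bpf_internal *alloc_bpf_internal(const size_t code_len)
{
	if (code_len < 8)
		return NULL;

	bpf_internal *bpf = cs_mem_malloc(sizeof(*bpf));
	if (bpf == NULL)
		return NULL;
	memset(bpf, 0, sizeof(*bpf));

	/* default value: every instruction is 8 bytes unless fetch_ebpf widens it */
	bpf->insn_size = 8;
	return bpf;
}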
32 | | |
/* Decode one 8-byte classic-BPF instruction: op (16 bits), jt and jf
 * (one byte each), then k (32 bits). Returns NULL on a short buffer. */
static bpf_internal *fetch_cbpf(MCInst *instr, const uint8_t *code,
				const size_t code_len)
{
	bpf_internal *insn = alloc_bpf_internal(code_len);
	if (!insn)
		return NULL;

	insn->op = readBytes16(instr, code);
	insn->jt = code[2];
	insn->jf = code[3];
	insn->k = readBytes32(instr, code + 4);
	return insn;
}
49 | | |
/* Decode one eBPF instruction: op (8 bits), dst/src (4 bits each), off
 * (16 bits), imm (32 bits). The single 16-byte form, lddw
 * (BPF_LD | BPF_DW | BPF_IMM), takes the high half of its imm64 from the
 * imm field of the following 8-byte slot. Returns NULL on a short buffer. */
static bpf_internal *fetch_ebpf(MCInst *instr, const uint8_t *code,
				const size_t code_len)
{
	bpf_internal *insn = alloc_bpf_internal(code_len);
	if (!insn)
		return NULL;

	insn->op = (uint16_t)code[0];
	insn->dst = code[1] & 0xf;
	insn->src = (code[1] & 0xf0) >> 4;

	const bool wide_imm =
		insn->op == (BPF_CLASS_LD | BPF_SIZE_DW | BPF_MODE_IMM);
	if (!wide_imm) {
		insn->offset = readBytes16(instr, code + 2);
		insn->k = readBytes32(instr, code + 4);
		return insn;
	}

	/* lddw needs the second 8-byte slot; refuse a truncated buffer */
	if (code_len < 16) {
		cs_mem_free(insn);
		return NULL;
	}
	const uint64_t hi = readBytes32(instr, code + 12);
	insn->k = readBytes32(instr, code + 4) | (hi << 32);
	insn->insn_size = 16;
	return insn;
}
80 | | |
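/*
 * Operand-validation helpers for the decode* functions. Each one leaves the
 * enclosing bool-returning function with `return false` when a register
 * number is out of range, and otherwise pushes the register operand.
 * `ud` is accepted for call-site symmetry and unused. Register numbers are
 * relative to BPF_REG_R0; R10 is accepted as a source but never as a
 * destination.
 */
#define CHECK_READABLE_REG(ud, reg) \
	do { \
		if (!((reg) >= BPF_REG_R0 && (reg) <= BPF_REG_R10)) \
			return false; \
	} while (0)

#define CHECK_WRITEABLE_REG(ud, reg) \
	do { \
		if (!((reg) >= BPF_REG_R0 && (reg) < BPF_REG_R10)) \
			return false; \
	} while (0)

/* `r` is parenthesized so an expression argument expands safely; note it is
 * still evaluated twice, so pass a side-effect-free expression. */
#define CHECK_READABLE_AND_PUSH(ud, MI, r) \
	do { \
		CHECK_READABLE_REG(ud, (r) + BPF_REG_R0); \
		MCOperand_CreateReg0(MI, (r) + BPF_REG_R0); \
	} while (0)

#define CHECK_WRITABLE_AND_PUSH(ud, MI, r) \
	do { \
		CHECK_WRITEABLE_REG(ud, (r) + BPF_REG_R0); \
		MCOperand_CreateReg0(MI, (r) + BPF_REG_R0); \
	} while (0)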
104 | | |
/*
 * Validate a BPF_LD/BPF_LDX instruction and push its operands onto MI.
 *
 * @param MI   instruction being built; MI->csh->mode selects cBPF vs eBPF.
 * @param bpf  raw fields produced by fetch_cbpf / fetch_ebpf.
 * @return true when the encoding is accepted and its operands were pushed,
 *         false for anything this backend does not recognise.
 */
static bool decodeLoad(MCInst *MI, bpf_internal *bpf)
{
	if (!EBPF_MODE(MI->csh->mode)) {
		/*
		 * +-----+-----------+--------------------+
		 * | ldb |    [k]    |       [x+k]        |
		 * | ldh |    [k]    |       [x+k]        |
		 * +-----+-----------+--------------------+
		 */
		/* cBPF has no 64-bit loads */
		if (BPF_SIZE(bpf->op) == BPF_SIZE_DW)
			return false;
		if (BPF_SIZE(bpf->op) == BPF_SIZE_B ||
		    BPF_SIZE(bpf->op) == BPF_SIZE_H) {
			/* no ldx */
			/* NOTE(review): this rejects BPF_LDX | BPF_MSH | BPF_B,
			 * which is how the classic "ldxb 4*([k]&0xf)" load is
			 * conventionally encoded; only the BPF_SIZE_W form of
			 * MSH reaches the LDX branch below. Confirm that is
			 * intended. */
			if (BPF_CLASS(bpf->op) != BPF_CLASS_LD)
				return false;
			/* can only be BPF_ABS and BPF_IND */
			if (BPF_MODE(bpf->op) == BPF_MODE_ABS) {
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			} else if (BPF_MODE(bpf->op) == BPF_MODE_IND) {
				/* [x+k]: X is pushed as an explicit operand */
				MCOperand_CreateReg0(MI, BPF_REG_X);
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			}
			return false;
		}
		/*
		 * +-----+----+------+------+-----+-------+
		 * | ld  | #k | #len | M[k] | [k] | [x+k] |
		 * +-----+----+------+------+-----+-------+
		 * | ldx | #k | #len | M[k] | 4*([k]&0xf) |
		 * +-----+----+------+------+-------------+
		 */
		/* modes shared by ld and ldx (word size only at this point) */
		switch (BPF_MODE(bpf->op)) {
		default:
			break;
		case BPF_MODE_IMM:
			MCOperand_CreateImm0(MI, bpf->k);
			return true;
		case BPF_MODE_LEN:
			/* #len takes no operand */
			return true;
		case BPF_MODE_MEM:
			MCOperand_CreateImm0(MI, bpf->k);
			return true;
		}
		/* modes specific to one class */
		if (BPF_CLASS(bpf->op) == BPF_CLASS_LD) {
			if (BPF_MODE(bpf->op) == BPF_MODE_ABS) {
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			} else if (BPF_MODE(bpf->op) == BPF_MODE_IND) {
				MCOperand_CreateReg0(MI, BPF_REG_X);
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			}
		} else { /* LDX */
			/* 4*([k]&0xf): only k is an operand */
			if (BPF_MODE(bpf->op) == BPF_MODE_MSH) {
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			}
		}
		return false;
	}

	/* eBPF mode */
	/*
	 * - IMM: lddw dst, imm64
	 * - ABS: ld{w,h,b} [k]
	 * - IND: ld{w,h,b} [src]
	 * - MEM: ldx{w,h,b,dw} dst, [src+off]
	 */
	if (BPF_CLASS(bpf->op) == BPF_CLASS_LD) {
		switch (BPF_MODE(bpf->op)) {
		case BPF_MODE_IMM:
			/* the only immediate load is the 16-byte lddw;
			 * fetch_ebpf already assembled the 64-bit k for it */
			if (bpf->op !=
			    (BPF_CLASS_LD | BPF_SIZE_DW | BPF_MODE_IMM))
				return false;
			CHECK_WRITABLE_AND_PUSH(ud, MI, bpf->dst);
			MCOperand_CreateImm0(MI, bpf->k);
			return true;
		case BPF_MODE_ABS:
			/* NOTE(review): accepted for every BPF_SIZE, including
			 * DW; op2insn_ld_ebpf then maps the DW form to
			 * BPF_INS_LDDW. Confirm that is intended. */
			MCOperand_CreateImm0(MI, bpf->k);
			return true;
		case BPF_MODE_IND:
			CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
			return true;
		}
		return false;
	}
	/* LDX */
	if (BPF_MODE(bpf->op) == BPF_MODE_MEM) {
		/* ldx{w,h,b,dw} dst, [src+off] */
		CHECK_WRITABLE_AND_PUSH(ud, MI, bpf->dst);
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
		MCOperand_CreateImm0(MI, bpf->offset);
		return true;
	}
	return false;
}
203 | | |
/*
 * Validate a BPF_ST/BPF_STX instruction and push its operands onto MI.
 *
 * cBPF accepts only the scratch store BPF_ST or BPF_STX | BPF_MEM | BPF_W
 * (operand: k). eBPF accepts
 *  - BPF_STX | BPF_ATOMIC | BPF_{W,DW}: operands dst, off, src
 *  - BPF_ST or BPF_STX | BPF_MEM | BPF_{W,H,B,DW}: operands dst, off, then
 *    k (ST) or src (STX)
 * Everything else is rejected.
 */
static bool decodeStore(MCInst *MI, bpf_internal *bpf)
{
	const uint16_t op = bpf->op;

	if (!EBPF_MODE(MI->csh->mode)) {
		/* can only store to M[] */
		if (op != (BPF_CLASS(op) | BPF_MODE_MEM | BPF_SIZE_W))
			return false;
		MCOperand_CreateImm0(MI, bpf->k);
		return true;
	}

	/* eBPF */
	switch (BPF_MODE(op)) {
	case BPF_MODE_ATOMIC:
		/* only STX, and only 32- or 64-bit wide */
		if (BPF_CLASS(op) != BPF_CLASS_STX)
			return false;
		if (BPF_SIZE(op) != BPF_SIZE_W && BPF_SIZE(op) != BPF_SIZE_DW)
			return false;
		/* xadd [dst + off], src */
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->dst);
		MCOperand_CreateImm0(MI, bpf->offset);
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
		return true;

	case BPF_MODE_MEM:
		/* st [dst + off], imm   or   stx [dst + off], src */
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->dst);
		MCOperand_CreateImm0(MI, bpf->offset);
		if (BPF_CLASS(op) == BPF_CLASS_ST)
			MCOperand_CreateImm0(MI, bpf->k);
		else
			CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
		return true;

	default:
		return false;
	}
}
246 | | |
/*
 * Validate an ALU/ALU64 instruction and push its operands onto MI.
 *
 * cBPF: opcodes up to BPF_ALU_XOR; neg has no operand, everything else takes
 * #k or X.
 * eBPF: opcodes up to BPF_ALU_END; every instruction gets a writable dst
 * first. neg stops there. The endian ops require k in {16, 32, 64} (and, for
 * ALU64, the BPF_SRC_LITTLE encoding); their width is folded into bpf->op so
 * op2insn_alu can tell le16/be32/bswap64 apart. All others take #k or src.
 */
static bool decodeALU(MCInst *MI, bpf_internal *bpf)
{
	const unsigned alu_op = BPF_OP(bpf->op);
	const bool from_imm = BPF_SRC(bpf->op) == BPF_SRC_K;

	/* cBPF */
	if (!EBPF_MODE(MI->csh->mode)) {
		if (alu_op > BPF_ALU_XOR)
			return false;
		/* cBPF's NEG has no operands */
		if (alu_op == BPF_ALU_NEG)
			return true;
		if (from_imm)
			MCOperand_CreateImm0(MI, bpf->k);
		else /* BPF_SRC_X */
			MCOperand_CreateReg0(MI, BPF_REG_X);
		return true;
	}

	/* eBPF */
	if (alu_op > BPF_ALU_END)
		return false;
	if (alu_op == BPF_ALU_END) {
		/* ENDian's imm must be one of 16, 32, 64 */
		const bool width_ok = bpf->k == 16 || bpf->k == 32 ||
				      bpf->k == 64;
		if (!width_ok)
			return false;
		/* ALU64 | END (bswap) is only accepted with BPF_SRC_LITTLE */
		if (BPF_CLASS(bpf->op) == BPF_CLASS_ALU64 &&
		    BPF_SRC(bpf->op) != BPF_SRC_LITTLE)
			return false;
	}

	/* - op dst, imm
	 * - op dst, src
	 * - neg dst
	 * - le<imm> dst
	 * every ALU instruction has a dst operand */
	CHECK_WRITABLE_AND_PUSH(ud, MI, bpf->dst);

	/* special cases */
	switch (alu_op) {
	case BPF_ALU_NEG:
		return true;
	case BPF_ALU_END:
		/* k is 16/32/64 here; fold it into op for op2insn_alu */
		bpf->op |= ((uint32_t)bpf->k << 4);
		return true;
	default:
		break;
	}

	/* normal cases */
	if (from_imm)
		MCOperand_CreateImm0(MI, bpf->k);
	else /* BPF_SRC_X */
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
	return true;
}
303 | | |
/*
 * Validate a jump instruction and push its operands onto MI.
 *
 * cBPF (BPF_JMP): opcodes up to BPF_JUMP_JSET. `ja` takes only k; every
 * other jump takes #k or X followed by the jt and jf byte offsets.
 *
 * eBPF (BPF_JMP, and BPF_JMP32 which getInstruction routes here through the
 * BPF_CLASS_RET value): opcodes up to BPF_JUMP_JSLE. exit takes no operand and
 * exists only in BPF_JMP. call takes #k in BPF_JMP; callx
 * (BPF_JMP | BPF_CALL | BPF_SRC_X) takes a register whose number is carried
 * in k. ja takes off in BPF_JMP and k in BPF_JMP32. Conditional jumps take
 * dst, #k-or-src, off.
 *
 * @return true when the encoding is accepted and its operands were pushed.
 */
static bool decodeJump(MCInst *MI, bpf_internal *bpf)
{
	/* cBPF and eBPF are very different in class jump */
	if (!EBPF_MODE(MI->csh->mode)) {
		if (BPF_OP(bpf->op) > BPF_JUMP_JSET)
			return false;

		/* ja is a special case of jumps */
		if (BPF_OP(bpf->op) == BPF_JUMP_JA) {
			MCOperand_CreateImm0(MI, bpf->k);
			return true;
		}

		if (BPF_SRC(bpf->op) == BPF_SRC_K)
			MCOperand_CreateImm0(MI, bpf->k);
		else /* BPF_SRC_X */
			MCOperand_CreateReg0(MI, BPF_REG_X);
		/* true/false branch offsets, in that order */
		MCOperand_CreateImm0(MI, bpf->jt);
		MCOperand_CreateImm0(MI, bpf->jf);
	} else {
		if (BPF_OP(bpf->op) > BPF_JUMP_JSLE)
			return false;

		/* JMP32 has no CALL/EXIT instruction */
		/* No operands for exit */
		if (BPF_OP(bpf->op) == BPF_JUMP_EXIT)
			return bpf->op == (BPF_CLASS_JMP | BPF_JUMP_EXIT);
		if (BPF_OP(bpf->op) == BPF_JUMP_CALL) {
			/* call #k */
			if (bpf->op == (BPF_CLASS_JMP | BPF_JUMP_CALL)) {
				MCOperand_CreateImm0(MI, bpf->k);
				return true;
			}
			/* callx: the register index lives in imm, not src */
			if (bpf->op ==
			    (BPF_CLASS_JMP | BPF_JUMP_CALL | BPF_SRC_X)) {
				CHECK_READABLE_AND_PUSH(ud, MI, bpf->k);
				return true;
			}
			return false;
		}

		/* ja is a special case of jumps */
		if (BPF_OP(bpf->op) == BPF_JUMP_JA) {
			if (BPF_SRC(bpf->op) != BPF_SRC_K)
				return false;
			/* BPF_JMP uses the 16-bit off, BPF_JMP32 the 32-bit imm */
			if (BPF_CLASS(bpf->op) == BPF_CLASS_JMP)
				MCOperand_CreateImm0(MI, bpf->offset);
			else
				MCOperand_CreateImm0(MI, bpf->k);

			return true;
		}

		/* <j> dst, src, +off */
		CHECK_READABLE_AND_PUSH(ud, MI, bpf->dst);
		if (BPF_SRC(bpf->op) == BPF_SRC_K)
			MCOperand_CreateImm0(MI, bpf->k);
		else
			CHECK_READABLE_AND_PUSH(ud, MI, bpf->src);
		MCOperand_CreateImm0(MI, bpf->offset);
	}
	return true;
}
366 | | |
/* cBPF BPF_RET only: the return value is #k, X or A, selected by BPF_RVAL. */
static bool decodeReturn(MCInst *MI, bpf_internal *bpf)
{
	/* Here only handles the BPF_RET class in cBPF */
	const unsigned rval = BPF_RVAL(bpf->op);

	if (rval == BPF_SRC_K) {
		MCOperand_CreateImm0(MI, bpf->k);
		return true;
	}
	if (rval == BPF_SRC_X) {
		MCOperand_CreateReg0(MI, BPF_REG_X);
		return true;
	}
	if (rval == BPF_SRC_A) {
		MCOperand_CreateReg0(MI, BPF_REG_A);
		return true;
	}
	return false;
}
383 | | |
/* cBPF BPF_MISC: only tax and txa are valid, and neither has operands. */
static bool decodeMISC(MCInst *MI, bpf_internal *bpf)
{
	switch (bpf->op ^ BPF_CLASS_MISC) {
	case BPF_MISCOP_TAX:
	case BPF_MISCOP_TXA:
		return true;
	default:
		return false;
	}
}
389 | | |
/*
 * Validate one fetched instruction and populate MI's operand list.
 *  1. zero the BPF portion of the detail block and clear MI
 *  2. dispatch to the per-class decoder, which rejects bad encodings and
 *     pushes the operands
 * The opcode itself is not stored here; setFinalOpcode and the
 * MCInst_setOpcode call in BPF_getInstruction do that afterwards.
 *
 * BPF_CLASS_RET and BPF_CLASS_MISC carry the same values as eBPF's
 * BPF_CLASS_JMP32 and BPF_CLASS_ALU64, so those two arms branch on the mode.
 */
static bool getInstruction(MCInst *MI, bpf_internal *bpf)
{
	cs_detail *detail = MI->flat_insn->detail;

	if (detail != NULL) {
		/* zero cs_detail up to and including its bpf member */
		memset(detail, 0, offsetof(cs_detail, bpf) + sizeof(cs_bpf));
	}
	MCInst_clear(MI);

	const bool ebpf = EBPF_MODE(MI->csh->mode);
	switch (BPF_CLASS(bpf->op)) {
	case BPF_CLASS_LD:
	case BPF_CLASS_LDX:
		return decodeLoad(MI, bpf);
	case BPF_CLASS_ST:
	case BPF_CLASS_STX:
		return decodeStore(MI, bpf);
	case BPF_CLASS_ALU:
		return decodeALU(MI, bpf);
	case BPF_CLASS_JMP:
		return decodeJump(MI, bpf);
	case BPF_CLASS_RET: /* BPF_CLASS_JMP32 in eBPF */
		return ebpf ? decodeJump(MI, bpf) : decodeReturn(MI, bpf);
	case BPF_CLASS_MISC: /* BPF_CLASS_ALU64 in eBPF */
		return ebpf ? decodeALU(MI, bpf) : decodeMISC(MI, bpf);
	default: /* should never happen */
		return false;
	}
}
432 | | |
/*
 * Map a regular (non-packet) load opcode to its instruction id by width and
 * class. Despite the name it serves both modes: op2insn_ld_ebpf falls back
 * here for every eBPF load that is not a legacy packet load, including lddw.
 */
static bpf_insn op2insn_ld_cbpf(unsigned opcode)
{
	const bool is_ld = BPF_CLASS(opcode) == BPF_CLASS_LD;

	switch (BPF_SIZE(opcode)) {
	case BPF_SIZE_W:
		return is_ld ? BPF_INS_LDW : BPF_INS_LDXW;
	case BPF_SIZE_H:
		return is_ld ? BPF_INS_LDH : BPF_INS_LDXH;
	case BPF_SIZE_B:
		return is_ld ? BPF_INS_LDB : BPF_INS_LDXB;
	case BPF_SIZE_DW:
		return is_ld ? BPF_INS_LDDW : BPF_INS_LDXDW;
	default:
		return BPF_INS_INVALID;
	}
}
453 | | |
/*
 * Map an eBPF load opcode to its instruction id. BPF_LD with a W/H/B width
 * is a legacy packet load (ldabs{w,h,b} / ldind{w,h,b}, anything else in
 * that slot is invalid); every other load is delegated to op2insn_ld_cbpf.
 */
static bpf_insn op2insn_ld_ebpf(unsigned opcode)
{
	if (BPF_CLASS(opcode) != BPF_CLASS_LD)
		return op2insn_ld_cbpf(opcode);

	const bool abs = BPF_MODE(opcode) == BPF_MODE_ABS;
	const bool ind = BPF_MODE(opcode) == BPF_MODE_IND;

	switch (BPF_SIZE(opcode)) {
	case BPF_SIZE_W:
		if (abs)
			return BPF_INS_LDABSW;
		if (ind)
			return BPF_INS_LDINDW;
		return BPF_INS_INVALID;
	case BPF_SIZE_H:
		if (abs)
			return BPF_INS_LDABSH;
		if (ind)
			return BPF_INS_LDINDH;
		return BPF_INS_INVALID;
	case BPF_SIZE_B:
		if (abs)
			return BPF_INS_LDABSB;
		if (ind)
			return BPF_INS_LDINDB;
		return BPF_INS_INVALID;
	default:
		/* DW (lddw) is not a packet load */
		return op2insn_ld_cbpf(opcode);
	}
}
478 | | |
/*
 * Map a store opcode to its instruction id.
 *  - BPF_STX | BPF_ATOMIC | BPF_{W,DW}: the atomic operation is carried in
 *    imm. add/or/and/xor come with or without BPF_MODE_FETCH; xchg and
 *    cmpxchg exist only with fetch and only at DW width.
 *  - BPF_ST or BPF_STX | BPF_MEM | BPF_{W,H,B,DW}: plain stores.
 * decodeStore has already restricted the atomic form to STX with W or DW,
 * so a single "is it W" test chooses between the 32- and 64-bit ids.
 */
static bpf_insn op2insn_st(unsigned opcode, const uint32_t imm)
{
	const bool w = BPF_SIZE(opcode) == BPF_SIZE_W;
	const bool dw = BPF_SIZE(opcode) == BPF_SIZE_DW;

	if (BPF_MODE(opcode) == BPF_MODE_ATOMIC) {
		switch (imm) {
		case BPF_ALU_ADD:
			return w ? BPF_INS_AADD : BPF_INS_AADD64;
		case BPF_ALU_OR:
			return w ? BPF_INS_AOR : BPF_INS_AOR64;
		case BPF_ALU_AND:
			return w ? BPF_INS_AAND : BPF_INS_AAND64;
		case BPF_ALU_XOR:
			return w ? BPF_INS_AXOR : BPF_INS_AXOR64;
		case BPF_ALU_ADD | BPF_MODE_FETCH:
			return w ? BPF_INS_AFADD : BPF_INS_AFADD64;
		case BPF_ALU_OR | BPF_MODE_FETCH:
			return w ? BPF_INS_AFOR : BPF_INS_AFOR64;
		case BPF_ALU_AND | BPF_MODE_FETCH:
			return w ? BPF_INS_AFAND : BPF_INS_AFAND64;
		case BPF_ALU_XOR | BPF_MODE_FETCH:
			return w ? BPF_INS_AFXOR : BPF_INS_AFXOR64;
		case BPF_ATOMIC_XCHG | BPF_MODE_FETCH:
			return dw ? BPF_INS_AXCHG64 : BPF_INS_INVALID;
		case BPF_ATOMIC_CMPXCHG | BPF_MODE_FETCH:
			return dw ? BPF_INS_ACMPXCHG64 : BPF_INS_INVALID;
		default:
			/* xchg/cmpxchg without fetch, or an unknown atomic op */
			return BPF_INS_INVALID;
		}
	}

	/* should be BPF_MEM */
	const bool st = BPF_CLASS(opcode) == BPF_CLASS_ST;
	switch (BPF_SIZE(opcode)) {
	case BPF_SIZE_W:
		return st ? BPF_INS_STW : BPF_INS_STXW;
	case BPF_SIZE_H:
		return st ? BPF_INS_STH : BPF_INS_STXH;
	case BPF_SIZE_B:
		return st ? BPF_INS_STB : BPF_INS_STXB;
	case BPF_SIZE_DW:
		return st ? BPF_INS_STDW : BPF_INS_STXDW;
	default:
		return BPF_INS_INVALID;
	}
}
545 | | |
/* CASE(c): switch arm mapping BPF_ALU_c to BPF_INS_c (ALU) or BPF_INS_c64 (ALU64). */
#define CASE(c) \
	case BPF_ALU_##c: \
		CASE_IF(c)

/* CASE_IF(c): return the 32- or 64-bit id for c by class; both branches
 * return, so the enclosing case never falls through. */
#define CASE_IF(c) \
	do { \
		if (BPF_CLASS(opcode) == BPF_CLASS_ALU) \
			return BPF_INS_##c; \
		else \
			return BPF_INS_##c##64; \
	} while (0)

/*
 * Map an ALU/ALU64 opcode to its instruction id.
 *
 * @param opcode   bpf->op. For BPF_ALU_END, decodeALU has already OR-ed the
 *                 swap width (16/32/64) << 4 into it; that is what the
 *                 `(N << 4)` case labels below match.
 * @param off      bpf->offset; in eBPF it selects sdiv/smod (off == 1) and
 *                 the sign-extending movsb/movsh/movsw forms (off == 8/16/32).
 * @param is_ebpf  false for cBPF, where fetch_cbpf never sets offset and
 *                 div/mod therefore ignore it.
 * @return the instruction id, or BPF_INS_INVALID for an unknown combination.
 */
static bpf_insn op2insn_alu(unsigned opcode, const uint16_t off,
			    const bool is_ebpf)
{
	/* Endian is a special case */
	if (BPF_OP(opcode) == BPF_ALU_END) {
		/* ALU64 | END is bswap. decodeALU only lets the BPF_SRC_LITTLE
		 * encoding through, so that bit is XOR-ed away here too. */
		if (BPF_CLASS(opcode) == BPF_CLASS_ALU64) {
			switch (opcode ^ BPF_CLASS_ALU64 ^ BPF_ALU_END ^
				BPF_SRC_LITTLE) {
			case (16 << 4):
				return BPF_INS_BSWAP16;
			case (32 << 4):
				return BPF_INS_BSWAP32;
			case (64 << 4):
				return BPF_INS_BSWAP64;
			default:
				return BPF_INS_INVALID;
			}
		}

		/* ALU | END: le/be, direction in the BPF_SRC bit, width above it */
		switch (opcode ^ BPF_CLASS_ALU ^ BPF_ALU_END) {
		case BPF_SRC_LITTLE | (16 << 4):
			return BPF_INS_LE16;
		case BPF_SRC_LITTLE | (32 << 4):
			return BPF_INS_LE32;
		case BPF_SRC_LITTLE | (64 << 4):
			return BPF_INS_LE64;
		case BPF_SRC_BIG | (16 << 4):
			return BPF_INS_BE16;
		case BPF_SRC_BIG | (32 << 4):
			return BPF_INS_BE32;
		case BPF_SRC_BIG | (64 << 4):
			return BPF_INS_BE64;
		}
		return BPF_INS_INVALID;
	}

	switch (BPF_OP(opcode)) {
	CASE(ADD);
	CASE(SUB);
	CASE(MUL);
	CASE(OR);
	CASE(AND);
	CASE(LSH);
	CASE(RSH);
	CASE(NEG);
	CASE(XOR);
	CASE(ARSH);
	case BPF_ALU_DIV:
		/* off == 1 selects the signed variant; cBPF has no such flag */
		if (!is_ebpf || off == 0)
			CASE_IF(DIV);
		else if (off == 1)
			CASE_IF(SDIV);
		else
			return BPF_INS_INVALID;
	case BPF_ALU_MOD:
		if (!is_ebpf || off == 0)
			CASE_IF(MOD);
		else if (off == 1)
			CASE_IF(SMOD);
		else
			return BPF_INS_INVALID;
	case BPF_ALU_MOV:
		/* BPF_CLASS_ALU can have: mov, mov8s, mov16s
		 * BPF_CLASS_ALU64 can have: mov, mov8s, mov16s, mov32s
		 * (not reachable in cBPF: decodeALU rejects ops above BPF_ALU_XOR there)
		 * */
		if (off == 0)
			CASE_IF(MOV);
		else if (off == 8)
			CASE_IF(MOVSB);
		else if (off == 16)
			CASE_IF(MOVSH);
		else if (off == 32 && BPF_CLASS(opcode) == BPF_CLASS_ALU64)
			return BPF_INS_MOVSW64;
		else
			return BPF_INS_INVALID;
	}

	return BPF_INS_INVALID;
}
#undef CASE_IF
#undef CASE
639 | | |
/*
 * Map a jump opcode to its instruction id. BPF_JMP yields the plain ids,
 * BPF_JMP32 the "...32" compare ids (and JAL for ja). call and exit exist
 * only in BPF_JMP. callx shares BPF_JUMP_CALL with call and is told apart by
 * matching the complete opcode first.
 */
static bpf_insn op2insn_jmp(unsigned opcode)
{
	if (opcode == (BPF_CLASS_JMP | BPF_JUMP_CALL | BPF_SRC_X))
		return BPF_INS_CALLX;

	const bool jmp64 = BPF_CLASS(opcode) == BPF_CLASS_JMP;

	switch (BPF_OP(opcode)) {
	case BPF_JUMP_JA:
		return jmp64 ? BPF_INS_JA : BPF_INS_JAL;
	case BPF_JUMP_JEQ:
		return jmp64 ? BPF_INS_JEQ : BPF_INS_JEQ32;
	case BPF_JUMP_JGT:
		return jmp64 ? BPF_INS_JGT : BPF_INS_JGT32;
	case BPF_JUMP_JGE:
		return jmp64 ? BPF_INS_JGE : BPF_INS_JGE32;
	case BPF_JUMP_JSET:
		return jmp64 ? BPF_INS_JSET : BPF_INS_JSET32;
	case BPF_JUMP_JNE:
		return jmp64 ? BPF_INS_JNE : BPF_INS_JNE32;
	case BPF_JUMP_JSGT:
		return jmp64 ? BPF_INS_JSGT : BPF_INS_JSGT32;
	case BPF_JUMP_JSGE:
		return jmp64 ? BPF_INS_JSGE : BPF_INS_JSGE32;
	case BPF_JUMP_CALL:
		return jmp64 ? BPF_INS_CALL : BPF_INS_INVALID;
	case BPF_JUMP_EXIT:
		return jmp64 ? BPF_INS_EXIT : BPF_INS_INVALID;
	case BPF_JUMP_JLT:
		return jmp64 ? BPF_INS_JLT : BPF_INS_JLT32;
	case BPF_JUMP_JLE:
		return jmp64 ? BPF_INS_JLE : BPF_INS_JLE32;
	case BPF_JUMP_JSLT:
		return jmp64 ? BPF_INS_JSLT : BPF_INS_JSLT32;
	case BPF_JUMP_JSLE:
		return jmp64 ? BPF_INS_JSLE : BPF_INS_JSLE32;
	default:
		return BPF_INS_INVALID;
	}
}
688 | | |
689 | | #ifndef CAPSTONE_DIET |
690 | | |
/* The eBPF ids whose implicit r0 write depends on the addressing mode. */
static bool is_ebpf_packet_load_id(bpf_insn insn_id)
{
	switch (insn_id) {
	case BPF_INS_LDABSW:
	case BPF_INS_LDABSH:
	case BPF_INS_LDABSB:
	case BPF_INS_LDINDW:
	case BPF_INS_LDINDH:
	case BPF_INS_LDINDB:
	case BPF_INS_LDDW:
		return true;
	default:
		return false;
	}
}

/*
 * eBPF implicit accesses: the legacy packet loads (BPF_ABS/BPF_IND) write
 * r0 and exit reads r0. BPF_INS_LDDW is in the candidate list because
 * op2insn_ld_cbpf also returns it for a DW-sized BPF_LD in ABS/IND mode;
 * the mode test keeps the imm64 lddw itself out.
 */
static void ebpf_implicit_regs(MCInst *MI, bpf_insn insn_id,
			       unsigned int opcode)
{
	if (insn_id == BPF_INS_EXIT) {
		map_add_implicit_read(MI, BPF_REG_R0);
		return;
	}
	if (!is_ebpf_packet_load_id(insn_id))
		return;
	if (BPF_MODE(opcode) == BPF_MODE_ABS ||
	    BPF_MODE(opcode) == BPF_MODE_IND)
		map_add_implicit_write(MI, BPF_REG_R0);
}

/*
 * cBPF implicit accesses on the accumulator A and index X, by class.
 * BPF_CLASS_RET records nothing.
 */
static void cbpf_implicit_regs(MCInst *MI, bpf_insn insn_id,
			       unsigned int opcode)
{
	switch (BPF_CLASS(opcode)) {
	case BPF_CLASS_LD:
		map_add_implicit_write(MI, BPF_REG_A);
		return;
	case BPF_CLASS_LDX:
		map_add_implicit_write(MI, BPF_REG_X);
		return;
	case BPF_CLASS_ST:
		map_add_implicit_read(MI, BPF_REG_A);
		return;
	case BPF_CLASS_STX:
		map_add_implicit_read(MI, BPF_REG_X);
		return;
	case BPF_CLASS_ALU:
		map_add_implicit_read(MI, BPF_REG_A);
		map_add_implicit_write(MI, BPF_REG_A);
		return;
	case BPF_CLASS_JMP:
		/* the unconditional jump does not look at A */
		if (insn_id != BPF_INS_JA)
			map_add_implicit_read(MI, BPF_REG_A);
		return;
	case BPF_CLASS_MISC:
		/* tax: A -> X, txa: X -> A */
		if (insn_id == BPF_INS_TAX) {
			map_add_implicit_read(MI, BPF_REG_A);
			map_add_implicit_write(MI, BPF_REG_X);
		} else {
			map_add_implicit_read(MI, BPF_REG_X);
			map_add_implicit_write(MI, BPF_REG_A);
		}
		return;
	default:
		return;
	}
}

/*
 * Record the registers an instruction touches without naming them as
 * operands. `detail` is not used; the accesses are attached through MI.
 */
static void update_regs_access(MCInst *MI, cs_detail *detail, bpf_insn insn_id,
			       unsigned int opcode)
{
	if (insn_id == BPF_INS_INVALID)
		return;

	if (EBPF_MODE(MI->csh->mode))
		ebpf_implicit_regs(MI, insn_id, opcode);
	else
		cbpf_implicit_regs(MI, insn_id, opcode);
}
759 | | #endif |
760 | | |
/*
 * Resolve the public instruction id for an already-validated instruction,
 * tag its group and (non-DIET builds) record implicit register accesses.
 *
 * @param MI   instruction whose operands getInstruction has pushed.
 * @param bpf  decoded fields; bpf->op may already carry the endian width
 *             folded in by decodeALU.
 * @return false when no id exists for the opcode (BPF_INS_INVALID).
 *
 * BPF_CLASS_RET / BPF_CLASS_JMP32 and BPF_CLASS_MISC / BPF_CLASS_ALU64 share
 * values, so those two arms branch on the disassembler mode.
 */
static bool setFinalOpcode(MCInst *MI, const bpf_internal *bpf)
{
	bpf_insn id = BPF_INS_INVALID;
#ifndef CAPSTONE_DIET
	cs_detail *detail;

	detail = get_detail(MI);
#endif

	const uint16_t opcode = bpf->op;
	switch (BPF_CLASS(opcode)) {
	default: // will never happen
		break;
	case BPF_CLASS_LD:
	case BPF_CLASS_LDX:
		if (EBPF_MODE(MI->csh->mode))
			id = op2insn_ld_ebpf(opcode);
		else
			id = op2insn_ld_cbpf(opcode);
		add_group(MI, BPF_GRP_LOAD);
		break;
	case BPF_CLASS_ST:
	case BPF_CLASS_STX:
		/* for STX|ATOMIC the atomic operation is carried in imm (k) */
		id = op2insn_st(opcode, bpf->k);
		add_group(MI, BPF_GRP_STORE);
		break;
	case BPF_CLASS_ALU:
		/* offset is only filled by fetch_ebpf; op2insn_alu consults it
		 * for div/mod only when the mode flag says eBPF */
		id = op2insn_alu(opcode, bpf->offset, EBPF_MODE(MI->csh->mode));
		add_group(MI, BPF_GRP_ALU);
		break;
	case BPF_CLASS_JMP:
		id = op2insn_jmp(opcode);
		/* NOTE(review): the other arms call add_group without this
		 * guard; confirm whether it is still needed here. */
#ifndef CAPSTONE_DIET
		if (id == BPF_INS_CALL || id == BPF_INS_CALLX)
			add_group(MI, BPF_GRP_CALL);
		else if (id == BPF_INS_EXIT)
			add_group(MI, BPF_GRP_RETURN);
		else
			add_group(MI, BPF_GRP_JUMP);
#endif
		break;
	case BPF_CLASS_RET:
		/* case BPF_CLASS_JMP32: */
		if (EBPF_MODE(MI->csh->mode)) {
			id = op2insn_jmp(opcode);
			add_group(MI, BPF_GRP_JUMP);
		} else {
			id = BPF_INS_RET;
			add_group(MI, BPF_GRP_RETURN);
		}
		break;
	// BPF_CLASS_MISC and BPF_CLASS_ALU64 have exactly same value
	case BPF_CLASS_MISC:
		/* case BPF_CLASS_ALU64: */
		if (EBPF_MODE(MI->csh->mode)) {
			// ALU64 in eBPF
			id = op2insn_alu(opcode, bpf->offset, true);
			add_group(MI, BPF_GRP_ALU);
		} else {
			/* decodeMISC has already limited this to tax/txa */
			if (BPF_MISCOP(opcode) == BPF_MISCOP_TXA)
				id = BPF_INS_TXA;
			else
				id = BPF_INS_TAX;
			add_group(MI, BPF_GRP_MISC);
		}
		break;
	}

	if (id == BPF_INS_INVALID)
		return false;

	MCInst_setOpcodePub(MI, id);
	/* NOTE(review): no PUSH_GROUP definition is visible in this file, so
	 * this #undef looks like a leftover and is a no-op. */
#undef PUSH_GROUP

#ifndef CAPSTONE_DIET
	if (detail) {
		update_regs_access(MI, detail, id, opcode);
	}
#endif
	return true;
}
842 | | |
/*
 * Capstone entry point for the BPF backend: decode the instruction at `code`
 * into `instr` and report its byte length through `size`.
 *
 * @param ud        disassembler handle; unused, the mode comes from instr->csh.
 * @param code      bytes to decode: at least 8, or 16 for an eBPF lddw.
 * @param code_len  number of bytes available at `code`.
 * @param instr     instruction to fill (raw opcode, public id, operands).
 * @param size      out: 8, or 16 for lddw.
 * @param address   unused here.
 * @param info      unused here.
 * @return true on success; false when the buffer is too short or the
 *         encoding is rejected by the class decoders or id mapping.
 */
bool BPF_getInstruction(csh ud, const uint8_t *code, size_t code_len,
			MCInst *instr, uint16_t *size, uint64_t address,
			void *info)
{
	bpf_internal *insn = EBPF_MODE(instr->csh->mode) ?
				     fetch_ebpf(instr, code, code_len) :
				     fetch_cbpf(instr, code, code_len);
	if (insn == NULL)
		return false;

	bool ok = getInstruction(instr, insn);
	if (ok)
		ok = setFinalOpcode(instr, insn);
	if (ok) {
		/* decodeALU may have rewritten op (endian width), so store it last */
		MCInst_setOpcode(instr, insn->op);
		*size = insn->insn_size;
	}

	cs_mem_free(insn);
	return ok;
}
866 | | |
867 | | #endif |