diff options
| author | iximeow <me@iximeow.net> | 2023-12-16 13:26:48 -0800 |
|---|---|---|
| committer | iximeow <me@iximeow.net> | 2023-12-16 13:26:48 -0800 |
| commit | 110f797005cca70e18cbcc0975397d26d8045245 (patch) | |
| tree | a3ff79c0c3a7519d00e19d213447c268614cef00 /fuzz/fuzz_targets/does_not_decode_invalid_registers.rs | |
| parent | 85668b222582ef1edae537beea452d5e1c933389 (diff) | |
fix opportunity for unhandled register synonyms
registers `al`, `cl`, `dl`, and `bl` could have two different
representations - with `rex.w` and without. these two forms of `RegSpec`
would not compare equal, nor has the same, so for code relying on
`RegSpec` to faithfully represent a 1-1 mapping to x86 registers, these
synonyms would introduce bugs in register analysis.
for example, in `yaxpeax-core`, this would result in instructions
writing to `rex.w al` not being visible as definitions for a future
read of `!rex.w al`.
fix this in `x86_64` code, add new test cases about the confusion,
adjust register names to make this situation more clearly a bug, and
introduce two new fuzz targets that would have helped spot this error.
Diffstat (limited to 'fuzz/fuzz_targets/does_not_decode_invalid_registers.rs')
| -rw-r--r-- | fuzz/fuzz_targets/does_not_decode_invalid_registers.rs | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/fuzz/fuzz_targets/does_not_decode_invalid_registers.rs b/fuzz/fuzz_targets/does_not_decode_invalid_registers.rs new file mode 100644 index 0000000..0f32f73 --- /dev/null +++ b/fuzz/fuzz_targets/does_not_decode_invalid_registers.rs @@ -0,0 +1,30 @@ +//! instruction text should never include the word BUG - this is a symptom of selecting an invalid +//! RegSpec while disassembling. + +#![no_main] +#[macro_use] extern crate libfuzzer_sys; +extern crate yaxpeax_x86; + +fuzz_target!(|data: &[u8]| { + let x86_64_decoder = yaxpeax_x86::long_mode::InstDecoder::default(); + let x86_32_decoder = yaxpeax_x86::protected_mode::InstDecoder::default(); + let x86_16_decoder = yaxpeax_x86::real_mode::InstDecoder::default(); + + if let Ok(inst) = x86_64_decoder.decode_slice(data) { + let mut res = String::new(); + inst.write_to(&mut res).expect("format does not panic"); + assert!(!res.contains("BUG")); + }; + + if let Ok(inst) = x86_32_decoder.decode_slice(data) { + let mut res = String::new(); + inst.write_to(&mut res).expect("format does not panic"); + assert!(!res.contains("BUG")); + }; + + if let Ok(inst) = x86_16_decoder.decode_slice(data) { + let mut res = String::new(); + inst.write_to(&mut res).expect("format does not panic"); + assert!(!res.contains("BUG")); + }; +}); |