As per Intel SDM version 73 released in November 2020, make sure we don't decode 32-bit EVEX instructions that have EVEX.V' cleared, and 64-bit EVEX instructions that don't use EVEX.V' field, but have it cleared.

2024-11-18 05:28:09 +00:00 · 2020-11-17 10:36:26 +02:00 · 2020-11-17 10:36:26 +02:00 · e89f56289d
commit e89f56289d
parent 67da1892d4
4 changed files with 16 additions and 6 deletions
--- a/bddisasm/bddisasm.c
+++ b/bddisasm/bddisasm.c
@ -640,7 +640,7 @@ NdFetchEvex(
    // Do EVEX validations outside 64 bits mode.
    if (ND_CODE_64 != Instrux->DefCode)
    {
-        // Evex.R and Evex.X must be 1. If they're not, we have BOUND instruction. This is checkked in the
+        // Evex.R and Evex.X must be 1. If they're not, we have BOUND instruction. This is checked in the
        // first if. Note that they are inverted inside the Evex prefix.
        Instrux->Exs.r = 0;
        Instrux->Exs.x = 0;
@ -654,8 +654,11 @@ NdFetchEvex(
        // High bit inside Evex.VVVV is ignored, so we force it to 0.
        Instrux->Exs.v &= 0x7;

-        // Evex.V' is ignored.
-        Instrux->Exs.vp = 0;
+        // Evex.V' must be 1 (negated to 0) in 32-bit mode.
+        if (Instrux->Exs.vp == 1)
+        {
+            return ND_STATUS_BAD_EVEX_V_PRIME;
+        }
    }

    // Update Instrux length & offset, and make sure we don't exceed 15 bytes.
@ -3775,12 +3778,18 @@ NdValidateInstruction(
    // VEX/EVEX validations.
    if (ND_ENCM_LEGACY != Instrux->EncMode)
    {
-        // Instructions that don't use VEX/XOP vvvv field must set it to 1111b/0, otherwise a #UD will be generated.
+        // Instructions that don't use VEX/XOP/EVEX vvvv field must set it to 1111b/0, otherwise a #UD will be generated.
        if ((0 == (Instrux->OperandsEncodingMap & (1 << ND_OPE_V))) && (0 != Instrux->Exs.v))
        {
            return ND_STATUS_VEX_VVVV_MUST_BE_ZERO;
        }

+        // Instruction that don't use EVEX.V' field must set to to 1b/0, otherwise a #UD will be generated.
+        if ((0 == (Instrux->OperandsEncodingMap & (1 << ND_OPE_V))) && !ND_HAS_VSIB(Instrux) && (0 != Instrux->Exs.vp))
+        {
+            return ND_STATUS_BAD_EVEX_V_PRIME;
+        }
+
        // Some instructions don't support 128 bit vectors.
        if ((ND_VECM_128 == Instrux->EfVecMode) && (0 != (Instrux->Attributes & ND_FLAG_NOL0)))
        {
--- a/inc/disasmstatus.h
+++ b/inc/disasmstatus.h
@ -43,6 +43,7 @@ typedef unsigned int NDSTATUS;
 #define ND_STATUS_ZEROING_ON_MEMORY                     0x80000037 // Zeroing on memory.
 #define ND_STATUS_ZEROING_NO_MASK                       0x80000038 // Zeroing without masking.
 #define ND_STATUS_BROADCAST_NOT_SUPPORTED               0x80000039 // Broadcast not supported.
+#define ND_STATUS_BAD_EVEX_V_PRIME                      0x80000040 // EVEX.V' field must be one (negated 0).

 // Not encoding specific.
 #define ND_STATUS_INVALID_PARAMETER                     0x80000100 // An invalid parameter was provided.
--- a/inc/version.h
+++ b/inc/version.h
@ -7,6 +7,6 @@

 #define DISASM_VERSION_MAJOR        1
 #define DISASM_VERSION_MINOR        31
-#define DISASM_VERSION_REVISION     3
+#define DISASM_VERSION_REVISION     4

 #endif // DISASM_VER_H
--- a/pybddisasm/setup.py
+++ b/pybddisasm/setup.py
@ -12,7 +12,7 @@ from setuptools import find_packages, setup, Command, Extension, Distribution
 from codecs import open

 VERSION = (0, 1, 3)
-LIBRARY_VERSION = (1, 31, 3)
+LIBRARY_VERSION = (1, 31, 4)
 LIBRARY_INSTRUX_SIZE = 864

 packages = ['pybddisasm']