NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

armv6m: msr instruction is reading from the wrong register #6597

Open danlehmann opened 1 month ago

danlehmann commented 1 month ago

Describe the bug

msr apsr, r5 produces the correct disassembly but produces incorrect pcode.

See attached screenshots; notice how Input Objects does not list r5, but instead r0.

I dug into the Sleigh definition for this. The issue is in this code:

msripsr: "i"    is thc0000=1 { }
msripsr:        is thc0000=0 { }
msrepsr: "e"    is thc0101=1 { }
msrepsr:        is thc0101=0 { }
msrapsr:        is thc0202=1 { }
// Rn0003 and thc0202 are used like they are in the same 16-bit word, but they are spread over the whole 32 bit instruction (see second comment below)
msrapsr: "a"    is thc0202=0 & Rn0003 {
    cpsr = cpsr | (Rn0003 & 0xf8000000);
    writeAPSR_nzcvq(cpsr);
}

msrpsr: msripsr^msrepsr^msrapsr^"psr"   is  msripsr & msrepsr & msrapsr {
    build msrapsr;
}
msrpsr: "xpsr"  is  sysm02=3 & msrapsr  {
    build msrapsr;
}

// Here the semicolon advances to the second 16-bit word
:msr^ItCond msrpsr,Rn0003       is TMode=1 & ItCond & op4=0xf38 & Rn0003; op12=0x8 & th_psrmask=8 & sysm37=0 & msrpsr
{
  build ItCond;
  build msrpsr;
}

Notice how Rn0003 is taken from the same 16-bit word as thc0202. This is not how this instruction is defined however; Rn is supposed to come out of the first 16-bit word.

To Reproduce

Decompile a program that has the given instruction, right click the instruction and click Instruction Info.

Additional context

I'm trying to figure out a fix for this, though I can't quite figure out how to call a subfunction like msrpsr that has access to both the first and the second 16-bit word of the instruction.
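An added example (not code from this issue or from the Ghidra project) that models the field split the report describes: it builds the Thumb-2 MSR (register) T1 encoding for `msr <psr>, rN`, then contrasts Rn as the encoding actually names it (bits 3:0 of the first halfword) with what the quoted Sleigh sub-constructor reads (bits 3:0 of the second halfword, which are really SYSm bits). Field layout follows the ARMv7-M encoding; little-endian halfword storage is assumed.

```python
# Constructed model of the MSR (register) T1 encoding and of the bug in the
# quoted Sleigh pattern. Not Ghidra code; field names mirror the Sleigh tokens.

# SYSm values of the PSR group selected by bits 0..2 of the second halfword.
SYSM_PSR = {"apsr": 0, "iapsr": 1, "eapsr": 2, "xpsr": 3}
PSR_NAME = {v: k for k, v in SYSM_PSR.items()}


def encode_msr_psr(psr: str, rn: int) -> bytes:
    """Return the 4 instruction bytes of `msr <psr>, r<rn>` (nzcvq mask, T1)."""
    if not 0 <= rn <= 15:
        raise ValueError("Rn must be r0..r15")
    hw1 = 0xF380 | rn                 # 11110 0 1110 0 0 Rn   -> op4=0xf38, Rn0003
    hw2 = 0x8800 | SYSM_PSR[psr]      # 10 0 0 mask=10 00 SYSm -> op12=8, th_psrmask=8
    # First halfword is stored first; each halfword is little-endian in memory.
    return hw1.to_bytes(2, "little") + hw2.to_bytes(2, "little")


def decode_fields(insn: bytes) -> dict:
    """Split the two halfwords into the fields named in the Sleigh constructor."""
    hw1 = int.from_bytes(insn[0:2], "little")
    hw2 = int.from_bytes(insn[2:4], "little")
    return {
        "op4": hw1 >> 4,                    # bits 15:4 of the first halfword
        "rn_correct": hw1 & 0xF,            # Rn0003 matched in the FIRST halfword
        "op12": hw2 >> 12,
        "th_psrmask": (hw2 >> 8) & 0xF,
        "sysm37": (hw2 >> 3) & 0x1F,
        "sysm02": hw2 & 0x7,                # selects apsr/iapsr/eapsr/xpsr
        "psr": PSR_NAME.get(hw2 & 0x7, "?"),
        # The msrapsr sub-constructor is matched after the ';', so its Rn0003
        # is evaluated against the SECOND halfword: it reads SYSm bits, not Rn.
        "rn_as_sleigh_reads": hw2 & 0xF,
    }


def register_mismatch(insn: bytes) -> tuple:
    """(register the encoding names, register the quoted pcode actually reads)."""
    f = decode_fields(insn)
    return (f"r{f['rn_correct']}", f"r{f['rn_as_sleigh_reads']}")


if __name__ == "__main__":
    insn = encode_msr_psr("apsr", 5)       # the instruction from the report
    print(insn.hex(), decode_fields(insn))
    print(register_mismatch(insn))         # ('r5', 'r0'): matches the screenshot
```

For `msr xpsr, r5` the same model shows the pcode would read r3, because SYSm=3 lands in the bits the pattern treats as Rn.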

danlehmann commented 1 month ago
[Two screenshots attached: "msr definition broken" and "msr screenshot".]
danlehmann commented 1 month ago

This patch addresses the decoding issue: https://github.com/NationalSecurityAgency/ghidra/pull/6598