capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

UB on PPC because `vargs` are not cast. #2458

Open Rot127 opened 3 months ago

Rot127 commented 3 months ago

Expected behavior

No OOB on PPC.

Actual behavior

The generator does not cast the varg arguments before passing them to add_cs_detail(), and sometimes it passes non-64-bit values but unpacks them as uint64_t, which is UB for some compilers (PPC apparently). In general we should always cast values to uint64_t before passing them as vargs. The operand handler can cast them back.

Steps to reproduce the behavior

Compile Capstone for PPC.

Additional Logs, screenshots, source code, configuration dump, ...

Could be fixed by: https://github.com/capstone-engine/capstone/issues/2135

cc @thestr4ng3r

thestr4ng3r commented 3 months ago

This is UB, not necessarily anything OOB. I am able to reproduce it on Mac OS X 10.5 on ppc. The safest solution would be to not use varargs at all, so the compiler can ensure that types are correct.
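The cast-at-call-site fix proposed in the issue above and the no-varargs alternative suggested in this reply, side by side, as an added C example that is not Capstone's code: `detail_t`, `add_detail_va`, `DETAIL_ARG`, `build_va`, `build_typed` and the two `detail_*` readers are hypothetical stand-ins for add_cs_detail() and its operand handler.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical stand-in for Capstone's add_cs_detail(): a variadic sink that
 * unpacks every extra argument as uint64_t, as the issue describes. */
#define MAX_DETAIL 4
typedef struct { uint64_t vals[MAX_DETAIL]; int n; } detail_t;

static void add_detail_va(detail_t *d, int count, ...) {
    va_list ap;
    va_start(ap, count);
    d->n = count > MAX_DETAIL ? MAX_DETAIL : count;
    for (int i = 0; i < d->n; i++)
        d->vals[i] = va_arg(ap, uint64_t); /* valid only if the caller pushed uint64_t */
    va_end(ap);
}

/* Bug shape from the issue: an `int` shift amount and a `bool` flag pushed
 * through unchanged. Default argument promotion widens them only to int, so
 * va_arg(ap, uint64_t) reads a slot of a different size: undefined behaviour.
 *   add_detail_va(&d, 2, shift, has_ext);   // UB, shown only as the anti-pattern */

/* Fix 1 (the issue's proposal): cast every varg to uint64_t at the call site;
 * the operand handler casts back to the original type when it reads the slot. */
#define DETAIL_ARG(x) ((uint64_t)(x))

static detail_t build_va(int shift, bool has_ext) {
    detail_t d = {0};
    add_detail_va(&d, 2, DETAIL_ARG(shift), DETAIL_ARG(has_ext));
    return d;
}

/* Fix 2 (this reply's suggestion): no varargs at all, so the compiler checks
 * the argument types and no cast discipline is needed at call sites. */
static detail_t build_typed(int shift, bool has_ext) {
    detail_t d = { .n = 2 };
    d.vals[0] = (uint64_t)shift;
    d.vals[1] = (uint64_t)has_ext;
    return d;
}

/* Handler side: recover the original types from the uint64_t slots. */
static int detail_shift(detail_t d) { return (int)d.vals[0]; }
static bool detail_has_ext(detail_t d) { return d.vals[1] != 0; }
```

Both builders yield the same slots, so a negative shift survives the uint64_t round trip and the flag reads back unchanged; only the first relies on every call site remembering the cast.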

Rot127 commented 3 months ago

Ah, yes. I should think while writing. Added the relevant issue as well.

thestr4ng3r commented 2 months ago

Reproducer:

xserve1:capstone florian$ uname -pv
Darwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC powerpc
xserve1:capstone florian$ cstool -d aarch64 204862f8
Assertion failed: (0 && "Extender not handled\n"), function AArch64_set_detail_shift_ext, file /Users/florian/dev/capstone/arch/AArch64/AArch64Mapping.c, line 2703.
Abort trap