[BPF] Update the BPF arch to match the current specification

capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.

http://www.capstone-engine.org

7.62k stars 1.56k forks source link

[BPF] Update the BPF arch to match the current specification #2544

Open Roeegg2 opened 2 weeks ago

Roeegg2 commented 2 weeks ago

Feature

[ ] New architecture module
[ ] Support for processor extension
[x] Add more instruction details (elaborated below)
[ ] Binding support for: language
[x] Other (elaborated below)

Describe the feature you'd like Update the BPF architecture to the current specification

Additional context

Add JUMP32 instruction class
Add SDIV, SMOD, MOVSX instructions
Add ATOMIC instruction modifier
Add XCHG and CMPXCHG instructions

I think that's everything that needs to be updated, but if you do find something I'm missing, please let me know.

Roeegg2 commented 2 weeks ago

If it's OK I would love to implement that :)

Rot127 commented 2 weeks ago

Sure, go ahead!

Roeegg2 commented 1 week ago

Apparently since around 2019 eBPF programs can jump backwards in code too, so all of the branch instructions are invalid now too... (offset is interpreted as signed value instead of unsigned) I suspect there are other similar major changes too. Should we add an option for different major eBPF versions? So we can still support older programs.

Rot127 commented 1 week ago

Quickly skimmed the kernel ISA and the RFC ISA. They seem to match. So you can change the bpf_op_mem::disp to be a 64bit field and cast it to what the instruction uses.