Remove an unconstrained context variable in mips16.sinc #7303
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Removing a line which seems to allow the aregs field to be set to any value for encodings of the "restore" instruction, some of which are invalid/reserved.
ryanmkurtz
added
Feature: Processor/MIPS
Status: Triage
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Removing a line which seems to allow the aregs field to be set to any value for encodings of the "restore" instruction, some of which are invalid/reserved. The MIPS sleigh specification contains a constructor for the "restore" instruction which produces a result that differs from the MIPS instruction manual. More specifically, the aregs field is encoded incorrectly in the sleigh specification, as the current encoding includes a mask for the aregs field that is too general.
Take for example the instruction
restore 0x1b8,ra,s0-s1, which contains no aregs arguments. According to page 120 of MIPS32® Architecture for Programmers Volume IV-a: The MIPS16e™ Application Specific Extension to the MIPS32® Architecture[1], valid encodings of this scenario for the aregs field include0000,0100,1000,1100, and1110.[1] https://s3-eu-west-1.amazonaws.com/downloads-mips/documents/MD00076-2B-MIPS1632-AFP-02.63.pdf
However, when assembling this instruction in Ghidra, one AssemblyResolution that is returned contains an AssemblyPatternBlock where the mask for the aregs field is
0000. This means that any encoding for the aregs field is valid forrestore 0x1b8,ra,s0-s1, but that is incorrect. Only the five encodings listed in the paragraph above are valid for that specific instruction. We have found that removing line 172 from mips16.sinc removes the AssemblyResolution with a0000mask.It's unclear to us what the purpose of this line we have removed is, however this change removes a "reserved" encoding from showing up in the "right-click" > "patch instruction" -> "autocomplete" output and fixes an incorrectly broad mask from being returned to pickled canary when assembling the example instruction above.
It also seems like this problem also exists for at least some other instructions as well with their own unconstrained context variables (e.g. the
saveinstruction, specifically line 208 of this file).