model: [fix] incorrect tainting of MOVHPS

(cherry picked from commit 95cb220f2d)
2024-07-25 10:14:10 +01:00 · 2024-07-25 10:14:10 +01:00 · 870266a263
--- a/src/model.py
+++ b/src/model.py
@ -1129,10 +1129,10 @@ class BaseTaintTracker(TaintTrackerInterface):
        # FIXME: this is an x86-specific implementation and it should be moved to the x86 model
        override: bool = False
        inst_name = inst.name.lower()
-        if (inst_name.startswith("mov") or inst_name == "lea") \
-                and self.dest_regs \
-                and inst.get_reg_operands()[0].width == 64:
-            override = True
+        if (inst_name.startswith("mov") or inst_name == "lea") and len(self.dest_regs) == 1:
+            reg = inst.get_reg_operands()[0].value
+            if self.target_desc.register_sizes.get(reg, 0) == 64:
+                override = True

        # If the instruction overrides previous dependencies, remove them
        if override:
--- a/src/x86/x86_target_desc.py
+++ b/src/x86/x86_target_desc.py
@ -8,7 +8,6 @@ from typing import List
 import re
 import unicorn.x86_const as ucc  # type: ignore

-
 from ..interfaces import Instruction, TargetDesc, MacroSpec, CPUDesc
 from ..model import UnicornTargetDesc
 from ..config import CONF
@ -16,12 +15,19 @@ from ..config import CONF

 class X86TargetDesc(TargetDesc):
    register_sizes = {
+        "xmm0": 128, "xmm1": 128, "xmm2": 128, "xmm3": 128, "xmm4": 128, "xmm5": 128, "xmm6": 128,
+        "xmm7": 128, "xmm8": 128, "xmm9": 128, "xmm10": 128, "xmm11": 128, "xmm12": 128,
+        "xmm13": 128, "xmm14": 128, "xmm15": 128,
+
        "rax": 64, "rbx": 64, "rcx": 64, "rdx": 64, "rsi": 64, "rdi": 64, "rsp": 64, "rbp": 64,
        "r8": 64, "r9": 64, "r10": 64, "r11": 64, "r12": 64, "r13": 64, "r14": 64, "r15": 64,
+
        "eax": 32, "ebx": 32, "ecx": 32, "edx": 32, "esi": 32, "edi": 32, "r8d": 32, "r9d": 32,
        "r10d": 32, "r11d": 32, "r12d": 32, "r13d": 32, "r14d": 32, "r15d": 32,
+
        "ax": 16, "bx": 16, "cx": 16, "dx": 16, "si": 16, "di": 16, "r8w": 16, "r9w": 16,
        "r10w": 16, "r11w": 16, "r12w": 16, "r13w": 16, "r14w": 16, "r15w": 16,
+
        "al": 8, "bl": 8, "cl": 8, "dl": 8, "sil": 8, "dil": 8, "r8b": 8, "r9b": 8,
        "r10b": 8, "r11b": 8, "r12b": 8, "r13b": 8, "r14b": 8, "r15b": 8,
        "ah": 8, "bh": 8, "ch": 8, "dh": 8,
--- a/tests/x86_tests/unit_taint_tracker.py
+++ b/tests/x86_tests/unit_taint_tracker.py
@ -140,6 +140,17 @@ class X86TaintTrackerTest(unittest.TestCase):
        tracker._finalize_instruction()
        self.assertCountEqual(tracker.reg_deps['A'], ['B', 'C', 'A'])

+    def test_dependency_override_partial(self):
+        """ Test that partial update instructions (e.g., MOVHPS) do NOT override dependencies """
+        tracker = x86_model.X86TaintTracker([])
+
+        inst = Instruction("MOVHPS").add_op(RegisterOperand("XMM1", 128, False,
+                                                            True)).add_op(get_m64_src("RCX"))
+        tracker.start_instruction(inst)
+        tracker.track_memory_access(0x100, 8, False)
+        tracker._finalize_instruction()
+        self.assertCountEqual(tracker.reg_deps['XMM1'], ['XMM1', '0x100'])
+
    def test_dependency_lea(self):
        """ Test that LEA instructions are handled correctly """
        tracker = x86_model.X86TaintTracker([])