Update decoder to handle indirect jumps for jump tables and syscall/i…

…nterrupt pseudo-call control flow
intel · Nov 20, 2023 · 31a980d · 31a980d
1 parent a983273
commit 31a980d
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/modules/tsffs/src/tsffs/src/arch/x86.rs b/modules/tsffs/src/tsffs/src/arch/x86.rs
@@ -1133,7 +1133,8 @@ impl TracerDisassembler for Disassembler {
         if let Some(last) = self.last {
             return matches!(
                 last.opcode(),
-                Opcode::JA
+                Opcode::JMP
+                    | Opcode::JA
                     | Opcode::JB
                     | Opcode::JG
                     | Opcode::JGE
@@ -1161,7 +1162,15 @@ impl TracerDisassembler for Disassembler {
     /// Check if an instruction is a call instruction
     fn last_was_call(&self) -> bool {
         if let Some(last) = self.last {
-            return matches!(last.opcode(), Opcode::CALL | Opcode::CALLF);
+            return matches!(
+                last.opcode(),
+                Opcode::CALL
+                    | Opcode::CALLF
+                    | Opcode::INT
+                    | Opcode::INTO
+                    | Opcode::SYSCALL
+                    | Opcode::SYSENTER
+            );
         }
 
         false
@@ -1170,7 +1179,16 @@ impl TracerDisassembler for Disassembler {
     /// Check if an instruction is a ret instruction
     fn last_was_ret(&self) -> bool {
         if let Some(last) = self.last {
-            return matches!(last.opcode(), Opcode::RETF | Opcode::RETURN);
+            return matches!(
+                last.opcode(),
+                Opcode::RETF
+                    | Opcode::RETURN
+                    | Opcode::IRET
+                    | Opcode::IRETD
+                    | Opcode::IRETQ
+                    | Opcode::SYSRET
+                    | Opcode::SYSEXIT
+            );
         }
 
         false

diff --git a/modules/tsffs/src/tsffs/src/arch/x86_64.rs b/modules/tsffs/src/tsffs/src/arch/x86_64.rs
@@ -918,7 +918,8 @@ impl TracerDisassembler for Disassembler {
         if let Some(last) = self.last {
             if matches!(
                 last.opcode(),
-                Opcode::JA
+                Opcode::JMP
+                    | Opcode::JA
                     | Opcode::JB
                     | Opcode::JRCXZ
                     | Opcode::JG
@@ -945,19 +946,36 @@ impl TracerDisassembler for Disassembler {
         false
     }
 
-    /// Check if an instruction is a call instruction
+    /// Check if an instruction is a call instruction (loosely defined, this includes interrupts)
     fn last_was_call(&self) -> bool {
         if let Some(last) = self.last {
-            return matches!(last.opcode(), Opcode::CALL | Opcode::CALLF);
+            return matches!(
+                last.opcode(),
+                Opcode::CALL
+                    | Opcode::CALLF
+                    | Opcode::INT
+                    | Opcode::INTO
+                    | Opcode::SYSCALL
+                    | Opcode::SYSENTER
+            );
         }
 
         false
     }
 
-    /// Check if an instruction is a ret instruction
+    /// Check if an instruction is a ret instruction (loosely defined, this includes interrupts)
     fn last_was_ret(&self) -> bool {
         if let Some(last) = self.last {
-            return matches!(last.opcode(), Opcode::RETF | Opcode::RETURN);
+            return matches!(
+                last.opcode(),
+                Opcode::RETF
+                    | Opcode::RETURN
+                    | Opcode::IRET
+                    | Opcode::IRETD
+                    | Opcode::IRETQ
+                    | Opcode::SYSRET
+                    | Opcode::SYSEXIT
+            );
         }
 
         false