From a9099be4f9494bbd31b891863568f661ddd9c509 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Tue, 30 Apr 2024 15:05:03 +0200
Subject: pkg/ifuzz: fix instruction decoding on x86

Decode() was only checking full opcode byte(s), whereas certain instructions are encoded in a way that some bits of the opcode are stored in the ModR/M byte. In particular, e.g. there is a variation of MUL encoded as: F7 /4 (which means the opcode byte is F7, and MODRM.reg is 4), and a variation of TEST encoded as: F7 /0 (opcode byte is also F7, and MODRM.reg is 0), which were previously indistinguishable (the decoder would incorrectly treat the MUL instruction as a TEST instruction if there were at least four extra bytes following it). Make sure to calculate and check the MODRM.reg value if insn.Reg is set to a non-negative value.
---
 pkg/ifuzz/x86/decode.go | 4 ++++
 1 file changed, 4 insertions(+)
 (limited to 'pkg/ifuzz')

diff --git a/pkg/ifuzz/x86/decode.go b/pkg/ifuzz/x86/decode.go
index 1306f40db..0160e0fd3 100644
--- a/pkg/ifuzz/x86/decode.go
+++ b/pkg/ifuzz/x86/decode.go
@@ -145,7 +145,11 @@ nextInsn:
 modrm := text1[0]
 text1 = text1[1:]
 mod := modrm >> 6
+ reg := int8(modrm>>3) & 7
 rm := modrm & 7
+ if insn.Reg >= 0 && reg != insn.Reg {
+ continue nextInsn
+ }
 if !insn.NoSibDisp {
 disp := 0
 if addrSize == 2 {
-- 
cgit mrf-deployment
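Review bot: The new `if insn.Reg >= 0 && reg != insn.Reg` check carries an unstated contract that deserves a comment on that line: a negative `Reg` means the opcode has no `/digit` extension and the field is deliberately left unchecked, and the bare 3-bit ModR/M.reg is compared without any REX.R extension, which is correct only because the SDM specifies that REX.R is ignored when the reg field defines an extended opcode. Suggested: `// Reg < 0: opcode has no /digit extension. REX.R never extends an opcode-extension field, so the bare 3-bit reg value is compared.` The `continue nextInsn` fires after the ModR/M byte has already been consumed from `text1`, which is only safe if `text1` is re-derived from the input for every candidate at the top of the loop; the loop head is outside the hunk, so this could not be confirmed here. Masking before the conversion, `reg := int8((modrm >> 3) & 7)`, would read slightly clearer, though the result is identical since `modrm>>3` already fits in an int8.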