Off-by-one instruction when function splicing with x86_64 #29
Description
This bug is tied to the fact that this slice of code in shiva_module.c uses logic that is based on the fact that every
instruction is ARM_INSN_LEN bytes (4 bytes). In x86_64 the instructions are variable length.
if (transform->new_len == transform->old_len) {
transform->flags |= SHIVA_TRANSFORM_F_REPLACE;
} else if (transform->new_len < transform->old_len) {
transform->flags |=
(SHIVA_TRANSFORM_F_NOP_PAD | SHIVA_TRANSFORM_F_REPLACE);
} else if ((transform->new_len > transform->old_len) &&
transform->old_len > ARM_INSN_LEN) {
transform->flags |=
(SHIVA_TRANSFORM_F_EXTEND);
} else if (transform->old_len == ARM_INSN_LEN && transform->new_len > 0) {
transform->flags |=
(SHIVA_TRANSFORM_F_EXTEND | SHIVA_TRANSFORM_F_INJECT);
transform->offset += ARM_INSN_LEN;
transform->old_len = 0;
} else if (transform->old_len == 0 && transform->new_len == 0) {
fprintf(stderr, "Invalid patch lengths. Length of patch: %zu,"
" Length of patch area: %zu\n", transform->new_len, transform->old_len);
return false;
}
I'm going to encase this into a function set_transform_type() that based on the architecture handles setting the transform type operation correctly.