Fixed xchg aliasing (Fixes #560)

Author: mappzor

include/Zydis/Internal/EncoderData.h

@@ -194,8 +194,8 @@ typedef struct ZydisEncodableInstruction_
      * (high bit in `REX.R`). Encoder uses swappable definitions to take advantage of this
      * optimization opportunity.
      *
-     * Second use of this field is to handle special case for `mov` instruction. This particular
-     * conflict is described in detail inside `ZydisHandleSwappableDefinition`.
+     * This field is also used to handle special cases for optimizations. Those opportunities are
+     * described inside `ZydisHandleSwappableDefinition`.
      */
     ZyanU8 swappable                ZYAN_BITFIELD(1);
 } ZydisEncodableInstruction;

src/Encoder.c

@@ -2900,14 +2900,34 @@ static ZyanBool ZydisHandleSwappableDefinition(ZydisEncoderInstructionMatch *mat
     if (match->request->mnemonic == ZYDIS_MNEMONIC_MOV)
     {
         const ZyanU8 imm_size = ZydisGetSignedImmSize(match->request->operands[1].imm.s);
-        if ((match->request->machine_mode == ZYDIS_MACHINE_MODE_LONG_64) &&
-            (match->eosz == 64) &&
-            (imm_size < 64))
+        return (match->request->machine_mode == ZYDIS_MACHINE_MODE_LONG_64) &&
+               (match->eosz == 64) &&
+               (imm_size < 64);
+    }
+
+    // `xchg ax, ax`, `xchg eax, eax`, `xchg rax, rax` can be encoded as single-byte `nop` (opcode
+    // 0x90, see `xchg` documentation in Intel SDM Vol. 2C). However in 64-bit mode operations
+    // on 32-bit operands zero-extend results to full 64 bits (Intel SDM Vol. 1, 3.4.1), so
+    // `xchg eax, eax` should not be aliased in this mode.
+    if (match->request->mnemonic == ZYDIS_MNEMONIC_XCHG)
+    {
+        ZYAN_ASSERT((match->request->operand_count == 2) &&
+                    (match->request->operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER));
+        switch (match->request->operands[0].reg.value)
         {
-            return ZYAN_TRUE;
+        case ZYDIS_REGISTER_AX:
+        case ZYDIS_REGISTER_RAX:
+            match->eosz = 0;
+            return ZYAN_FALSE;
+        case ZYDIS_REGISTER_EAX:
+            match->eosz = 0;
+            return ZydisGetMachineModeWidth(match->request->machine_mode) == 64;
+        default:
+            return ZYAN_FALSE;
         }
     }
 
+    // Check for possible `VEX` optimization
     ZYAN_ASSERT((match->request->operand_count == 2) || (match->request->operand_count == 3));
     const ZyanU8 src_index = (match->request->operand_count == 3) ? 2 : 1;
     const ZyanI8 dest_id = ZydisRegisterGetId(match->request->operands[0].reg.value);

src/Generated/EncoderTables.inc

@@ -1765,18 +1765,19 @@ const ZydisEncoderLookupEntry encoder_instruction_lookup[] =
     { 0x1E47, 1 },
     { 0x1E48, 4 },
     { 0x1E4C, 1 },
-    { 0x1E4D, 6 },
+    { 0x1E4D, 5 },
+    { 0x1E52, 1 },
     { 0x1E53, 1 },
     { 0x1E54, 1 },
     { 0x1E55, 1 },
     { 0x1E56, 1 },
     { 0x1E57, 1 },
     { 0x1E58, 1 },
     { 0x1E59, 1 },
-    { 0x1E5A, 1 },
-    { 0x1E5B, 18 },
-    { 0x1E6D, 2 },
-    { 0x1E6F, 2 },
+    { 0x1E5A, 18 },
+    { 0x1E6C, 2 },
+    { 0x1E6E, 2 },
+    { 0x1E70, 1 },
     { 0x1E71, 1 },
     { 0x1E72, 1 },
     { 0x1E73, 1 },
@@ -1792,10 +1793,9 @@ const ZydisEncoderLookupEntry encoder_instruction_lookup[] =
     { 0x1E7D, 1 },
     { 0x1E7E, 1 },
     { 0x1E7F, 1 },
-    { 0x1E80, 1 },
-    { 0x1E81, 2 },
+    { 0x1E80, 2 },
+    { 0x1E82, 1 },
     { 0x1E83, 1 },
-    { 0x1E84, 1 },
 };
 
 const ZydisEncodableInstruction encoder_instructions[] =
@@ -9557,8 +9557,7 @@ const ZydisEncodableInstruction encoder_instructions[] =
     { 0x0767, 0x0002, 0xC1, 0xC0, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_0F, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
     { 0x0768, 0x000A, 0xC1, 0x00, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_0F, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
     { 0x0769, 0x0019, 0xC7, 0xF8, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_OSZ, ZYAN_FALSE },
-    { 0x076E, 0x0002, 0x90, 0x00, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
-    { 0x076F, 0x0002, 0x91, 0x00, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
+    { 0x076E, 0x0002, 0x90, 0x00, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_TRUE },
     { 0x076A, 0x0002, 0x86, 0xC0, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
     { 0x076B, 0x000A, 0x86, 0x00, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },
     { 0x076C, 0x0002, 0x87, 0xC0, ZYDIS_INSTRUCTION_ENCODING_LEGACY, ZYDIS_OPCODE_MAP_DEFAULT, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_WIDTH_16 | ZYDIS_WIDTH_32 | ZYDIS_WIDTH_64, ZYDIS_MANDATORY_PREFIX_NONE, ZYAN_FALSE, ZYDIS_VECTOR_LENGTH_INVALID, ZYDIS_SIZE_HINT_NONE, ZYAN_FALSE },

tools/ZydisFuzzShared.c

@@ -244,7 +244,7 @@ void ZydisValidateInstructionIdentity(const ZydisDecodedInstruction* insn1,
     // TODO: Probably a good idea to input validate operand_counts to this function
     // TODO: I don't like accessing buffers without having their actual sizes available...
 
-    // Special case, `xchg rAX, rAX` is an alias for `NOP`
+    // Special case, `xchg rAX, rAX` is an alias for `NOP` except `xchg eax, eax` in 64-bit mode
     if ((insn1->mnemonic == ZYDIS_MNEMONIC_XCHG) &&
         (insn1->operand_count == 2) &&
         (operands1[0].type == ZYDIS_OPERAND_TYPE_REGISTER) &&
@@ -255,9 +255,12 @@ void ZydisValidateInstructionIdentity(const ZydisDecodedInstruction* insn1,
         switch (operands1[0].reg.value)
         {
         case ZYDIS_REGISTER_AX:
-        case ZYDIS_REGISTER_EAX:
         case ZYDIS_REGISTER_RAX:
             return;
+        case ZYDIS_REGISTER_EAX:
+            if (insn1->machine_mode != ZYDIS_MACHINE_MODE_LONG_64)
+                return;
+            break;
         default:
             break;
         }