validator_ragel: Use different actions for different types of commands

src/trusted/validator_ragel/unreviewed/validator-x86_64.rl

 /*
  * Copyright (c) 2012 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 #include <assert.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ skipping 70 matching lines @@
   action rel16_operand {
     assert(FALSE);
   }
   action rel32_operand {
     int32_t offset =
            (uint32_t) (p[-3] + 256U * (p[-2] + 256U * (p[-1] + 256U * (p[0]))));
     size_t jump_dest = offset + (p - data);
     check_jump_dest;
   }
 
-  include decode_x86_64 "validator-x86_64-instruction.rl";
-
-  action process_normal_instruction {
+  action process_0_operands {
     /* Restricted %rsp or %rbp must be processed by appropriate nacl-special
-       instruction, not with regular instruction.  */
+     * instruction, not with regular instruction.  */
     if (restricted_register == REG_RSP) {
       PrintError("Incorrectly modified register %%rsp\n", begin - data);
       result = 1;
+      goto error_detected;
+    } else if (restricted_register == REG_RBP) {
+      PrintError("Incorrectly modified register %%rbp\n", begin - data);
+      result = 1;
+      goto error_detected;
+    }
+    restricted_register = kNoRestrictedReg;
+  }
+
+  action process_1_operands {
+    /* Restricted %rsp or %rbp must be processed by appropriate nacl-special
+     * instruction, not with regular instruction.  */
+    if (restricted_register == REG_RSP) {
+      PrintError("Incorrectly modified register %%rsp\n", begin - data);
+      result = 1;
       goto error_detected;
     } else if (restricted_register == REG_RBP) {
       PrintError("Incorrectly modified register %%rbp\n", begin - data);
       result = 1;
       goto error_detected;
     }
-    /* If Sandboxed Rsi is destroyed then we must note that.  */
+    /* If Sandboxed Rsi is destroyed then we must detect that.  */
+    if (restricted_register == kSandboxedRsi) {
+      if (CHECK_OPERAND(0, REG_RSI, OperandSandboxRestricted) ||
+          CHECK_OPERAND(0, REG_RSI, OperandSandboxUnrestricted)) {
+        restricted_register = kNoRestrictedReg;
+      }
+    }
+    if (restricted_register == kSandboxedRsi) {
+      if (CHECK_OPERAND(0, REG_RDI, OperandSandboxRestricted)) {
+        sandboxed_rsi_restricted_rdi = begin;
+        restricted_register = kSandboxedRsiRestrictedRdi;
+      }
+    }
+    if (restricted_register != kSandboxedRsiRestrictedRdi) {
+      restricted_register = kNoRestrictedReg;
+      if (CHECK_OPERAND(0, REG_R15, OperandSandbox8bit) ||
+          CHECK_OPERAND(0, REG_R15, OperandSandboxRestricted) ||
+          CHECK_OPERAND(0, REG_R15, OperandSandboxUnrestricted)) {
+        PrintError("Incorrectly modified register %%r15\n", begin - data);
+        result = 1;
+        goto error_detected;
+      } else if ((CHECK_OPERAND(0, REG_RBP, OperandSandbox8bit) &&
+                  GET_REX_PREFIX()) ||
+                 CHECK_OPERAND(0, REG_RBP, OperandSandboxUnrestricted)) {
+        PrintError("Incorrectly modified register %%rbp\n", begin - data);
+        result = 1;
+        goto error_detected;
+      } else if ((CHECK_OPERAND(0, REG_RSP, OperandSandbox8bit) &&
+                  GET_REX_PREFIX()) ||
+                 CHECK_OPERAND(0, REG_RSP, OperandSandboxUnrestricted)) {
+        PrintError("Incorrectly modified register %%rsp\n", begin - data);
+        result = 1;
+        goto error_detected;
+      /* Take 2 bits of operand type from operand_states as restricted_register,
+       * make sure operand_states denotes a register (4th bit == 0). */
+      } else if ((operand_states & 0x70) == (OperandSandboxRestricted << 5)) {
+        restricted_register = operand_states & 0x0f;
+      }
+    }
+  }
+
+  action process_2_operands {
+    /* Restricted %rsp or %rbp must be processed by appropriate nacl-special
+     * instruction, not with regular instruction.  */
+    if (restricted_register == REG_RSP) {
+      PrintError("Incorrectly modified register %%rsp\n", begin - data);
+      result = 1;
+      goto error_detected;
+    } else if (restricted_register == REG_RBP) {
+      PrintError("Incorrectly modified register %%rbp\n", begin - data);
+      result = 1;
+      goto error_detected;
+    }
+    /* If Sandboxed Rsi is destroyed then we must detect that.  */
     if (restricted_register == kSandboxedRsi) {
       if (CHECK_OPERAND(0, REG_RSI, OperandSandboxRestricted) ||
           CHECK_OPERAND(0, REG_RSI, OperandSandboxUnrestricted) ||
           CHECK_OPERAND(1, REG_RSI, OperandSandboxRestricted) ||
           CHECK_OPERAND(1, REG_RSI, OperandSandboxUnrestricted)) {
         restricted_register = kNoRestrictedReg;
       }
     }
     if (restricted_register == kSandboxedRsi) {
       if (CHECK_OPERAND(0, REG_RDI, OperandSandboxRestricted) ||
@@ skipping 24 matching lines @@
         goto error_detected;
       } else if ((CHECK_OPERAND(0, REG_RSP, OperandSandbox8bit) &&
                   GET_REX_PREFIX()) ||
                  CHECK_OPERAND(0, REG_RSP, OperandSandboxUnrestricted) ||
                  (CHECK_OPERAND(1, REG_RSP, OperandSandbox8bit) &&
                   GET_REX_PREFIX()) ||
                  CHECK_OPERAND(1, REG_RSP, OperandSandboxUnrestricted)) {
         PrintError("Incorrectly modified register %%rsp\n", begin - data);
         result = 1;
         goto error_detected;
+      /* Take 2 bits of operand type from operand_states as restricted_register,
+       * make sure operand_states denotes a register (4th bit == 0).  */
       } else if ((operand_states & 0x70) == (OperandSandboxRestricted << 5)) {
         restricted_register = operand_states & 0x0f;
+      /* Take 2 bits of operand type from operand_states as restricted_register,
+       * make sure operand_states denotes a register (12th bit == 0).  */
       } else if ((operand_states & 0x7000) ==
-                                        (OperandSandboxRestricted << (5 + 8))) {
+          (OperandSandboxRestricted << (5 + 8))) {
         restricted_register = (operand_states & 0x0f00) >> 8;
       }
     }
   }
 
+  include decode_x86_64 "validator-x86_64-instruction.rl";
+
   # Remove special instructions which are only allowed in special cases.
-  normal_instruction = (one_instruction - (
+  normal_instruction = one_instruction - (
     (0x48 0x89 0xe5)             | # mov %rsp,%rbp
     (0x48 0x89 0xec)             | # mov %rbp,%rsp
     (0x48 0x81 0xe4 any{4})      | # and $XXX,%rsp
     (0x48 0x83 0xe4 any)         | # and $XXX,%rsp
     (0x4c 0x01 0xfd)             | # add %r15,%rbp
     (0x49 0x8d 0x2c 0x2f)        | # lea (%r15,%rbp,1),%rbp
     (0x4a 0x8d 0x6c 0x3d any)    | # lea 0x0(%rbp,%r15,1),%rbp
     (0x48 0x81 0xe5 any{4})      | # and $XXX,%rsp
     (0x48 0x83 0xe5 any)         | # and $XXX,%rsp
     (0x4c 0x01 0xfc)             | # add %r15,%rsp
     (0x4a 0x8d 0x24 0x3c)        | # lea (%rsp,%r15,1),%rsp
     (0x49 0x8d 0x34 0x37)        | # lea (%r15,%rsi,1),%rsi
     (0x49 0x8d 0x3c 0x3f)          # lea (%r15,%rdi,1),%rdi
-  )) @process_normal_instruction;
+  );
 
   data16condrep = (data16 | condrep data16 | data16 condrep);
   data16rep = (data16 | rep data16 | data16 rep);
 
   special_instruction =
     (0x48 0x89 0xe5)                       | # mov %rsp,%rbp
     (0x48 0x81 0xe4 any{3} (0x80 .. 0xff)) | # and $XXX,%rsp
     (0x48 0x83 0xe4 (0x80 .. 0xff))          # and $XXX,%rsp
     @{ if (restricted_register == REG_RSP) {
          PrintError("Incorrectly modified register %%rsp\n", begin - data);
@@ skipping 187 matching lines @@
    * OperandSandboxUnrestricted to match the behavior of the old validator.
    *
    * 8bit operands must be distinguished from other types because the REX prefix
    * regulates the choice between %ah and %spl, as well as %ch and %bpl.
    */
   OperandSandbox8bit,
   OperandSandboxRestricted,
   OperandSandboxUnrestricted
 };
 
-/* Define SET_OPERAND_NAME as SET_OPERAND_NAME_0, SET_OPERAND_NAME_1 to detect
- * cases where more than two general purpose registers are affected.  This will
- * produce a compile-time error if an operand with unexpected number is
- * encountered. */
-#define SET_OPERAND_NAME(N, S) SET_OPERAND_NAME_ ## N(S)
-#define SET_OPERAND_NAME_0(S) operand_states |= (S)
-#define SET_OPERAND_NAME_1(S) operand_states |= ((S) << 8)
+#define SET_OPERAND_NAME(N, S) operand_states |= ((S) << ((N) << 3))
 #define SET_OPERAND_TYPE(N, T) SET_OPERAND_TYPE_ ## T(N)
 #define SET_OPERAND_TYPE_OperandSize8bit(N) \
   operand_states |= OperandSandbox8bit << (5 + ((N) << 3))
 #define SET_OPERAND_TYPE_OperandSize16bit(N) \
   operand_states |= OperandSandboxUnrestricted << (5 + ((N) << 3))
 #define SET_OPERAND_TYPE_OperandSize32bit(N) \
   operand_states |= OperandSandboxRestricted << (5 + ((N) << 3))
 #define SET_OPERAND_TYPE_OperandSize64bit(N) \
   operand_states |= OperandSandboxUnrestricted << (5 + ((N) << 3))
 #define CHECK_OPERAND(N, S, T) \
@@ skipping 120 matching lines @@
   uint8_t rex_prefix = FALSE;
   uint8_t vex_prefix2 = 0xe0;
   uint8_t vex_prefix3 = 0x00;
   /* Keeps one byte of information per operand in the current instruction:
    *  2 bits for register kinds,
    *  5 bits for register numbers (16 regs plus RIZ). */
   int operand_states = 0;
   enum register_name base = NO_REG;
   enum register_name index = NO_REG;
   int result = 0;
-  /*
-   * These are borders of the appropriate instructions.  Initialize them to make
+  /* These are borders of the appropriate instructions.  Initialize them to make
    * compiler happy: they are never used uninitialized even without explicit
-   * initialization but GCC is not sophysicated enough to prove that.
-   */
+   * initialization but GCC is not sophysicated enough to prove that.  */
   const uint8_t *sandboxed_rsi = 0;
   const uint8_t *sandboxed_rsi_restricted_rdi = 0;
   const uint8_t *sandboxed_rdi = 0;
 
   assert(size % bundle_size == 0);
 
   while (p < data + size) {
     const uint8_t *pe = p + bundle_size;
     const uint8_t *eof = pe;
     int cs;
     enum {
       kNoRestrictedReg = 32,
       kSandboxedRsi,
       kSandboxedRdi,
       kSandboxedRsiRestrictedRdi,
       kSandboxedRsiSandboxedRdi
     }; uint8_t restricted_register = kNoRestrictedReg;
 
     %% write init;
   /* Ragel-generated code stores a difference between pointers into an "int"
-     variable. This produces C4244 warning on Windows x64.  */
+   * variable. This produces C4244 warning on Windows x64.  */
 #ifdef _MSC_VER
 #pragma warning(push)
 #pragma warning(disable: 4244) // possible loss of data
 #endif
     %% write exec;
 #ifdef _MSC_VER
 #pragma warning(pop)
 #endif
 
     if (restricted_register == REG_RBP) {
       PrintError("Incorrectly sandboxed %%rbp\n", begin - data);
       result = 1;
       goto error_detected;
     } else if (restricted_register == REG_RSP) {
       PrintError("Incorrectly sandboxed %%rsp\n", begin - data);
       result = 1;
       goto error_detected;
     }
   }
 
   if (CheckJumpTargets(valid_targets, jump_dests, size)) {
     return 1;
   }
 
 error_detected:
   return result;
 }