Special care about the endbr64 instruction

Older versions of capstone are not aware
of this (now common) instruction, thus it is
now hardwired into libsyscall_itercept.

Author: GBuella

src/disasm_wrapper.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2017, Intel Corporation
+ * Copyright 2016-2020, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -207,11 +207,24 @@ struct intercept_disasm_result
 intercept_disasm_next_instruction(struct intercept_disasm_context *context,
 					const unsigned char *code)
 {
+	static const unsigned char endbr64[] = {0xf3, 0x0f, 0x1e, 0xfa};
+
 	struct intercept_disasm_result result = {0, };
 	const unsigned char *start = code;
 	size_t size = (size_t)(context->end - code + 1);
 	uint64_t address = (uint64_t)code;
 
+	if (size >= sizeof(endbr64) &&
+	    memcmp(code, endbr64, sizeof(endbr64)) == 0) {
+		result.is_set = true;
+		result.is_endbr = true;
+		result.length = 4;
+#ifndef NDEBUG
+		result.mnemonic = "endbr64";
+#endif
+		return result;
+	}
+
 	if (!cs_disasm_iter(context->handle, &start, &size,
 	    &address, context->insn)) {
 		result.is_set = false;

src/disasm_wrapper.h

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2017, Intel Corporation
+ * Copyright 2016-2020, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,6 +63,9 @@ struct intercept_disasm_result {
 	 */
 	bool has_ip_relative_opr;
 
+	/* as of now this only refers to endbr64 */
+	bool is_endbr;
+
 	/* call instruction */
 	bool is_call;
 

src/patcher.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2017, Intel Corporation
+ * Copyright 2016-2020, Intel Corporation
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -284,12 +284,13 @@ is_relocateable_before_syscall(struct intercept_disasm_result ins)
 	    ins.is_rel_jump ||
 	    ins.is_jump ||
 	    ins.is_ret ||
+	    ins.is_endbr ||
 	    ins.is_syscall);
 }
 
 /*
  * is_relocateable_after_syscall
- * checks if an instruction found before a syscall instruction
+ * checks if an instruction found after a syscall instruction
  * can be relocated (and thus overwritten).
  *
  * Notice: we allow relocation of ret instructions.
@@ -304,6 +305,7 @@ is_relocateable_after_syscall(struct intercept_disasm_result ins)
 	    ins.is_call ||
 	    ins.is_rel_jump ||
 	    ins.is_jump ||
+	    ins.is_endbr ||
 	    ins.is_syscall);
 }
 

test/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright 2017-2019, Intel Corporation
+# Copyright 2017-2020, Intel Corporation
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -71,6 +71,13 @@ set(asm_patterns
 	pattern_nop_padding8
 	pattern_nop_padding9)
 
+try_compile(ASSEMBLER_SUPPORTS_ENDBR64 ${CMAKE_BINARY_DIR}
+		${CMAKE_CURRENT_SOURCE_DIR}/pattern_endbr64.in.S
+		CMAKE_FLAGS "-DCMAKE_ASM_LINK_EXECUTABLE='echo skip linking'")
+if(ASSEMBLER_SUPPORTS_ENDBR64)
+	list(APPEND asm_patterns pattern_endbr64)
+endif()
+
 set(asm_patterns_failing
 	pattern_double_syscall
 	pattern_rets

test/pattern_endbr64.in.S

@@ -0,0 +1,55 @@
+#
+# Copyright 2020, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#
+#     * Neither the name of the copyright holder nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#
+# A simple test with a syscall preceded by an endbr64 instruction.
+# This happens often in recent versions of glibc, but older versions
+# of capstone are not aware of this instruction.
+#
+
+.intel_syntax noprefix
+
+.global text_start;
+.global text_end;
+
+#include "mock_trampoline_table.S"
+
+.text
+
+text_start:
+		cmp     rax, -1
+		endbr64
+		syscall
+		cmp     rax, -1
+		cmp     rax, -1
+		cmp     rax, -1
+		cmp     rax, -1
+text_end:

test/pattern_endbr64.out.S

@@ -0,0 +1,51 @@
+#
+# Copyright 2020, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in
+#       the documentation and/or other materials provided with the
+#       distribution.
+#
+#     * Neither the name of the copyright holder nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# see pattern_endbr64.in.S
+
+.intel_syntax noprefix
+
+.global text_start;
+.global text_end;
+
+#include "mock_trampoline_table.S"
+
+.text
+
+text_start:
+		cmp     rax, -1
+		endbr64
+		jmp     dst0
+		int3
+		cmp     rax, -1
+		cmp     rax, -1
+		cmp     rax, -1
+text_end: