
RISC-V: Lifting bug in `JALR rd, rs1, imm` when `rd == rs1`

Open jeanmicheldeva opened this issue 1 year ago • 0 comments

See here: https://github.com/Vector35/binaryninja-api/blob/7d0b6bc3f49070a10d6257628bbdf93e52d87fed/arch/riscv/src/lib.rs#L1220-L1234

If rd == rs1, but is neither zero nor ra (x0 or x1 resp.), the above code will lift the jalr rd, rs1, imm instruction as follows:

# let's say rd == rs1 == t1
# target = t1 + imm
t1 = pc + 4            # inst_len==4
jump(target) <=> jump(t1 + imm) <=> jump(pc + 4 + imm)

Whereas the intended code should be lifted as:

tmp_register = t1 + imm
t1 = pc + 4
jump(tmp_register)

jeanmicheldeva, Oct 17 '24 14:10
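The ordering bug described in the issue, modelled as an added example in Rust (not code from the issue or from the binaryninja-api lifter): two versions of JALR's semantics over a constructed register file, differing only in whether rs1 is read before or after rd is written. Register numbers, pc and immediate values below are constructed for illustration.

```rust
// Constructed example: minimal RISC-V integer register file and two models of
// JALR, showing why "read rs1" must happen before "write rd" when rd == rs1.

const INST_LEN: u64 = 4; // 32-bit encoding, so the link value is pc + 4

/// 32 general-purpose registers; x0 is hardwired to zero.
#[derive(Clone, Debug)]
pub struct Regs(pub [u64; 32]);

impl Regs {
    pub fn new() -> Self {
        Regs([0; 32])
    }
    /// Writes to x0 are discarded, as on real hardware.
    pub fn write(&mut self, r: usize, v: u64) {
        if r != 0 {
            self.0[r] = v;
        }
    }
}

/// Buggy order (what the issue describes): rd is written first, so when
/// rd == rs1 the target is computed from the link value instead of the
/// original rs1. Returns the new pc.
pub fn jalr_buggy(regs: &mut Regs, pc: u64, rd: usize, rs1: usize, imm: i64) -> u64 {
    regs.write(rd, pc + INST_LEN);
    // JALR clears the low bit of the target address.
    regs.0[rs1].wrapping_add(imm as u64) & !1
}

/// Correct order: rs1 + imm is captured in a temporary before rd is clobbered.
pub fn jalr_fixed(regs: &mut Regs, pc: u64, rd: usize, rs1: usize, imm: i64) -> u64 {
    let target = regs.0[rs1].wrapping_add(imm as u64) & !1;
    regs.write(rd, pc + INST_LEN);
    target
}

fn main() {
    const T1: usize = 6; // x6 is t1
    let mut a = Regs::new();
    a.0[T1] = 0x1000; // constructed rs1 value
    let mut b = a.clone();
    let pc = 0x8000;
    // rd == rs1 == t1: the two models disagree on the jump target.
    println!("buggy target: {:#x}", jalr_buggy(&mut a, pc, T1, T1, 0x10)); // 0x8014
    println!("fixed target: {:#x}", jalr_fixed(&mut b, pc, T1, T1, 0x10)); // 0x1010
    println!("t1 after link: {:#x} / {:#x}", a.0[T1], b.0[T1]); // both 0x8004
}
```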