Introduce R_ANAL_OP_FAMILY_SECURITY ##anal (#17394)

* Merge PAC and MTE op families into SECURITY
* Add BTI to anal hacks
Co-authored-by: phakeobj <phakeobj@users.noreply.github.com>

libr/anal/op.c

@@ -583,7 +583,7 @@ R_API const char *r_anal_op_family_to_string(int n) {
 	switch (n) {
 	case R_ANAL_OP_FAMILY_UNKNOWN: return "unk";
 	case R_ANAL_OP_FAMILY_CPU: return "cpu";
-	case R_ANAL_OP_FAMILY_PAC: return "pac";
+	case R_ANAL_OP_FAMILY_SECURITY: return "sec";
 	case R_ANAL_OP_FAMILY_FPU: return "fpu";
 	case R_ANAL_OP_FAMILY_MMX: return "mmx";
 	case R_ANAL_OP_FAMILY_SSE: return "sse";
@@ -592,7 +592,6 @@ R_API const char *r_anal_op_family_to_string(int n) {
 	case R_ANAL_OP_FAMILY_CRYPTO: return "crpt";
 	case R_ANAL_OP_FAMILY_IO: return "io";
 	case R_ANAL_OP_FAMILY_VIRT: return "virt";
-	case R_ANAL_OP_FAMILY_MTE: return "mte";
 	}
 	return NULL;
 }
@@ -611,9 +610,8 @@ R_API int r_anal_op_family_from_string(const char *f) {
 		{"virt", R_ANAL_OP_FAMILY_VIRT},
 		{"crpt", R_ANAL_OP_FAMILY_CRYPTO},
 		{"io", R_ANAL_OP_FAMILY_IO},
-		{"pac", R_ANAL_OP_FAMILY_PAC},
+		{"sec", R_ANAL_OP_FAMILY_SECURITY},
 		{"thread", R_ANAL_OP_FAMILY_THREAD},
-		{"mte", R_ANAL_OP_FAMILY_MTE},
 	};
 
 	int i;

libr/anal/p/anal_arm_cs.c

@@ -2255,7 +2255,7 @@ static void anop64(csh handle, RAnalOp *op, cs_insn *insn) {
 	case ARM64_INS_XPACI:
 	case ARM64_INS_XPACLRI:
 		op->type = R_ANAL_OP_TYPE_CMP;
-		op->family = R_ANAL_OP_FAMILY_PAC;
+		op->family = R_ANAL_OP_FAMILY_SECURITY;
 		break;
 #endif
 	case ARM64_INS_SVC:
@@ -2509,26 +2509,26 @@ static void anop64(csh handle, RAnalOp *op, cs_insn *insn) {
 	case ARM64_INS_BLRAAZ:
 	case ARM64_INS_BLRAB:
 	case ARM64_INS_BLRABZ:
-		op->family = R_ANAL_OP_FAMILY_PAC;
+		op->family = R_ANAL_OP_FAMILY_SECURITY;
 		op->type = R_ANAL_OP_TYPE_RCALL;
 		break;
 	case ARM64_INS_BRAA:
 	case ARM64_INS_BRAAZ:
 	case ARM64_INS_BRAB:
 	case ARM64_INS_BRABZ:
-		op->family = R_ANAL_OP_FAMILY_PAC;
+		op->family = R_ANAL_OP_FAMILY_SECURITY;
 		op->type = R_ANAL_OP_TYPE_RJMP;
 		break;
 	case ARM64_INS_LDRAA:
 	case ARM64_INS_LDRAB:
-		op->family = R_ANAL_OP_FAMILY_PAC;
+		op->family = R_ANAL_OP_FAMILY_SECURITY;
 		op->type = R_ANAL_OP_TYPE_LOAD;
 		break;
 	case ARM64_INS_RETAA:
 	case ARM64_INS_RETAB:
 	case ARM64_INS_ERETAA:
 	case ARM64_INS_ERETAB:
-		op->family = R_ANAL_OP_FAMILY_PAC;
+		op->family = R_ANAL_OP_FAMILY_SECURITY;
 		op->type = R_ANAL_OP_TYPE_RET;
 		break;
 #endif

libr/anal/p/anal_arm_hacks.inc

@@ -1,3 +1,4 @@
+#include "r_anal.h"
 static int hack_handle_dp_reg(ut32 insn, RAnalOp *op) {
 	const bool op0 = (insn >> 30) & 0x1;
 	const bool op1 = (insn >> 28) & 0x1;
@@ -119,6 +120,29 @@ static int hack_handle_dp_imm(ut32 insn, RAnalOp *op) {
 	return -1;
 }
 
+static int hack_handle_br_exc_sys(ut32 insn, RAnalOp *op) {
+	const ut8 op0 = (insn >> 29) & 0x7;
+	const ut16 op1 = (insn >> 12) & 0x3fff;
+	ut8 op2 = insn & 0x1f;
+
+	// Hints
+	if (op0 == 6 && op1 == 4146 && op2 == 31) {
+		const ut8 CRm = (insn >> 8) & 0xf;
+		op2 = (insn >> 5) & 0x7;
+		if (CRm == 4 && (op2 & 1) == 0) {
+			switch (op2) {
+			case 0:
+			case 2:
+			case 4:
+			case 6:
+				op->type = R_ANAL_OP_TYPE_CMP;
+				return op->size = 4;
+			}
+		}
+	}
+	return -1;
+}
+
 static inline int hackyArmAnal(RAnal *a, RAnalOp *op, const ut8 *buf, int len) {
 	int ret = -1;
 	ut32 *insn = (ut32 *)buf;
@@ -154,6 +178,11 @@ static inline int hackyArmAnal(RAnal *a, RAnalOp *op, const ut8 *buf, int len) {
 			// addg, subg
 			ret = hack_handle_dp_imm (*insn, op);
 			break;
+		case 10:
+		case 11:
+			// bti
+			ret = hack_handle_br_exc_sys (*insn, op);
+			break;
 		// Loads and Stores
 		case 4:
 		case 6:
@@ -167,7 +196,7 @@ static inline int hackyArmAnal(RAnal *a, RAnalOp *op, const ut8 *buf, int len) {
 		}
 
 		if (ret > 0) {
-			op->family = R_ANAL_OP_FAMILY_MTE;
+			op->family = R_ANAL_OP_FAMILY_SECURITY;
 		}
 
 	}

libr/core/cmd_search.c

@@ -983,7 +983,7 @@ R_API RList *r_core_get_boundaries_prot(RCore *core, int perm, const char *mode,
 }
 
 static bool is_end_gadget(const RAnalOp *aop, const ut8 crop) {
-	if (aop->family == R_ANAL_OP_FAMILY_PAC) {
+	if (aop->family == R_ANAL_OP_FAMILY_SECURITY) {
 		return false;
 	}
 	switch (aop->type) {

libr/include/r_anal.h

@@ -352,17 +352,16 @@ typedef struct r_anal_meta_item_t {
 // anal
 typedef enum {
 	R_ANAL_OP_FAMILY_UNKNOWN = -1,
-	R_ANAL_OP_FAMILY_CPU = 0,/* normal cpu instruction */
-	R_ANAL_OP_FAMILY_FPU,    /* fpu (floating point) */
-	R_ANAL_OP_FAMILY_MMX,    /* multimedia instruction (packed data) */
-	R_ANAL_OP_FAMILY_SSE,    /* extended multimedia instruction (packed data) */
-	R_ANAL_OP_FAMILY_PRIV,   /* privileged instruction */
-	R_ANAL_OP_FAMILY_CRYPTO, /* cryptographic instructions */
-	R_ANAL_OP_FAMILY_THREAD, /* thread/lock/sync instructions */
-	R_ANAL_OP_FAMILY_VIRT,   /* virtualization instructions */
-	R_ANAL_OP_FAMILY_PAC,    /* pointer authentication instructions */
-	R_ANAL_OP_FAMILY_IO,     /* IO instructions (i.e. IN/OUT) */
-	R_ANAL_OP_FAMILY_MTE,    /* Memory Tagging Extension instructions */
+	R_ANAL_OP_FAMILY_CPU = 0,	/* normal cpu instruction */
+	R_ANAL_OP_FAMILY_FPU,    	/* fpu (floating point) */
+	R_ANAL_OP_FAMILY_MMX,    	/* multimedia instruction (packed data) */
+	R_ANAL_OP_FAMILY_SSE,    	/* extended multimedia instruction (packed data) */
+	R_ANAL_OP_FAMILY_PRIV,   	/* privileged instruction */
+	R_ANAL_OP_FAMILY_CRYPTO, 	/* cryptographic instructions */
+	R_ANAL_OP_FAMILY_THREAD, 	/* thread/lock/sync instructions */
+	R_ANAL_OP_FAMILY_VIRT,   	/* virtualization instructions */
+	R_ANAL_OP_FAMILY_SECURITY,	/* security instructions */
+	R_ANAL_OP_FAMILY_IO,     	/* IO instructions (i.e. IN/OUT) */
 	R_ANAL_OP_FAMILY_LAST
 } RAnalOpFamily;
 

test/db/anal/arm64

@@ -77,7 +77,7 @@ size: 4
 sign: false
 type: mov
 cycles: 0
-family: mte
+family: sec
 --
 address: 0x100007f14
 opcode: addg x9, x8, 0x20, 0x0
@@ -93,6 +93,6 @@ size: 4
 sign: false
 type: add
 cycles: 0
-family: mte
+family: sec
 EOF
 RUN