Skip to content
This repository has been archived by the owner on Jan 10, 2025. It is now read-only.

Call instruction transfers control to incorrect address #539

Closed
dmakarov opened this issue Oct 6, 2023 · 4 comments · Fixed by #541
Closed

Call instruction transfers control to incorrect address #539

dmakarov opened this issue Oct 6, 2023 · 4 comments · Fixed by #541

Comments

@dmakarov
Copy link

dmakarov commented Oct 6, 2023

Attached a sample program that is executed incorrectly by the VM. The third instruction from the entrypoint is a call which should transfer control to instruction 270817. Instead the VM jumps to instruction 834 according to instruction trace.

sample.zip
@Lichtso
Copy link

Lichtso commented Oct 9, 2023
edited
Loading

It does not jump to instruction 834, but rather from that instruction. The target IP/PC is in the next line.

0 [0000000000000000, 0000000400000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000200001000] 230885: lddw r1, 0x1001c2f38
1 [0000000000000000, 00000001001C2F38, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000200001000] 230887: call function_805
2 [0000000000000000, 00000001001C2F38, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000200003000]    834: callx r1
3 [0000000000000000, 00000001001C2F38, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000000000000, 0000000200005000] 230880: lddw r1, 0x1002e2210

Text section vaddr: 0x100000120
Jump from: 0x100001928
Jump target: 0x1001C2F38
(0x1001C2F38 - 0x100000120) / 8 = 230851 (displayed as 230880)

Looks fine to me. You might be wondering why we still offset addresses before we display them. That is completely outdated (see https://github.com/solana-labs/rbpf/blame/main/src/ebpf.rs#L42) and we can probably remove it.

@Lichtso Lichtso mentioned this issue Oct 9, 2023
Merged
@dmakarov
Copy link
Author

dmakarov commented Oct 9, 2023

For this .so file I have the following disassembly

00000000001c2f38 <coretests::main>:
  230887:	18 01 00 00 10 22 2e 00 00 00 00 00 00 00 00 00	r1 = 0x2e2210 ll
  230889:	b7 02 00 00 f8 05 00 00	r2 = 0x5f8
  230890:	85 10 00 00 f6 9b 00 00	call 0x9bf6

call 0x9bf6 should jump to instruction 270817 which is test::test_main_static

 0000000000210f08 <test::test_main_static>:
  270817:	bf 14 00 00 00 00 00 00	r4 = r1

How does it end up on 834?

@Lichtso
Copy link

Lichtso commented Oct 9, 2023

The offsets are wrong, your disassembler and the one of RBPF are not aligned. They are shifted by text_section.vaddr and ELF_INSN_DUMP_OFFSET.

@dmakarov
Copy link
Author

dmakarov commented Oct 9, 2023

i believe llvm-objdump offsets are correct and less concerned about offset shift. With coretests::main being the entrypoint I don’t see where and how rbpf takes the sequence of insns that it executes

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Cleanup - Removes ELF_INSN_DUMP_OFFSET solana-labs/rbpf
2 participants
@dmakarov @Lichtso