1

Say we have an thumb2 elf file with following disassemble snippet by objdump:

00279ae0 <some_func>:
  279ae0: e92d 4ff0     stmdb    sp!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
  279ae4: 4606          mov    r6, r0
  279ae6: f8df 9338     ldr.w    r9, [pc, #824]
  279aea: f44f 7380     mov.w    r3, #256
  ....
  279af2: 44f9          add    r9, pc
  279af4: ed2d 8b02     vpush    {d8}
  279af8: f8d6 108c     ldr.w    r1, [r6, #140]

1) if I modify line 279af2 to some illegal instructions, like "ffff", than uppon executing, process will get a SIGILL/ILL_ILLOPC when running into ffff

2) if I modify line 279af4 to illegal instructions ed2d ffff, process will just exit WITHOUT any signal received or any output in kmsg...... I really want to know why this happens only to NEON instructions? In this case, I'm expecting some error hint, but there is none... where can I find extra error hint other than kernel message?

Thank you guys so much.

Bill Randerson
  • 1,028
  • 1
  • 11
  • 29
  • Note that `ed2d ffff` is actually the generic coprocessor instruction `stc p15, c15, [sp, #255]!` - now, such illegal accesses to CP15 should still be treated as undefined instructions, but it's possible it may trap in a slightly different way (I have some suspicions, but I don't have the means to check them right now) – Notlikethat Apr 10 '15 at 10:55
  • @Notlikethat, so by which cpu can determine to interpret this "ed2d ffff" as a neon instruction or two consecutive thumb instruction? – Bill Randerson Apr 11 '15 at 13:01
  • 2
    `ed2d ffff` isn't a NEON instruction, nor is interpreted as one - rather, NEON and VFP instructions are actually nothing more than coprocessor instructions using CP10 and CP11 - you _could_ write them all as `ldc`/`stc` and `cdp` instructions if you really wanted to. To clarify, `ed2d ffff` is a perfectly valid coprocessor instruction _encoding_, it's the _operation_ of that instruction which is undefined since CP15 is reserved. It's the relevant encoding bits in the `ed2d` halfword that identify it as the first half of a 32-bit instruction. – Notlikethat Apr 11 '15 at 13:27
  • @Notlikethat, by saying NEON and VFP instructions could be written all as ldc/stc and cdp instructions, how would that be done. Let's take the original instruction "ed2d 8b02" as example, it's disassebled to be a NEON instruction "vpush {d8}", how can it be re-written as "ldc/stc" instructions? My first thought is to interpret this instruction as "ed2d" and "8b02" respectively, and then disassemble them and turn out: 2ded ---> wstrb wr0, [sp] 028b ---> ldrh r2, [r0, 24] Is that correct? – Bill Randerson Apr 11 '15 at 13:48
  • FWIW I tried to reproduce this, but both cases gave the same result with a 4.0 kernel and my BusyBox userspace - process terminated with "Invalid instruction" message. There is indeed a [whole complicated path for trapping coprocessor-related undef exceptions](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/kernel/entry-armv.S#n561), but AFAICT it _should_ end up going pretty much the same way as your basic undefined instruction encoding. – Notlikethat Apr 13 '15 at 23:07

0 Answers0