parameter size mismatch in mpn_pi1_bdiv_q_1

Robert Yates rob at reverse-engineering.info
Thu Dec 14 22:14:48 CET 2023


Hi,

I found an obscure bug in gmp 6.3.0.

gmp-impl.h
#define mpn_pi1_bdiv_q_1 __MPN(pi1_bdiv_q_1)
__GMP_DECLSPEC mp_limb_t mpn_pi1_bdiv_q_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t, mp_limb_t, int);


mpn\arm64\bdiv_q_1.asm
define(`cnt', `x5')
PROLOGUE(mpn_pi1_bdiv_q_1)
	sub	n, n, #1
	subs	x6, x6, x6		C clear r6 and C flag
	ldr	x9, [up],#8
	cbz	cnt, L(norm)


The cbz instruction acts upon parameter 6 (a 32-bit int) with the x5 (64-bit) register.

I work on an obfuscation compiler at Quarkslab, and it's possible that optimisations or our transformations can leave random bits in the upper half of x5, which will make the implementation of mpn_pi1_bdiv_q_1 fail, since Clang's codegen will not emit trunc instructions for the 64-bit register, as the function prototype clearly states an `i32` type although the internal function uses a 64-bit register.

I noticed this issue on apple-arm64.
I believe the implementation should be changed to use the `w5` register, or the function prototype should use `long`; either of these solves the issues I've seen.

hope this helps :)
/Regards,
Rob.
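The register-width hazard the report describes, as an added example that is not GMP code and not the reporter's code. On AArch64 an `int` argument arrives in w5 and the upper 32 bits of x5 are not required to be zero, so a callee that tests x5 sees whatever the caller left there. On an AArch64 host the two helpers below execute a real `cbz`; on any other host (an assumption made so the example runs everywhere) they fall back to a software model of the instruction: `cbz xN` tests all 64 bits, `cbz wN` only the low 32. The function and variable names, and the "dirty" upper-half value, are constructed for the example.

```c
/* Added example, not GMP or the reporter's code.  Demonstrates why
 * "cbz x5" misbehaves for an `int` argument on AArch64 and why "cbz w5"
 * (the proposed fix) does not. */
#include <stdint.h>
#include <stdio.h>

/* 1 if "cbz x5, label" would branch when x5 holds `reg`, else 0. */
static int cbz_x5_branches(uint64_t reg)
{
#if defined(__aarch64__)
    uint64_t taken;
    __asm__ volatile(
        "mov  x5, %1\n\t"
        "mov  %0, #0\n\t"
        "cbz  x5, 1f\n\t"      /* tests all 64 bits of x5 */
        "b    2f\n"
        "1:\n\t"
        "mov  %0, #1\n"
        "2:\n\t"
        : "=&r"(taken) : "r"(reg) : "x5", "cc");
    return (int)taken;
#else
    return reg == 0;           /* software model (assumption): all 64 bits */
#endif
}

/* 1 if "cbz w5, label" would branch when x5 holds `reg`, else 0. */
static int cbz_w5_branches(uint64_t reg)
{
#if defined(__aarch64__)
    uint64_t taken;
    __asm__ volatile(
        "mov  x5, %1\n\t"
        "mov  %0, #0\n\t"
        "cbz  w5, 1f\n\t"      /* tests only the low 32 bits */
        "b    2f\n"
        "1:\n\t"
        "mov  %0, #1\n"
        "2:\n\t"
        : "=&r"(taken) : "r"(reg) : "x5", "cc");
    return (int)taken;
#else
    return (uint32_t)reg == 0; /* software model (assumption): low 32 bits */
#endif
}

/* The register image a caller may hand over for an `int cnt` argument:
 * cnt in the low half, anything at all in the high half.  The high half
 * is a constructed stand-in for whatever an optimiser leaves in x5. */
static uint64_t x5_image_for_int(int cnt, uint32_t leftover_high_bits)
{
    return ((uint64_t)leftover_high_bits << 32) | (uint32_t)cnt;
}

/* Which path a bdiv_q_1-style prologue takes on `cbz cnt, L(norm)`:
 * 1 = L(norm) (cnt == 0), 0 = the shifting path.
 * use_w = 0 models the current "cbz x5", use_w = 1 the proposed "cbz w5". */
static int takes_norm_path(int cnt, uint32_t leftover_high_bits, int use_w)
{
    uint64_t x5 = x5_image_for_int(cnt, leftover_high_bits);
    return use_w ? cbz_w5_branches(x5) : cbz_x5_branches(x5);
}

int main(void)
{
    /* Clean caller: both instruction forms agree on cnt == 0. */
    printf("cnt=0, clean upper half : x5 form -> %d, w5 form -> %d\n",
           takes_norm_path(0, 0, 0), takes_norm_path(0, 0, 1));
    /* Dirty upper half: the x5 form misses cnt == 0 and skips L(norm). */
    printf("cnt=0, dirty upper half : x5 form -> %d, w5 form -> %d\n",
           takes_norm_path(0, 0xdeadbeefu, 0), takes_norm_path(0, 0xdeadbeefu, 1));
    return 0;
}
```

On an Apple Silicon or other AArch64 machine, build with `clang -O2` (or `gcc -O2`) and run; the second line shows the x5 form returning 0 for a zero count, which is the failure mode reported above. Elsewhere the fallback model reproduces the same divergence, so the program can be used as a regression check for the `w5` change.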

