Issue 670664 in chromium: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong


sebmarch… via monorail

Dec 2, 2016, 8:36:34 AM12/2/16
to syzyg...@chromium.org
Status: Untriaged
Owner: ----
CC: syzyg...@chromium.org

New issue 670664 by sebma...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664

The VEX decoding that we're doing in SyzyAsan for the 3-byte encoded VEX instructions[1] is wrong: it assumes that the instructions always have a fixed length, but that's not always the case; some of them use ModR/M, which means they have a variable length.

It's possible we're getting away with this for Chrome, but it is really flaky and should be fixed.

There are different ways to fix this:
- Disable VEX in Chrome for the SyzyASAN builds.
- Back off on instrumenting blocks we can't disassemble, without failure.
- Add Capstone as a backup disassembler when we can't disassemble an instruction.

(The real solution will probably be a combination of these 3 approaches.)


[1] https://github.com/google/syzygy/blob/master/syzygy/core/disassembler_util.cc#L50

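The length problem described in the report, worked through as an added example (this is not Syzygy's code and not the decoder the issue links to). It computes the byte length of a 3-byte-VEX (C4) instruction the way a disassembler has to: by walking the ModR/M byte, the optional SIB byte and displacement, and then the trailing imm8 that every 0F3A-map instruction and a few 0F-map ones carry. It assumes 32-bit mode, where C4 is only a VEX prefix if the next byte has its top two bits set (otherwise it is LES); the sample encodings are hand-assembled for this example, and the `vex3_length` / `check_samples` names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0F-map (m-mmmm = 1) opcodes that carry an imm8 after ModR/M:
 * vpshufd/vpshufhw/vpshuflw (70), the shift-by-immediate groups (71-73),
 * vcmpps/pd/ss/sd (C2), vpinsrw (C4), vpextrw (C5), vshufps/pd (C6). */
static int map0f_has_imm8(uint8_t opcode) {
    switch (opcode) {
    case 0x70: case 0x71: case 0x72: case 0x73:
    case 0xC2: case 0xC4: case 0xC5: case 0xC6:
        return 1;
    default:
        return 0;
    }
}

/* Length in bytes of the 3-byte-VEX instruction at code[0] (32-bit mode),
 * or 0 if it is not a VEX prefix or the buffer is too short to decode it. */
size_t vex3_length(const uint8_t *code, size_t len) {
    if (len < 4 || code[0] != 0xC4)
        return 0;
    /* In 32-bit mode C4 is LES unless the following byte has mod == 11. */
    if ((code[1] & 0xC0) != 0xC0)
        return 0;
    unsigned map = code[1] & 0x1F;        /* 1 = 0F, 2 = 0F38, 3 = 0F3A */
    if (map < 1 || map > 3)
        return 0;
    uint8_t opcode = code[3];
    size_t size = 4;                       /* C4, two payload bytes, opcode */

    /* vzeroupper / vzeroall (0F 77) have no ModR/M byte at all. */
    if (map == 1 && opcode == 0x77)
        return size;

    if (len < 5) return 0;
    uint8_t modrm = code[4];
    unsigned mod = modrm >> 6, rm = modrm & 7;
    size += 1;
    if (mod != 3) {                        /* memory operand */
        if (rm == 4) {                     /* SIB byte (VSIB for gathers) */
            if (len < 6) return 0;
            unsigned base = code[5] & 7;
            size += 1;
            if (mod == 0 && base == 5) size += 4;   /* no base: disp32 */
        } else if (mod == 0 && rm == 5) {
            size += 4;                     /* absolute disp32 */
        }
        if (mod == 1) size += 1;           /* disp8 */
        if (mod == 2) size += 4;           /* disp32 */
    }
    /* Every 0F3A-map instruction has an imm8; a few 0F-map ones do too. */
    if (map == 3 || (map == 1 && map0f_has_imm8(opcode)))
        size += 1;
    return len >= size ? size : 0;
}

/* Constructed (hand-assembled) AVX2 / F16C encodings and their true lengths. */
struct sample { const char *text; uint8_t bytes[16]; size_t len; size_t expect; };
static const struct sample kSamples[] = {
    {"vpermq ymm0, ymm1, 0x4e",          {0xC4,0xE3,0xFD,0x00,0xC1,0x4E}, 6, 6},
    {"vpbroadcastb ymm0, [eax]",         {0xC4,0xE2,0x7D,0x78,0x00}, 5, 5},
    {"vpbroadcastb ymm0, [esp+0x10]",    {0xC4,0xE2,0x7D,0x78,0x44,0x24,0x10}, 7, 7},
    {"vcvtps2ph xmm1, ymm2, 0",          {0xC4,0xE3,0x7D,0x1D,0xD1,0x00}, 6, 6},
    {"vcvtph2ps ymm0, [ebx+0x100]",      {0xC4,0xE2,0x7D,0x13,0x83,0x00,0x01,0x00,0x00}, 9, 9},
    {"vpgatherdd ymm0, [ymm1*4+0], ymm2",{0xC4,0xE2,0x6D,0x90,0x04,0x8D,0,0,0,0}, 10, 10},
    {"vzeroupper (3-byte VEX form)",     {0xC4,0xE1,0x78,0x77}, 4, 4},
    {"les eax, [eax] (not VEX)",         {0xC4,0x00}, 2, 0},
    {"vpermq truncated before imm8",     {0xC4,0xE3,0xFD,0x00,0xC1}, 5, 0},
};

/* Decodes every sample; returns the number of mismatches (0 means all agree). */
int check_samples(void) {
    int bad = 0;
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++) {
        size_t got = vex3_length(kSamples[i].bytes, kSamples[i].len);
        printf("%-38s expect %2zu got %2zu\n", kSamples[i].text, kSamples[i].expect, got);
        if (got != kSamples[i].expect) bad++;
    }
    return bad;
}

int main(void) { return check_samples() != 0; }
```

The same opcode (vpbroadcastb) comes out at 5, 7 or 9 bytes depending only on the ModR/M and SIB that follow it, which is exactly why a table of fixed lengths per VEX opcode cannot be right. The two 0-returning samples show the check an instrumenter needs before trusting a length: a C4 that is really LES, and a buffer that ends before the imm8, must both be handed back to the regular decoder or skipped rather than instrumented at a guessed size.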

sebmarch… via monorail

Dec 2, 2016, 8:39:32 AM12/2/16
to syzyg...@chromium.org

Comment #1 on issue 670664 by sebma...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c1

I've disabled AVX2 in Skia in https://codereview.chromium.org/2544503004/

a… via monorail

Dec 2, 2016, 7:56:46 PM12/2/16
to syzyg...@chromium.org
Updates:
Labels: M-57

Comment #2 on issue 670664 by a...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c2

Tagging with current canary milestone.

sheriff… via monorail

Dec 16, 2016, 11:01:37 AM12/16/16
to syzyg...@chromium.org

Comment #3 on issue 670664 by sheri...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c3

Pri-0 bugs are critical regressions or serious emergencies, and this bug has not been updated in three days. Could you please provide an update, or adjust the priority to a more appropriate level if applicable?

If a fix is in active development, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

sheriff… via monorail

Dec 30, 2016, 11:03:10 AM12/30/16
to syzyg...@chromium.org

Comment #4 on issue 670664 by sheri...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c4

benhe… via monorail

Aug 1, 2018, 6:05:49 PM8/1/18
to syzyg...@chromium.org
Updates:
Components: Internals>Network
Labels: -Pri-0 Pri-1

Comment #5 on issue 670664 by benh...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c5

Not a P0.

sebmarch… via monorail

Aug 1, 2018, 6:10:50 PM8/1/18
to syzyg...@chromium.org
Updates:
Status: WontFix

Comment #6 on issue 670664 by sebma...@chromium.org: The VEX decoding of the AVX2 and F16C instruction in SyzyAsan is wrong
https://bugs.chromium.org/p/chromium/issues/detail?id=670664#c6

Syzyasan is gone.