ghidra1
ada4b5c4ae
GP-0 Update Ghidra patch version to 11.4.2
2025-07-31 13:52:18 -04:00
ghidra1
da059ed907
GP-0 Reverted version to 11.4.1 for patch release
2025-07-31 11:21:23 -04:00
ghidra1
2f439d6909
GP-0 Set release version to 11.4.2
2025-07-30 10:11:39 -04:00
ghidra1
cc932b12b2
GP-5888 Corrected regression error in stack editor
2025-07-30 10:09:35 -04:00
Ryan Kurtz
369804843c
GP-0: Fixing docker README file location
2025-07-30 07:56:15 -04:00
ghidra1
fe7cbd8ee8
GP-0 Updated ChangeHistory for 11.4.1 release
2025-07-29 14:31:09 -04:00
ghidra1
a3137e33d7
GP-5881 Corrected regression error with Structure editor change
2025-07-29 14:00:21 -04:00
ghidorahrex
4abf6d55ad
GP-5766: Fixed instruction AVX512 disassembly errors
2025-07-29 08:56:43 -04:00
Ryan Kurtz
9b8468b6b6
Merge remote-tracking branch 'origin/GP-5592_ghidorahrex_PR-7982_niooss-ledger_ebpf-ISA-v4' into patch (Closes #7982)
2025-07-29 08:53:18 -04:00
Nicolas Iooss
24d19f6e8c
Add eBPF ISA v4 instructions
In 2023, the eBPF instruction set was modified to add several
instructions related to signed operations (load with sign-extension,
signed division, etc.), a 32-bit jump instruction and some byte-swap
instructions. This became version 4 of eBPF ISA.
Here are some references about this change:
- https://pchaigno.github.io/bpf/2021/10/20/ebpf-instruction-sets.html
(a blog post about eBPF instruction set extensions)
- https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/
(documentation sent to Linux Kernel mailing list)
- https://www.rfc-editor.org/rfc/rfc9669.html#name-sign-extension-load-operati
(IETF's BPF Instruction Set Architecture standard defined the new
instructions)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n1859
(implementation of signed division and remainder in Linux kernel.
This shows that 32-bit signed DIV and signed MOD are zero-extending
the result in DST)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n2135
(implementation of signed memory load in Linux kernel)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f9a1ea821ff25353a0e80d971e7958cd55b47a3
(commit which added signed memory load instructions in Linux kernel)
This can be tested with a recent enough version of clang and LLVM (this
works with clang 19.1.4 on Alpine 3.21).
For example, for signed memory load instructions:

    signed int sext_8bit(signed char x) {
        return x;
    }

produces:

    $ clang -O0 -target bpf -mcpu=v4 -c test.c -o test.ebpf
    $ llvm-objdump -rd test.ebpf
    ...
    0000000000000000 <sext_8bit>:
           0: 73 1a ff ff 00 00 00 00 *(u8 *)(r10 - 0x1) = r1
           1: 91 a1 ff ff 00 00 00 00 r1 = *(s8 *)(r10 - 0x1)
           2: bc 10 00 00 00 00 00 00 w0 = w1
           3: 95 00 00 00 00 00 00 00 exit

(The second instruction is a signed memory load)
Instruction MOVS (Sign extend register MOV) uses offset to encode the
conversion (whether the source register is to be considered as signed
8-bit, 16-bit or 32-bit integer). The mnemonic for these instructions is
quite unclear:
- They are all named MOVS in the proposal
https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/
- LLVM and Linux disassemblers only display pseudo-code (`r0 = (s8)r1`)
- RFC 9669 (https://datatracker.ietf.org/doc/rfc9669/) uses MOVSX for
all instructions.
- GCC uses MOVS for all instructions:
https://github.com/gcc-mirror/gcc/blob/releases/gcc-14.1.0/gcc/config/bpf/bpf.md?plain=1#L326-L365
To make the disassembled code clearer, decode such instructions with a
size suffix: MOVSB, MOVSH, MOVSW.
The decoding of instructions 32-bit JA, BSWAP16, BSWAP32 and BSWAP64 is
straightforward.
2025-07-29 12:45:06 +00:00
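The ISA v4 encodings discussed in the commit message above, decoded from raw bytes. This is an added example, not code from the commit or from Ghidra: the function name `decode_v4`, the operand layout of the `MOVS*` output and the two constructed sample instructions are assumptions of the example, while the opcode field values follow RFC 9669.

```python
import struct

# Opcode field values from RFC 9669 (the standard the commit message cites).
BPF_LDX, BPF_ALU, BPF_ALU64 = 0x01, 0x04, 0x07   # instruction classes
BPF_MEMSX = 0x80                                  # sign-extending load mode
BPF_MOV_X = 0xB8                                  # MOV code (0xb0) | register source (0x08)
BPF_BSWAP = 0xD7                                  # ALU64 | END (0xd0), source bit 0
LOAD_BITS = {0x00: 32, 0x08: 16, 0x10: 8}         # W, H, B; DW has no signed load
MOVS_SUFFIX = {8: "B", 16: "H", 32: "W"}          # size suffixes named in the commit


def decode_v4(insn: bytes):
    """Describe one 8-byte little-endian eBPF instruction if it is a v4
    signed load, MOVS or BSWAP; return None for anything else."""
    if len(insn) != 8:
        raise ValueError("eBPF basic instructions are 8 bytes")
    opcode, regs, off, imm = struct.unpack("<BBhi", insn)
    dst, src = regs & 0x0F, regs >> 4
    cls = opcode & 0x07

    if cls == BPF_LDX and (opcode & 0xE0) == BPF_MEMSX:
        bits = LOAD_BITS.get(opcode & 0x18)
        if bits is None:
            return None
        sign = "-" if off < 0 else "+"
        return f"r{dst} = *(s{bits} *)(r{src} {sign} {abs(off):#x})"

    if cls in (BPF_ALU, BPF_ALU64) and (opcode & 0xF8) == BPF_MOV_X:
        # Offset 0 is the plain MOV; 8/16/32 select the signed source width.
        # The 32-bit ALU class only allows 8 and 16.
        if off not in MOVS_SUFFIX or (off == 32 and cls == BPF_ALU):
            return None
        reg = "r" if cls == BPF_ALU64 else "w"
        # Operand layout "dst, src" is this example's own choice.
        return f"MOVS{MOVS_SUFFIX[off]} {reg}{dst}, {reg}{src}"

    if opcode == BPF_BSWAP and imm in (16, 32, 64):
        return f"BSWAP{imm} r{dst}"
    return None


# The four instructions of sext_8bit from the objdump listing in the commit.
LISTING = ["731affff00000000", "91a1ffff00000000",
           "bc10000000000000", "9500000000000000"]
DECODED = [decode_v4(bytes.fromhex(h)) for h in LISTING]
# Constructed samples (not from the page): MOVS with offset 8, then BSWAP16.
SAMPLES = [decode_v4(bytes.fromhex(h))
           for h in ("bf10080000000000", "d701000010000000")]
```

Only the second instruction of the listing decodes as a v4 form; the store, the plain `w0 = w1` move (offset 0) and `exit` return `None`.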
Ryan Kurtz
0d8a39a07a
Merge remote-tracking branch 'origin/GP-5857_ghidorahrex_PR-7979_niooss-ledger_ebpf-fix-load-zext' into patch (Closes #7979)
2025-07-29 08:24:03 -04:00
Ryan Kurtz
b4239911c9
Merge remote-tracking branch 'origin/GP-5858_ghidorahrex_PR-7929_niooss-ledger_fix-ebpf-call-operand' into patch (Closes #7929)
2025-07-29 08:21:27 -04:00
Ryan Kurtz
179263a592
Merge remote-tracking branch 'origin/GP-5593_ghidorahrex_PR-7985_niooss-ledger_ebpf-fix-semantic-byte-swap-instructions' into patch (Closes #7985)
2025-07-29 08:19:37 -04:00
Ryan Kurtz
28b46c5c93
Merge remote-tracking branch 'origin/GP-5336_ghidorahrex_PR-7065_philpem_6805_hcs08_xidx_fix' into patch (Closes #7065, Closes #7064)
2025-07-29 08:16:11 -04:00
ghidra1
296778319e
GP-5881 Minor Structure editor event handling improvement
2025-07-28 17:01:42 -04:00
Ryan Kurtz
1486a06165
Merge remote-tracking branch 'origin/GP-5877_Dan_fixReDisassembler--SQUASHED' into patch (Closes #8382)
2025-07-28 17:25:05 +00:00
Ryan Kurtz
b729d9b217
Merge remote-tracking branch 'origin/GP-5876-dragonmacher-vt-column-exception-patch' into patch (Closes #8094)
2025-07-28 17:23:02 +00:00
Dan
39c0a83c0c
GP-5877: Fix Patch Instruction action in some Harvard architectures.
2025-07-28 15:48:40 +00:00
Ryan Kurtz
60ff7c9791
Merge remote-tracking branch 'origin/GP-5867_dev747368_dwarf_only_iterate_defined_dtc' into patch
2025-07-28 15:46:50 +00:00
Ryan Kurtz
6f339247ef
Merge remote-tracking branch 'origin/GP-5788_Dan_addActionForciblyCloseTxes--SQUASHED' into patch (Closes #8298)
2025-07-28 12:41:31 +00:00
Ryan Kurtz
790fe71c41
Merge remote-tracking branch 'origin/GP-5553_Dan_lessTimingOut' into patch
2025-07-28 12:39:41 +00:00
Ryan Kurtz
35202441cc
Merge remote-tracking branch 'origin/GP-5764_ghidra007_rttiscript_vfunctions_dont_force_thiscalls--SQUASHED' into patch (Closes #8163)
2025-07-28 12:32:06 +00:00
Dan
1ad0a0f719
GP-5788: Add an action to forcibly close all transactions for a target (in case of back-end misbehavior)
2025-07-28 12:31:48 +00:00
dragonmacher
0286fb59fa
GP-5876 - Fixed table column exception seen when using Version Tracking
2025-07-25 19:29:07 -04:00
ghidra007
cee04048cb
GP-5764 added option to RecoverClassesFromRTTIScript enabling users to not force vfunctions to be thiscalls.
2025-07-25 22:15:27 +00:00
Dan
9767073b32
GP-5553: Disable timing out when we have a ProgressService.
2025-07-25 19:36:55 +00:00
Ryan Kurtz
c56d41a353
Merge remote-tracking branch 'origin/GP-5865_emteere_MultiWordReferenceDialogFix' into patch
2025-07-25 09:43:52 -04:00
Ryan Kurtz
0e5c95dfc2
Merge remote-tracking branch 'origin/GP-5361_James_code_compare_exception_fix' into patch (Closes #7028, Closes #8125, Closes #8289)
2025-07-24 14:27:51 -04:00
Ryan Kurtz
4c8b9761fe
Merge remote-tracking branch 'origin/GP-0_Dan_addTestDiagnostics' into patch
2025-07-24 12:14:20 -04:00
Ryan Kurtz
62946ffde9
Merge remote-tracking branch 'origin/GP-0_Dan_fixTests-2025-07-24-1' into patch
2025-07-24 12:13:04 -04:00
Dan
dcbfa2aa79
GP-0: Print LLDB output in case of test failure.
2025-07-24 14:43:28 +00:00
Dan
6ce2361da5
GP-0: Fix tests due to swing invocations off-thread.
2025-07-24 13:42:36 +00:00
James
fc4b780025
GP-5736 prevent constant propagation from making RETURN inputs constant
(Closes #8183)
2025-07-24 06:18:30 -04:00
Ryan Kurtz
e28df99d96
Merge remote-tracking branch 'origin/GP-5789_Dan_fixModulesWithOneZeroLengthSection' into patch
2025-07-24 06:14:59 -04:00
dev747368
b6de7df726
GP-5867 dwarf: only iterate struct's defined fields
Iterating all fields (defined and undefined) could cause large memory
allocation for the result of Structure.getComponents(), plus iterating
undefined fields was unnecessary.
2025-07-23 22:03:41 +00:00
emteere
0744141b15
GP-5865 Add reference dialog fix for address spaces that have a wordsize greater than one byte
2025-07-23 20:03:01 +00:00
Dan
92708efe40
GP-5789: Handle case where module appears to have zero length.
2025-07-23 17:33:48 +00:00
Ryan Kurtz
d11c1c6c17
Merge remote-tracking branch 'origin/GP-5861_ghizard_PDB_and_Demangler_and_DTUtils_fix_truncated_symbol_processing' into patch (Closes #8358)
2025-07-23 06:08:20 -04:00
ghizard
1684aaf61f
GP-5861 - PDB, MDMang, and DTUtils optim - fix for processing of truncated symbols and optional prefix on MDMang datatype demangling
2025-07-22 16:27:14 -04:00
James
49d848ad5a
GP-5361 fix indexoutofboundsexception in decompiler code comparison
2025-07-22 19:48:19 +00:00
Ryan Kurtz
b17d58ce18
Merge remote-tracking branch 'origin/GP-5859_Dan_fixPatchDataAction' into patch
2025-07-22 14:34:43 -04:00
Dan
f79a1a2816
GP-5859: Both enablement and pop-up of Patch Data controlled by unit type
2025-07-22 14:29:50 +00:00
Ryan Kurtz
20643f0c31
Merge remote-tracking branch 'origin/GP-5856_RulePtrsubUndoInfiniteLoop' into patch (Closes #7997)
2025-07-22 06:09:35 -04:00
Ryan Kurtz
a74ad243da
Merge remote-tracking branch 'origin/GP-5852_Dan_fixStackTraceWithTrackWatchOnToolRestore' into patch (Closes #8333)
2025-07-22 06:07:53 -04:00
caheckman
c4c7aa5dad
Fix for infinite loop caused by RulePtrsubUndo
2025-07-21 19:40:05 +00:00
Dan
07105dbc33
GP-5852: Force saved tracking config to be an option.
2025-07-21 19:30:36 +00:00
Ryan Kurtz
3cfa867ac3
Merge remote-tracking branch 'origin/GP-5843_emteere_MIPS64FunctionStarts' into patch
2025-07-21 13:14:06 -04:00
Ryan Kurtz
440867a776
Merge remote-tracking branch 'origin/GP-5833_emteere_MIPSInfiniteLoop' into patch
2025-07-21 13:11:39 -04:00
Ryan Kurtz
db6b52b10f
Merge remote-tracking branch 'origin/GP-5832_InlineOpTarget' into patch (Closes #7383)
2025-07-18 15:19:54 -04:00
Ryan Kurtz
edf42d82d9
Merge remote-tracking branch 'origin/GP-5846_ghidra1_PPC64_ELFRelocations' into patch
2025-07-18 15:17:45 -04:00