Decoder can be initialized with ill-formed defaults

[mappzor]

ZydisDecoderInit accepts machine_mode and address_width. In conjunction those arguments will determine decoder's default values for stack size (ssz), operand size (osz) and address size (asz). Typically Zydis users pass matching values (e.g. 32-bit machine mode with 32-bit address width) but decoder logic acts improperly when those values do not match:
(decoder->machine_mode, decoder->address_width) -> (ssz, osz, asz)
(16, 32) -> (32, 16, 32)
(32, 16) -> (16, 32, 16)

Such defaults are not possible on real hardware. They are controlled by D/B flag in CS and SS. For CS we have CS.D that controls "effective addresses and operands referenced by instructions in the segment", so default values of osz and asz, should be always the same. For SS we have SS.B that determines ssz.

Expected behavior would be to derive osz and asz from machine_mode and take ssz from address_width (which probably should be named stack_width just as in decoded instruction).

[3zh11k]

question: should stack-address size (SSZ) affect unrelated to stack instructions?

example with increment:

ZydisInfo -32 ff 00
SSZ: 32
 1   REGISTER      HIDDEN       W          NONE     32     32       1       INT                       eflags

vs

ZydisInfo -32 -16 ff 00
SSZ: 16
 1   REGISTER      HIDDEN       W          NONE     16     16       1       INT                       eflags

[mappzor]

@3zh11k In 16-bit mode you are dealing with 16-bit flags register instead of 32-bit eflags. It seems you are using an older version of Zydis because current build of ZydisInfo indicates that but in your output you have eflags in both cases.

[3zh11k]

@mappzor :

I'm using the latest and the greatest:

$ git log -1
commit 3f5a3ad8e16658c62d7033e9373232d19480d3cc (HEAD -> master, origin/master, origin/HEAD)
Author: serge-sans-paille <serge.guelton@telecom-bretagne.eu>
Date:   Tue Mar 22 11:01:55 2022 +0100

    Cleanup zydis include
    
    Remove unused headers / replace them by a selection if needs be.
    Cleanup assisted by iwyu[0]
    This results in slightly less lines in the preprocessed output (-6908) but also
    reduces coupling between compilation units.
    
    [0] https://include-what-you-use.org/

It's always 32-bit mode. Not a 16-bit mode. Only difference here is stack-address size 16-bit vs 32-bit:

here is a full output for 16-bit stack address size:

$ ./ZydisInfo -32 -16 ff 00 
== [    BASIC ] ============================================================================================
   MNEMONIC: inc [ENC: DEFAULT, MAP: DEFAULT, OPC: 0xFF]
     LENGTH:  2
        SSZ: 16
       EOSZ: 32
       EASZ: 32
   CATEGORY: BINARY
    ISA-SET: I86
    ISA-EXT: BASE
 EXCEPTIONS: NONE
 ATTRIBUTES: HAS_MODRM CPUFLAG_ACCESS ACCEPTS_LOCK ACCEPTS_XACQUIRE ACCEPTS_XRELEASE ACCEPTS_SEGMENT 
  OPTIMIZED: FF 00 

== [ OPERANDS ] ============================================================================================
##       TYPE  VISIBILITY  ACTION      ENCODING   SIZE  NELEM  ELEMSZ  ELEMTYPE                        VALUE
--  ---------  ----------  ------  ------------   ----  -----  ------  --------  ---------------------------
 0     MEMORY    EXPLICIT      RW      MODRM_RM     32      1      32       INT  TYPE  =                 MEM
                                                                                 SEG   =                  ds
                                                                                 BASE  =                 eax
                                                                                 INDEX =                none
                                                                                 SCALE =                   0
                                                                                 DISP  =  0x0000000000000000
 1   REGISTER      HIDDEN       W          NONE     16     16       1       INT                        flags
--  ---------  ----------  ------  ------------   ----  -----  ------  --------  ---------------------------

== [    FLAGS ] ============================================================================================
    ACTIONS: [PF  : M  ] [AF  : M  ] [ZF  : M  ] [SF  : M  ] [OF  : M  ] 
       READ: 0x00000000
    WRITTEN: 0x000008D4

== [      ATT ] ============================================================================================
   ABSOLUTE: inc (%eax)
   RELATIVE: inc (%eax)

== [    INTEL ] ============================================================================================
   ABSOLUTE: inc dword ptr ds:[eax]
   RELATIVE: inc dword ptr ds:[eax]

== [ SEGMENTS ] ============================================================================================
FF 00 
:  :..MODRM
:..OPCODE

And for 32-bit stack-address size:

$ ./ZydisInfo -32 -32 ff 00 
== [    BASIC ] ============================================================================================
   MNEMONIC: inc [ENC: DEFAULT, MAP: DEFAULT, OPC: 0xFF]
     LENGTH:  2
        SSZ: 32
       EOSZ: 32
       EASZ: 32
   CATEGORY: BINARY
    ISA-SET: I86
    ISA-EXT: BASE
 EXCEPTIONS: NONE
 ATTRIBUTES: HAS_MODRM CPUFLAG_ACCESS ACCEPTS_LOCK ACCEPTS_XACQUIRE ACCEPTS_XRELEASE ACCEPTS_SEGMENT 
  OPTIMIZED: FF 00 

== [ OPERANDS ] ============================================================================================
##       TYPE  VISIBILITY  ACTION      ENCODING   SIZE  NELEM  ELEMSZ  ELEMTYPE                        VALUE
--  ---------  ----------  ------  ------------   ----  -----  ------  --------  ---------------------------
 0     MEMORY    EXPLICIT      RW      MODRM_RM     32      1      32       INT  TYPE  =                 MEM
                                                                                 SEG   =                  ds
                                                                                 BASE  =                 eax
                                                                                 INDEX =                none
                                                                                 SCALE =                   0
                                                                                 DISP  =  0x0000000000000000
 1   REGISTER      HIDDEN       W          NONE     32     32       1       INT                       eflags
--  ---------  ----------  ------  ------------   ----  -----  ------  --------  ---------------------------

== [    FLAGS ] ============================================================================================
    ACTIONS: [PF  : M  ] [AF  : M  ] [ZF  : M  ] [SF  : M  ] [OF  : M  ] 
       READ: 0x00000000
    WRITTEN: 0x000008D4

== [      ATT ] ============================================================================================
   ABSOLUTE: inc (%eax)
   RELATIVE: inc (%eax)

== [    INTEL ] ============================================================================================
   ABSOLUTE: inc dword ptr ds:[eax]
   RELATIVE: inc dword ptr ds:[eax]

== [ SEGMENTS ] ============================================================================================
FF 00 
:  :..MODRM
:..OPCODE

[mappzor]

In full output -32 -16 ff 00 produced flags register now. For some reason it was eflags in your first comment and that confused me.

Now to answer your question, I'd say it's a good design choice. Flags register is special and accessed in a bit-level fashion, so operand array which just stores "size" naturally lacks granularity to accurately represent nature of changes made to the register. It doesn't really matter if you put flags/eflags/rflags because in practice all modified bits reside in its lowest word. It's a matter of convention rather than correctness.

Sticking to stack size helps to handle cases where this actually matters (instructions that push/pop flags from stack) because it makes things consistent. For example a naive taint analyzer can use this information to mark flags/eflags/rflags as tainted and properly handle pushf/popf interactions because register size is consistent across all instruction groups. For anything more advanced you have to disregard flags operand completely and rely on fine-grained information provided via ZydisDecodedInstruction.cpu_flags. I don't see use cases where breaking this consistency would be beneficial.

[3zh11k]

I agree with with everything said about design/consistency.
But just would like to clarify for my better understanding, please correct me if I'm wrong:

• instructions push/pop or even pushf/popf use operand-size and don't use stack-size.
• only instruction known to me which uses stack-size is ret.

[mappzor]

If you are talking about number of bytes pushed/popped of stack, that's represented by implicit memory operand (not eflags one) and that one scales with operand size indeed.

There are more instructions that scale with stack size (especially in regards to implicit IP operand) e.g. call, enter, xsha1, xsha256, syscall.