Open
Description
Example code (compile with `cc test.c`). The code runs a `movsb` with an invalid source but a valid destination.
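```c
#include <stdio.h>
#include <stdint.h>

int main() {
    char dst[128] = {0};                     /* valid, writable destination */
    uint32_t *src = (uint32_t *)0xdeadbeef;  /* invalid (unmapped) source */

    /* movsb reads one byte from ds:[rsi] and writes it to es:[rdi] */
    __asm__ (
        "mov %0, %%rsi;"
        "mov %1, %%rdi;"
        "movsb;"
        :
        : "r"(src), "r"(dst)
        : "%rsi", "%rdi"
    );
    return 0;
}
```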
Analysis in casr-gdb says the issue is DestAv:

```
casr-gdb --stdout -- ./a.out | jq .CrashSeverity
{
  "Type": "EXPLOITABLE",
  "ShortDescription": "DestAv",
  "Description": "Access violation on destination operand",
  "Explanation": "The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value."
}
```
Debugging with gdb (Intel syntax) shows we can read the destination operand, but not the source.
```
$ gdb ./a.out
...
0x000055555555520d in main ()
(gdb) x/3i $pc
=> 0x55555555520d <main+196>: movs BYTE PTR es:[rdi],BYTE PTR ds:[rsi]
   0x55555555520e <main+197>: mov eax,0x0
   0x555555555213 <main+202>: mov rdx,QWORD PTR [rbp-0x8]
(gdb) x/x $rdi
0x7fffffffdb40: 0x00000000
(gdb) x/x $rsi
0xdeadbeef: Cannot access memory at address 0xdeadbeef
(gdb) x/x $es
0x0: Cannot access memory at address 0x0
(gdb) x/x $ds
0x0: Cannot access memory at address 0x0
```
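Added example, not part of the original issue and not CASR's code: one way a triage tool could tell which `movs` operand faulted, by comparing the faulting address with `rsi` and `rdi` instead of assuming the destination. The function and enum names are hypothetical, and the fault address is assumed to be available to the caller (for example from siginfo's `si_addr`).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not taken from CASR's source. */
enum movs_av { MOVS_AV_UNKNOWN, MOVS_AV_SOURCE, MOVS_AV_DEST, MOVS_AV_AMBIGUOUS };

/* True if addr falls inside the `width` bytes starting at base.
 * Unsigned subtraction keeps the check correct when addr < base. */
static int in_operand(uint64_t addr, uint64_t base, unsigned width)
{
    return addr - base < (uint64_t)width;
}

/* Decide which memory operand of movs{b,w,d,q} faulted.
 * have_addr is 0 when no fault address was reported (assumption: the
 * caller got it from siginfo si_addr and knows whether it is valid).
 * width is the element size in bytes: 1, 2, 4 or 8. */
enum movs_av classify_movs_fault(int have_addr, uint64_t fault_addr,
                                 uint64_t rsi, uint64_t rdi, unsigned width)
{
    if (!have_addr || width == 0)
        return MOVS_AV_UNKNOWN;
    int src = in_operand(fault_addr, rsi, width);   /* read from ds:[rsi] */
    int dst = in_operand(fault_addr, rdi, width);   /* write to es:[rdi]  */
    if (src && dst)
        return MOVS_AV_AMBIGUOUS;   /* overlapping operands: cannot tell */
    if (src)
        return MOVS_AV_SOURCE;
    if (dst)
        return MOVS_AV_DEST;
    return MOVS_AV_UNKNOWN;         /* address matches neither operand */
}

const char *movs_av_name(enum movs_av v)
{
    static const char *names[] = { "Unknown", "SourceAv", "DestAv", "Ambiguous" };
    return names[v];
}

int main(void)
{
    /* rsi and rdi are the values from the gdb session in the issue; the
     * fault address is assumed equal to the unreadable rsi value. */
    enum movs_av v = classify_movs_fault(1, 0xdeadbeefULL, 0xdeadbeefULL,
                                         0x7fffffffdb40ULL, 1);
    printf("%s\n", movs_av_name(v));
    return 0;
}
```

The range check, rather than plain equality, also covers wider moves such as `movsq` that straddle a page boundary, where the reported address is the start of the second page.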