Implement Arm64 tlbi intrinsic

[bb33bb]

What is the feature you'd like to have?
Please add the arm64 reverse c code for
tlbi vaae1is, x8
tlbi vmalle1is

Is your feature request related to a problem?
NO
Are any alternative solutions acceptable?
NO
Additional Information:
Here is the asm code for arm64

ffffff954fe06b7c    int64_t sub_ffffff954fe06b7c(int64_t arg1, int64_t arg2)

ffffff954fe06b7c  fd7bbda9   stp     x29, x30, [sp, #-0x30]! {__saved_x29} {__saved_x30}
ffffff954fe06b80  f50b00f9   str     x21, [sp, #0x10 {__saved_x21}]
ffffff954fe06b84  f44f02a9   stp     x20, x19, [sp, #0x20] {__saved_x20} {__saved_x19}
ffffff954fe06b88  fd030091   mov     x29, sp {__saved_x29}
ffffff954fe06b8c  3300008b   add     x19, x1, x0
ffffff954fe06b90  f50301aa   mov     x21, x1
ffffff954fe06b94  e10313aa   mov     x1, x19
ffffff954fe06b98  f40300aa   mov     x20, x0
ffffff954fe06b9c  94ffff97   bl      sub_ffffff954fe069ec
ffffff954fe06ba0  bf0250f1   cmp     x21, #0x400, lsl #0xc
ffffff954fe06ba4  09010054   b.ls    0xffffff954fe06bc4

ffffff954fe06ba8  9f3a03d5   dsb     ishst
🚫ffffff954fe06bac  1f8308d5   tlbi    vmalle1is
ffffff954fe06bb0  1f2003d5   nop     
ffffff954fe06bb4  1f2003d5   nop     
ffffff954fe06bb8  9f3b03d5   dsb     ish
ffffff954fe06bbc  df3f03d5   isb     
ffffff954fe06bc0  0e000014   b       0xffffff954fe06bf8

ffffff954fe06bc4  9f3a03d5   dsb     ishst
ffffff954fe06bc8  88de4cd3   ubfx    x8, x20, #0xc, #0x2c
ffffff954fe06bcc  69de4cd3   ubfx    x9, x19, #0xc, #0x2c
ffffff954fe06bd0  1f0109eb   cmp     x8, x9
ffffff954fe06bd4  e2000054   b.hs    0xffffff954fe06bf0

🚫ffffff954fe06bd8  688308d5   tlbi    vaae1is, x8
ffffff954fe06bdc  1f2003d5   nop     
ffffff954fe06be0  1f2003d5   nop     
ffffff954fe06be4  08050091   add     x8, x8, #0x1
ffffff954fe06be8  3f0108eb   cmp     x9, x8
ffffff954fe06bec  61ffff54   b.ne    0xffffff954fe06bd8

ffffff954fe06bf0  9f3b03d5   dsb     ish
ffffff954fe06bf4  df3f03d5   isb     

ffffff954fe06bf8  f44f42a9   ldp     x20, x19, [sp, #0x20] {__saved_x20} {__saved_x19}
ffffff954fe06bfc  f50b40f9   ldr     x21, [sp, #0x10 {__saved_x21}]
ffffff954fe06c00  fd7bc3a8   ldp     x29, x30, [sp], #0x30 {__saved_x29} {__saved_x30}
ffffff954fe06c04  c0035fd6   ret     

and the reverse code is

ffffff954fe06b7c    int64_t sub_ffffff954fe06b7c(int64_t arg1, int64_t arg2)

ffffff954fe06b7c    {
ffffff954fe06b7c        int64_t x19 = arg2 + arg1;
ffffff954fe06b9c        int64_t result = sub_ffffff954fe069ec(arg1, x19);
ffffff954fe06b9c        
ffffff954fe06ba4        if (arg2 <= 0x400000)
ffffff954fe06ba4        {
ffffff954fe06bc4            __dsb();
ffffff954fe06bc8            uint64_t x8_1 = arg1 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            uint64_t x9_1 = x19 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            
ffffff954fe06bd4            if (x8_1 < x9_1)
ffffff954fe06bd4            {
ffffff954fe06bec                do
ffffff954fe06bec                {
🚫ffffff954fe06bd8                    /* !!!!  unimplemented  {tlbi vaae1is, x8} !!!!*/
ffffff954fe06be4                    x8_1 += 1;
ffffff954fe06bec                } while (x9_1 != x8_1);
ffffff954fe06bd4            }
ffffff954fe06bd4            
ffffff954fe06bf0            __dsb();
ffffff954fe06bf4            __isb();
ffffff954fe06ba4        }
ffffff954fe06ba4        else
ffffff954fe06ba4        {
ffffff954fe06ba8            __dsb();
🚫ffffff954fe06bac            /* !!!!   unimplemented  {tlbi vmalle1is}  !!!!*/
ffffff954fe06bb8            __dsb();
ffffff954fe06bbc            __isb();
ffffff954fe06ba4        }
ffffff954fe06ba4        
ffffff954fe06c04        return result;
ffffff954fe06b7c    }

[bb33bb]

we can see there are two places of unimplemented instructions
🚫ffffff954fe06bd8 /* !!!! unimplemented {tlbi vaae1is, x8} !!!!/
and
🚫ffffff954fe06bac / !!!! unimplemented {tlbi vmalle1is} !!!!*/

[bb33bb]

version: 4.2.6325-dev Personal (c3d1ad94)
system: Linux version 6.10.13-3-MANJARO (builduser@fv-az1246-770) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Oct 8 03:24:49 UTC 2024

ffffff93d1868b00                    do
ffffff93d1868b00                    {
🚫ffffff93d1868ae8                        /*   unimplemented  {ldxp x11, x26, [x10]} */
ffffff93d1868aec                        x11 ^= result;
ffffff93d1868af4                        arg4 = x11 | (arg4 ^ x8_6);
ffffff93d1868af4                        
ffffff93d1868af8                        if (arg4)
ffffff93d1868af8                            break;
ffffff93d1868af8                        
🚫ffffff93d1868afc                        /*   unimplemented  {stxp w11, x9, x12, [x10]} */
ffffff93d1868b00                    } while (x11);

also the unimplemented code

[galenbwill]

Are you able to share this binary? (You can email it to binaryninja@vector35.com or DM it via the public slack if you cannot or do not want to upload it publicly here)

[bb33bb]

Yes, I will send u as soon as possible

[bb33bb]

Yes, I will send u as soon as possible

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF
expired tomorrow

so plz download as soon as pozzible

[xusheng6]

v35 folks should search for "whispered meadow sunset echo drift" to find the file

[xusheng6]

Yes, I will send u as soon as possible

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF expired tomorrow

so plz download as soon as pozzible

I opened the database and 0xffffff954fe06bac does not seem to be a valid address. Could you please verify it? Also, is the file the same one as #6045?

Btw, since this issue is only relevant to a particular instruction, you can actually just send us the bytes of the instructions and you do not have to share the entire binary with us, I know it is huge

[bb33bb]

Yes, I will send u as soon as possible

https://1drv.ms/u/c/01e018a652fc6a6e/EemB2u0x9rZBtbsKQ5BeWI4BjTjxwyzPRO-pSH9cdhxpVA?e=XHiOYF expired tomorrow
so plz download as soon as pozzible

I opened the database and 0xffffff954fe06bac does not seem to be a valid address. Could you please verify it? Also, is the file the same one as #6045?

Btw, since this issue is only relevant to a particular instruction, you can actually just send us the bytes of the instructions and you do not have to share the entire binary with us, I know it is huge

ffffff954fe06b7c    int64_t unmap_kernel_range(int64_t arg1, int64_t arg2)
ffffff954fe06b7c    {
ffffff954fe06b7c        int64_t x19 = arg2 + arg1;
ffffff954fe06b9c        int64_t result = sub_ffffff954fe069ec(arg1, x19);
ffffff954fe06b9c        
ffffff954fe06ba4        if (arg2 <= 0x400000)
ffffff954fe06ba4        {
ffffff954fe06bc4            __dsb();
ffffff954fe06bc8            uint64_t x8_1 = arg1 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            uint64_t x9_1 = x19 >> 0xc & 0xfffffffffff;
ffffff954fe06bcc            
ffffff954fe06bd4            if (x8_1 < x9_1)
ffffff954fe06bd4            {
ffffff954fe06bec                do
ffffff954fe06bec                {
🚫ffffff954fe06bd8                    /*   unimplemented  {tlbi vaae1is, x8} */
ffffff954fe06be4                    x8_1 += 1;
ffffff954fe06bec                } while (x9_1 != x8_1);
ffffff954fe06bd4            }