[xen staging] x86emul: don't call ->read_segment() with x86_seg_none
commit 5ed317c45d7323a6985797dc9a2d39d8c5df8201 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Wed Aug 14 15:40:06 2024 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Wed Aug 14 15:40:06 2024 +0200 x86emul: don't call ->read_segment() with x86_seg_none LAR, LSL, VERR, and VERW emulation involve calling protmode_load_seg() with x86_seg_none. The fuzzer's read_segment() hook function has an assertion which triggers in this case. Calling the hook function, however, makes little sense for those insns, as there's no data to retrieve. Instead zero-filling the output structure is what properly corresponds to those insns being invoked with a NUL selector. While there also add a related comment at the VERR/VERW call site. Fixes: 06a3b8cd7ad2 ("x86emul: support LAR/LSL/VERR/VERW") Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70918 Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxx> Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- xen/arch/x86/x86_emulate/x86_emulate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c index 9025382670..34b0b0fe73 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -839,7 +839,8 @@ protmode_load_seg( case x86_seg_tr: goto raise_exn; } - if ( !_amd_like(cp) || vcpu_has_nscb() || !ops->read_segment || + if ( seg == x86_seg_none || !_amd_like(cp) || vcpu_has_nscb() || + !ops->read_segment || ops->read_segment(seg, sreg, ctxt) != X86EMUL_OKAY ) memset(sreg, 0, sizeof(*sreg)); else @@ -2852,7 +2853,7 @@ x86_emulate( &sreg, ctxt, ops) ) { case X86EMUL_OKAY: - if ( sreg.s && + if ( sreg.s /* Excludes NUL selectors too. */ && ((modrm_reg & 1) ? ((sreg.type & 0xa) == 0x2) : ((sreg.type & 0xa) != 0x8)) ) _regs.eflags |= X86_EFLAGS_ZF; -- generated by git-patchbot for /home/xen/git/xen.git#staging
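Review bot: in the protmode_load_seg() hunk the new `seg == x86_seg_none` test is placed first in the `||` chain, so `ops->read_segment()` is never reached for a NUL selector regardless of `_amd_like(cp)` or `vcpu_has_nscb()`, and the existing `memset(sreg, 0, sizeof(*sreg))` branch does the zero-fill; the reason x86_seg_none must be skipped (LAR/LSL/VERR/VERW pass it with no segment data to fetch, and the fuzzer's hook asserts on it) lives only in the commit message, so a one-line comment on the condition, e.g. `/* x86_seg_none: nothing to read, zero-fill instead. */`, would keep that rationale next to the code, matching the comment added at the VERR/VERW call site.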
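Review bot: in the x86_emulate() hunk the `/* Excludes NUL selectors too. */` comment holds only because protmode_load_seg() zero-fills `sreg` for x86_seg_none, which leaves `sreg.s` clear; embedding the comment inside the multi-line `if ( sreg.s ... && ... )` condition makes the expression harder to scan, so consider moving it to its own line above the `if` and stating the dependency, e.g. `/* sreg is zero-filled for NUL selectors, so the .s check covers them too. */`.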