Re: [Xen-devel] [PATCH v2] x86emul/fuzz: add rudimentary limit checking
>>> On 05.07.17 at 17:22, <JBeulich@xxxxxxxx> wrote:
> fuzz_insn_fetch() is the only data access helper where it is possible
> to see offsets larger than 4Gb in 16- or 32-bit modes, as we leave the
> incoming rIP untouched in the emulator itself. The check is needed here
> as otherwise, after successfully fetching insn bytes, we may end up
> zero-extending EIP soon after complete_insn, which collides with the
> X86EMUL_EXCEPTION-conditional respective ASSERT() in
> x86_emulate_wrapper(). (NB: put_rep_prefix() is what allows
> complete_insn to be reached with rc set to other than X86EMUL_OKAY or
> X86EMUL_DONE. See also commit 53f87c03b4 ["x86emul: generalize
> exception handling for rep_* hooks"].)
>
> Add assert()-s for all other (data) access routines, as effective
> address generation in the emulator ought to guarantee in-range values.
> For them to not trigger, an adjustment to the emulator's DstBitBase
> handling is needed. While adding a truncate_ea() invocation there,
> also convert open coded instances of it.
>
> Reported-by: George Dunlap <george.dunlap@xxxxxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

I have to withdraw this - it was sent too early. For two-part memory
accesses (like e.g. LFS emulation does) further changes are needed to
either the emulator or the respective assert()-s.

Jan
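The quoted description turns on two facts about address-size handling: effective addresses the emulator generates are wrapped to the addressing mode (16-bit wraps at 64KiB, 32-bit at 4GiB, 64-bit is left alone), while the instruction pointer fed to the fetch helper is not, so a fetch in 16- or 32-bit mode can legitimately be asked for an offset that does not fit the mode at all. The following is an added, stand-alone illustration of that distinction; it is not code from the Xen emulator or from the patch, and truncate_ea_demo(), max_offset_for_mode() and fetch_offset_in_range() are hypothetical names chosen here. It contrasts a truncating helper (what data accesses rely on) with an explicit range check that rejects out-of-range fetch offsets and overlong fetches instead of letting them reach a later assertion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an address-size truncation helper:
 * 16-bit addressing wraps at 64KiB, 32-bit at 4GiB, 64-bit is untouched.
 * ad_bytes is the address size in bytes (2, 4 or 8). */
static uint64_t truncate_ea_demo(uint64_t ea, unsigned int ad_bytes)
{
    switch (ad_bytes) {
    case 2:
        return (uint16_t)ea;
    case 4:
        return (uint32_t)ea;
    default:
        return ea;
    }
}

/* Largest offset representable in the given addressing mode. */
static uint64_t max_offset_for_mode(unsigned int ad_bytes)
{
    if (ad_bytes >= 8)
        return UINT64_MAX;
    return ((uint64_t)1 << (ad_bytes * 8)) - 1;
}

/* Range check for an instruction fetch of `bytes` bytes at `offset`.
 * Unlike a data access, the offset here is taken as-is (not truncated),
 * so it can exceed the mode's limit; report that as out of range rather
 * than letting a later zero-extension trip an assertion. Also rejects
 * a fetch whose last byte would wrap past the limit, and fetch sizes
 * outside the 1..15 byte range an x86 instruction can occupy. */
static bool fetch_offset_in_range(uint64_t offset, unsigned int bytes,
                                  unsigned int ad_bytes)
{
    uint64_t limit = max_offset_for_mode(ad_bytes);

    if (bytes == 0 || bytes > 15)
        return false;
    if (offset > limit)
        return false;
    /* Overflow-safe form of: offset + bytes - 1 <= limit */
    return (uint64_t)(bytes - 1) <= limit - offset;
}

int main(void)
{
    /* Constructed sample values. */
    uint64_t big = 0x100001234ULL;   /* above 4GiB */

    printf("32-bit data EA %#llx -> %#llx\n",
           (unsigned long long)big,
           (unsigned long long)truncate_ea_demo(big, 4));
    printf("32-bit fetch at %#llx in range: %s\n",
           (unsigned long long)big,
           fetch_offset_in_range(big, 1, 4) ? "yes" : "no");
    printf("32-bit 2-byte fetch at 0xffffffff in range: %s\n",
           fetch_offset_in_range(0xffffffffULL, 2, 4) ? "yes" : "no");
    return 0;
}
```

The asymmetry is the point of the patch text: data access paths can assert in-range offsets because truncation already happened upstream, whereas the fetch path has to check explicitly because nothing truncated its input.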