Re: Assert in x86_emulate_wrapper triggerable by HVM domain

[Manuel Andreas <manuel.andreas@xxxxxx>]

On 4/16/25 15:52, Jan Beulich wrote:

> On 15.04.2025 23:52, Manuel Andreas wrote:
> > my fuzzing infrastructure discovered that an assert in
> > x86_emulate_wrapper is able to be triggered by an HVM domain executing a
> > specially crafted repeating movs instruction.
> >
> > Specifically, if the emulation of the rep movs instruction triggers an
> > exception (e.g. by accessing invalid memory after some amount of
> > iterations), the emulation will be halted at that point.
> > However, the instruction manual requires that _some_ register state
> > (namely the updated value of rcx) shall be commited, whereas the
> > instruction pointer needs to be rolled back to point to the address of
> > the instruction itself. The assert checks for the latter. Problematic is
> > the fact that for these type of repeating instructions, Xen seems to
> > eventually just commit all register state when it encounters an exception:
> If my analysis is correct, none of this matters here; the core emulator
> is working correctly. Hence also why the in-tree fuzzer wouldn't have
> caught it. Would you please give the patch a try that I just sent, with
> Cc to you (sorry, the list archive didn't pick it up yet, hence no link)?
>
> Jan
Sorry about the late reply, just got around to applying your patch a few 
days ago.
I verified that the provided XTF test does not trigger the assert anymore.
Moreover, I fuzzed the patched version for a few days and the bug (or 
possibly newly introduced ones) did not pop up, so I believe the root 
cause was fixed correctly.
Best,
Manuel