| Message ID | 52d2b102-1285-41fc-a550-ca9437df612b@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | x86emul: add missing EVEX.R' checks | expand |
On 21/02/2024 10:27 am, Jan Beulich wrote: > EVEX.R' is not ignored in 64-bit code when encoding a GPR or mask > register. While for mask registers suitable checks are in place (there > also covering EVEX.R), they were missing for the few cases where in > EVEX-encoded instructions ModR/M.reg encodes a GPR. While for VPEXTRW > the bit is replaced before an emulation stub is invoked, for > VCVT{,T}{S,D,H}2{,U}SI this actually would have led to #UD from inside > an emulation stub, in turn raising #UD to the guest, but accompanied by > log messages indicating something's wrong in Xen nevertheless. > > Fixes: 001bd91ad864 ("x86emul: support AVX512{F,BW,DQ} extract insns") > Fixes: baf4a376f550 ("x86emul: support AVX512F legacy-equivalent scalar int/FP conversion insns") > Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -3686,7 +3686,8 @@ x86_emulate( CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x2d): /* vcvts{s,d}2si xmm/mem,reg */ CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x78): /* vcvtts{s,d}2usi xmm/mem,reg */ CASE_SIMD_SCALAR_FP(_EVEX, 0x0f, 0x79): /* vcvts{s,d}2usi xmm/mem,reg */ - generate_exception_if((evex.reg != 0xf || !evex.RX || evex.opmsk || + generate_exception_if((evex.reg != 0xf || !evex.RX || !evex.R || + evex.opmsk || (ea.type != OP_REG && evex.brs)), X86_EXC_UD); host_and_vcpu_must_have(avx512f); @@ -7327,7 +7328,7 @@ x86_emulate( goto pextr; case X86EMUL_OPC_EVEX_66(0x0f, 0xc5): /* vpextrw $imm8,xmm,reg */ - generate_exception_if(ea.type != OP_REG, X86_EXC_UD); + generate_exception_if(ea.type != OP_REG || !evex.R, X86_EXC_UD); /* Convert to alternative encoding: We want to use a memory operand. */ evex.opcx = ext_0f3a; b = 0x15;
EVEX.R' is not ignored in 64-bit code when encoding a GPR or mask register. While for mask registers suitable checks are in place (there also covering EVEX.R), they were missing for the few cases where in EVEX-encoded instructions ModR/M.reg encodes a GPR. While for VPEXTRW the bit is replaced before an emulation stub is invoked, for VCVT{,T}{S,D,H}2{,U}SI this actually would have led to #UD from inside an emulation stub, in turn raising #UD to the guest, but accompanied by log messages indicating something's wrong in Xen nevertheless. Fixes: 001bd91ad864 ("x86emul: support AVX512{F,BW,DQ} extract insns") Fixes: baf4a376f550 ("x86emul: support AVX512F legacy-equivalent scalar int/FP conversion insns") Signed-off-by: Jan Beulich <jbeulich@suse.com> --- As to Fixes: tags - there are more affected commits, but they both only re-use the expression introduced by the 2nd of the ones mentioned.