diff mbox series

x86emul: avoid UB shift in AVX512 VPMOV* handling

Message ID 9f73c7bd-4aa3-4a66-a12c-4bfda6aa233a@suse.com (mailing list archive)
State New
Headers show
Series x86emul: avoid UB shift in AVX512 VPMOV* handling | expand

Commit Message

Jan Beulich Aug. 5, 2024, 1:46 p.m. UTC 
For widening and narrowing moves, operand (vector) size is calculated
from a table. This calculation, for the AVX512 cases, lives ahead of
validation of EVEX.L'L (which cannot be 3 without raising #UD). Account
for the later checking by adjusting the constants in the expression such
that even EVEX.L'L == 3 will yield a non-UB shift (read: shift count
reliably >= 0).

Fixes: 3988beb08 ("x86emul: support AVX512{F,BW} zero- and sign-extending moves")
Oss-fuzz: 70914
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Comments

Stefano Stabellini Aug. 6, 2024, 5:59 p.m. UTC | #1 
On Mon, 5 Aug 2024, Jan Beulich wrote:
> For widening and narrowing moves, operand (vector) size is calculated
> from a table. This calculation, for the AVX512 cases, lives ahead of
> validation of EVEX.L'L (which cannot be 3 without raising #UD). Account
> for the later checking by adjusting the constants in the expression such
> that even EVEX.L'L == 3 will yield a non-UB shift (read: shift count
> reliably >= 0).
> 
> Fixes: 3988beb08 ("x86emul: support AVX512{F,BW} zero- and sign-extending moves")
> Oss-fuzz: 70914
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>


> --- a/xen/arch/x86/x86_emulate/x86_emulate.c
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c
> @@ -5788,7 +5788,7 @@ x86_emulate(
>              d = DstMem | SrcReg | TwoOp;
>          }
>          generate_exception_if(evex.brs, X86_EXC_UD);
> -        op_bytes = 32 >> (pmov_convert_delta[b & 7] + 1 - evex.lr);
> +        op_bytes = 64 >> (pmov_convert_delta[b & 7] + 2 - evex.lr);
>          elem_bytes = (b & 7) < 3 ? 1 : (b & 7) != 5 ? 2 : 4;
>          goto avx512f_no_sae;
>  
>
diff mbox series

Patch

--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -5788,7 +5788,7 @@  x86_emulate(
             d = DstMem | SrcReg | TwoOp;
         }
         generate_exception_if(evex.brs, X86_EXC_UD);
-        op_bytes = 32 >> (pmov_convert_delta[b & 7] + 1 - evex.lr);
+        op_bytes = 64 >> (pmov_convert_delta[b & 7] + 2 - evex.lr);
         elem_bytes = (b & 7) < 3 ? 1 : (b & 7) != 5 ? 2 : 4;
         goto avx512f_no_sae;