On Monday 18 July 2016 15:57:09 Andrew Cooper wrote:
> On 18/07/16 15:30, Mihai Donțu wrote:
> > @@ -4409,6 +4409,10 @@ x86_emulate(
> > case 0x6f: /* movq mm/m64,mm */
> > /* {,v}movdq{a,u} xmm/m128,xmm */
> > /* vmovdq{a,u} ymm/m256,ymm */
> > + case 0x7e: /* movd mm,r/m32 */
> > + /* movq mm,r/m64 */
> > + /* {,v}movd xmm,r/m32 */
> > + /* {,v}movq xmm,r/m64 */
>
> This exposes a vulnerability where a guest can clobber local state in
> x86_emulate, by specifying registers such as %ebx as the destination.
>
> You must either
> 1) Move this case up above the fail_if(ea.type != OP_MEM); check, or
> 2) modify the stub logic to convert a GPR destination to a memory
> address pointing into _regs.
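Review bot: the new `case 0x7e` arm covers instruction forms whose destination is r/m32 or r/m64, i.e. a general-purpose register as well as memory, yet it is added to the 0x6f path, which is only safe for memory destinations; as the reviewer above notes, a register-form encoding reaches the stub with a host GPR such as %ebx as its destination and clobbers x86_emulate's local state. Either place the case above the `fail_if(ea.type != OP_MEM);` check so register forms are rejected, or have the stub logic rewrite a GPR destination into a memory operand addressing the corresponding slot in `_regs`, so the write lands in the guest register image rather than a live hypervisor register.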
I'm taking a look at (2) as it feels like the best approach. If I'm not making any good progress in the coming days, I'll fall back to (1).

Thank you,
--
Mihai DONȚU
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel