On 14/08/2024 2:10 pm, Jan Beulich wrote:
> On 14.08.2024 14:49, Andrew Cooper wrote:
>> On 12/08/2024 3:05 pm, Jan Beulich wrote:
>>> On 12.08.2024 15:04, Andrew Cooper wrote:
>>>> On 05/08/2024 2:26 pm, Jan Beulich wrote:
>>>>> --- a/xen/arch/x86/x86_emulate/x86_emulate.c
>>>>> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c
>>>>> @@ -839,7 +839,8 @@ protmode_load_seg(
>>>>> case x86_seg_tr:
>>>>> goto raise_exn;
>>>>> }
>>>>> - if ( !_amd_like(cp) || vcpu_has_nscb() || !ops->read_segment ||
>>>>> + if ( seg == x86_seg_none || !_amd_like(cp) || vcpu_has_nscb() ||
>>>>> + !ops->read_segment ||
>>>>> ops->read_segment(seg, sreg, ctxt) != X86EMUL_OKAY )
>>>>> memset(sreg, 0, sizeof(*sreg));
>>>>> else
>>>> While this fixes the crash, I'm not sure it will behave correctly for
>>>> VERR/VERW.
>>>>
>>>> protmode_load_seg() is unconditionally X86EMUL_OKAY for a NULL selector,
>>>> and VERW checks for type != 0x8 which an empty attr will pass.
>>> That's past an sreg.s check, which will have failed (for sreg coming back
>>> all clear).
>> Oh, so it is.
>>
>> Any chance I could talk you into folding this hunk in too?
>>
>> diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c
>> b/xen/arch/x86/x86_emulate/x86_emulate.c
>> index 902538267051..d4d02c3e2eb3 100644
>> --- a/xen/arch/x86/x86_emulate/x86_emulate.c
>> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c
>> @@ -2852,7 +2852,7 @@ x86_emulate(
>> &sreg, ctxt, ops) )
>> {
>> case X86EMUL_OKAY:
>> - if ( sreg.s &&
>> + if ( sreg.s /* Excludes NULL selector too */ &&
>> ((modrm_reg & 1) ? ((sreg.type & 0xa) == 0x2)
>> : ((sreg.type & 0xa) != 0x8)) )
>> _regs.eflags |= X86_EFLAGS_ZF;
>>
>>
>> because it is relevant to judging whether the subsequent logic is
>> correct or not.
> No problem at all. Am I okay to commit then, with Stefano's R-b?
Acked-by: Andrew Cooper <andrew.coop...@citrix.com>
and don't forget the conversion to
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70918
~Andrew
