From: "Philippe Mathieu-Daudé via" <qemu-devel@nongnu.org>
To: Cameron Esfahani <dirty@apple.com>
Cc: qemu-devel@nongnu.org, "Peter Maydell" <peter.maydell@linaro.org>,
	"Will Cohen" <wwcohen@gmail.com>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
	"Roman Bolshakov" <r.bolshakov@yadro.com>,
	"Li Zhang" <lizhang@suse.de>,
	"Julian Stecklina" <julian.stecklina@cyberus-technology.de>
Subject: Re: [PATCH v4 05/13] hvf: Fix OOB write in RDTSCP instruction decode
Date: Mon, 14 Feb 2022 13:49:03 +0100
Message-ID: <5af1437c-37a9-d2bf-6864-010f2ac52d3f@amsat.org>
In-Reply-To: <20220211163434.58423-6-f4bug@amsat.org>

Hi Cameron,

On 11/2/22 17:34, Philippe Mathieu-Daudé wrote:
> From: Cameron Esfahani <dirty@apple.com>
> 
> A guest could craft a specific stream of instructions that will have QEMU
> write 0xF9 to inappropriate locations in memory.  Add additional asserts
> to check for this.  Generate a #UD if there are more than 14 prefix bytes.
> 
> Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>
> 
> Signed-off-by: Cameron Esfahani <dirty@apple.com>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>   target/i386/hvf/x86_decode.c | 11 +++++++++--
>   target/i386/hvf/x86hvf.c     |  8 ++++++++
>   target/i386/hvf/x86hvf.h     |  1 +
>   3 files changed, 18 insertions(+), 2 deletions(-)

> @@ -1847,7 +1849,8 @@ void calc_modrm_operand(CPUX86State *env, struct x86_decode *decode,
>   
>   static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
>   {
> -    while (1) {
> +    /* At most 14 prefix bytes. */
> +    for (int i = 0; i < 14; i++) {

Could we have a definition instead of this magic '14' number?

>           /*
>            * REX prefix must come after legacy prefixes.
>            * REX before legacy is ignored.
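Review bot: the bound in `for (int i = 0; i < 14; i++)` should be a named constant with a comment saying where 14 comes from (agreeing with the question above), and the comment `/* At most 14 prefix bytes. */` may not match the loop: if each iteration consumes one byte and the function only returns from inside the loop when a non-prefix byte is seen (the body is not in this hunk), then an instruction with exactly 14 prefix bytes followed by its opcode never reaches the opcode and falls through to the #UD path, so the effective limit is 13. Either the comment or the bound should change, and a test at the boundary (14 prefixes plus opcode, 15 prefixes) would pin the intended behaviour down.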
> @@ -1892,6 +1895,8 @@ static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
>               return;
>           }
>       }
> +    /* Too many prefixes!  Generate #UD. */
> +    hvf_inject_ud(env);
>   }
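Review bot: `hvf_inject_ud(env);` queues the exception but `decode_prefix()` then returns normally, and nothing in this hunk tells the caller that decoding must stop; please confirm that the caller checks for the injected #UD (or make `decode_prefix()` return a failure status) so that the byte after the 14 prefixes is not decoded and executed as an opcode. The diffstat shows `hvf_inject_ud()` being added in x86hvf.c/x86hvf.h, but that hunk is not quoted here, so its declaration and include in x86_decode.c cannot be checked from this reply.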


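The bounded prefix scan that the patch and the review comment above call for, written as an added example for this page; it is not QEMU's code. It assumes a named constant (X86_MAX_PREFIX_BYTES, derived as the 15-byte maximum instruction length minus one opcode byte), the names decode_prefixes, struct prefix_state and the PREFIX_RESULT_* codes, and the sample byte sequences are constructed here. The prefix bytes go into a fixed-size array so that the bound check is exactly what keeps the store in range, and the boundary cases (14 prefixes plus opcode accepted, a 15th prefix rejected) are what the scan is checked against.

```c
/*
 * Added example, not QEMU's code: a bounded x86 prefix scanner.
 * X86_MAX_PREFIX_BYTES, decode_prefixes, struct prefix_state and the
 * PREFIX_RESULT_* codes are names assumed by this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_MAX_INSN_LEN     15                       /* architectural limit */
#define X86_MAX_PREFIX_BYTES (X86_MAX_INSN_LEN - 1)   /* leave one byte for the opcode */

enum {
    PREFIX_RESULT_UD        = -1, /* too many prefixes: caller raises #UD */
    PREFIX_RESULT_TRUNCATED = -2, /* buffer ended before the opcode byte */
};

struct prefix_state {
    uint8_t bytes[X86_MAX_PREFIX_BYTES]; /* fixed-size: the bound protects this store */
    int count;          /* number of prefix bytes stored */
    bool rex_valid;     /* REX seen and not followed by a legacy prefix */
    uint8_t rex;
    bool rex_ignored;   /* a REX was seen but a legacy prefix came after it */
};

static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:             /* LOCK, REPNE, REP */
    case 0x26: case 0x2E: case 0x36: case 0x3E:  /* ES/CS/SS/DS override */
    case 0x64: case 0x65:                        /* FS/GS override */
    case 0x66: case 0x67:                        /* operand/address size */
        return true;
    default:
        return false;
    }
}

static bool is_rex_prefix(uint8_t b)
{
    return (b & 0xF0) == 0x40; /* 0x40..0x4F, a prefix only in 64-bit mode */
}

/*
 * Scan prefixes at the start of insn[0..len). Returns the number of prefix
 * bytes consumed (the opcode is then insn[count]), PREFIX_RESULT_UD when a
 * 15th prefix byte is seen, or PREFIX_RESULT_TRUNCATED when the buffer ends
 * first. Every iteration either returns or stores one byte, so the loop runs
 * at most X86_MAX_PREFIX_BYTES + 1 times whatever len is.
 */
int decode_prefixes(const uint8_t *insn, size_t len, bool long_mode,
                    struct prefix_state *st)
{
    memset(st, 0, sizeof(*st));
    for (size_t i = 0; i < len; i++) {
        uint8_t b = insn[i];
        bool rex = long_mode && is_rex_prefix(b);
        if (!rex && !is_legacy_prefix(b)) {
            return st->count;            /* opcode byte reached */
        }
        if (st->count == X86_MAX_PREFIX_BYTES) {
            return PREFIX_RESULT_UD;     /* no room left: reject before storing */
        }
        st->bytes[st->count++] = b;
        if (rex) {
            st->rex = b;
            st->rex_valid = true;
        } else if (st->rex_valid) {
            /* REX must be the last prefix; REX before legacy is ignored. */
            st->rex_valid = false;
            st->rex_ignored = true;
        }
    }
    return PREFIX_RESULT_TRUNCATED;
}

/* Constructed input: n copies of prefix followed by opcode, scanned in 64-bit mode. */
int scan_repeated_prefix(uint8_t prefix, int n, uint8_t opcode)
{
    uint8_t insn[32];
    struct prefix_state st;
    if (n < 0 || n > (int)sizeof(insn) - 1) {
        return PREFIX_RESULT_TRUNCATED;
    }
    memset(insn, prefix, (size_t)n);
    insn[n] = opcode;
    return decode_prefixes(insn, (size_t)n + 1, true, &st);
}

/* Constructed input "48 2E 8B": REX then a CS override, so the REX is ignored. */
bool rex_before_legacy_is_ignored(void)
{
    static const uint8_t insn[] = { 0x48, 0x2E, 0x8B };
    struct prefix_state st;
    int n = decode_prefixes(insn, sizeof(insn), true, &st);
    return n == 2 && st.rex_ignored && !st.rex_valid;
}

int main(void)
{
    printf("66 90       -> %d prefix byte(s)\n", scan_repeated_prefix(0x66, 1, 0x90));
    printf("14 x 66, 90 -> %d\n", scan_repeated_prefix(0x66, 14, 0x90));
    printf("15 x 66, 90 -> %d (#UD)\n", scan_repeated_prefix(0x66, 15, 0x90));
    printf("48 2E 8B    -> REX ignored: %s\n", rex_before_legacy_is_ignored() ? "yes" : "no");
    return 0;
}
```

The check `st->count == X86_MAX_PREFIX_BYTES` runs before the store, so the array index can never reach the bound; a caller that receives PREFIX_RESULT_UD must raise the exception and stop decoding rather than continue to the opcode.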