From: Mihai Donțu
Subject: Re: [PATCH v2 2/3] x86/emulate: add support of emulating SSE2 instruction {, v}movd mm, m32
Date: Tue, 19 Jul 2016 23:35:40 +0300
Message-ID: <20160719233540.785e1033@bitdefender.com>
References: <20160718143020.14828-1-mdontu@bitdefender.com> <20160718143020.14828-2-mdontu@bitdefender.com> <56b5ac14-49bf-bb28-b47b-23c40ca4336d@citrix.com>
In-Reply-To: <56b5ac14-49bf-bb28-b47b-23c40ca4336d@citrix.com>
To: Andrew Cooper
Cc: Zhi Wang, Jan Beulich, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On Monday 18 July 2016 15:57:09 Andrew Cooper wrote:
> On 18/07/16 15:30, Mihai Donțu wrote:
> > @@ -4409,6 +4409,10 @@ x86_emulate(
> >      case 0x6f: /* movq mm/m64,mm */
> >                 /* {,v}movdq{a,u} xmm/m128,xmm */
> >                 /* vmovdq{a,u} ymm/m256,ymm */
> > +    case 0x7e: /* movd mm,r/m32 */
> > +               /* movq mm,r/m64 */
> > +               /* {,v}movd xmm,r/m32 */
> > +               /* {,v}movq xmm,r/m64 */
>
> This exposes a vulnerability where a guest can clobber local state in
> x86_emulate, by specifying registers such as %ebx as the destination.
>
> You must either
> 1) Move this case up above the fail_if(ea.type != OP_MEM); check, or
> 2) modify the stub logic to convert a GPR destination to a memory
> address pointing into _regs.

I'm taking a look at (2) as it feels like the best approach. If I'm not
making any good progress in the coming days, I'll fall back to (1).

Thank you,

-- 
Mihai DONȚU
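Review bot: the added `case 0x7e` labels fall through into the `case 0x6f` path, whose existing forms take only an MMX/SSE register or a memory operand (`mm/m64`, `xmm/m128`, `ymm/m256`), while the new forms can write a general-purpose register (`r/m32`, `r/m64`); nothing in the hunk distinguishes that GPR destination from a memory destination before the shared handling, which is the clobbering of emulator-local state the reply describes. Either keep the 0x7e case ahead of the `fail_if(ea.type != OP_MEM)` check named in the reply, or map a GPR destination onto the corresponding slot in `_regs` so the store is confined to the guest register image; whichever is chosen, the commit message should state how a register destination is handled, since the comment lines alone suggest memory-only operands.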