From patchwork Mon Mar 27 09:56:29 2017
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 9646131
From: Andrew Cooper
To: Xen-devel
Date: Mon, 27 Mar 2017 10:56:29 +0100
Message-ID: <1490608598-11197-2-git-send-email-andrew.cooper3@citrix.com>
In-Reply-To: <1490608598-11197-1-git-send-email-andrew.cooper3@citrix.com>
References: <1490608598-11197-1-git-send-email-andrew.cooper3@citrix.com>
Cc: Andrew Cooper, Jan Beulich
Subject: [Xen-devel] [PATCH 01/10] x86/emul: Correct the decoding of vlddqu

vlddqu is encoded with 0xf2 which causes it to fall into the Scalar general
case in x86_decode_twobyte().  However, it really does have just two
operands, so must remain TwoOp.

AFL discovered that the instruction

  c5 5b f0 3c e5 95 0a cd 63

was considered valid despite it being a two-operand instruction and
VEX.vvvv having the value 11.  The resulting use in a stub yielded #UD.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich

From manually decoding the instruction, I believe Xen's interpretation of
disp32(none*8) is correct.

binutils 2.25 (Debian Jessie) yields:

   0:   c5 5b f0 3c e5 95 0a    vlddqu 0x63cd0a95(,%riz,8),%xmm15
   7:   cd 63

where it has accounted for disp32 in its decode of the instruction, but
failed to properly move its instruction pointer on.

Intel XED OTOH simply gives up with:

  ERROR: GENERAL_ERROR Could not decode at offset: 0x0 PC: 0x0: [C55BF03CE5950ACD63000000000000]
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index bb67be6..497cc77 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2310,7 +2310,8 @@ x86_decode_twobyte( case 0x7f: case 0xc2 ... 0xc3: case 0xc5 ... 0xc6: - case 0xd0 ... 0xfe: + case 0xd0 ... 0xef: + case 0xf1 ... 0xfe: ctxt->opcode |= MASK_INSR(vex.pfx, X86EMUL_OPC_PFX_MASK); break; @@ -2332,9 +2333,9 @@ x86_decode_twobyte( if ( vex.pfx == vex_f3 ) /* movq xmm/m64,xmm */ { case X86EMUL_OPC_VEX_F3(0, 0x7e): /* vmovq xmm/m64,xmm */ - state->desc = DstImplicit | SrcMem | Mov; + state->desc = DstImplicit | SrcMem | TwoOp; state->simd_size = simd_other; - /* Avoid the state->desc adjustment below. */ + /* Avoid the state->desc clobbering of TwoOp below. */ return X86EMUL_OKAY; } break; @@ -2374,11 +2375,25 @@ x86_decode_twobyte( case X86EMUL_OPC_VEX_66(0, 0xc4): /* vpinsrw */ state->desc = DstReg | SrcMem16; break; + + case 0xf0: + ctxt->opcode |= MASK_INSR(vex.pfx, X86EMUL_OPC_PFX_MASK); + if ( vex.pfx == vex_f2 ) /* lddqu mem,xmm */ + { + /* fall through */ + case X86EMUL_OPC_VEX_F2(0, 0xf0): /* vlddqu mem,{x,y}mm */ + state->desc = DstImplicit | SrcMem | TwoOp; + state->simd_size = simd_other; + /* Avoid the state->desc clobbering of TwoOp below. */ + return X86EMUL_OKAY; + } + break; } /* * Scalar forms of most VEX-encoded TwoOp instructions have - * three operands. + * three operands. Those which do really have two operands + * should have exited earlier. */ if ( state->simd_size && vex.opcx && (vex.pfx & VEX_PREFIX_SCALAR_MASK) )
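Review bot: in the first hunk (the `case 0xd0 ... 0xfe` split at line 2310), the new pair `case 0xd0 ... 0xef:` / `case 0xf1 ... 0xfe:` leaves a hole at 0xf0 that nobody reading this part of the switch can explain without finding the separate `case 0xf0:` further down; a one-line comment at the gap, e.g. `/* 0xf0 (lddqu) is TwoOp and handled below */`, would mark the omission as deliberate and stop a later cleanup from merging the ranges back to `0xd0 ... 0xfe` and silently reintroducing the bug.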
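Review bot: in the second hunk (vmovq at line 2333), `state->desc` goes from `DstImplicit | SrcMem | Mov` to `DstImplicit | SrcMem | TwoOp`, which drops `Mov` as well as adding `TwoOp`, and the commit message, which only talks about vlddqu, does not mention touching vmovq at all. If `Mov` is redundant for a DstImplicit destination, say so in the description; otherwise keep it and use `DstImplicit | SrcMem | Mov | TwoOp`. The reworded comment ("Avoid the state->desc clobbering of TwoOp below") is an improvement, since it now says what the early return actually protects.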
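Review bot: in the third hunk (the new `case 0xf0:` at line 2375), only the F2 form is diverted; the other prefix forms of 0F F0 (none, 66, F3) still get `vex.pfx` merged into `ctxt->opcode` and then `break`, so their rejection relies on whatever the generic tables do with them later. A short comment stating that those encodings are undefined and are intended to fall out would make that explicit. Also, the VEX.vvvv != 1111 rejection that this fix depends on is not in this hunk but in the generic TwoOp handling elsewhere, so it would be worth adding the AFL byte sequence `c5 5b f0 3c e5 95 0a cd 63` to the emulator tests with an expectation of #UD, so the hole cannot reopen unnoticed.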
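As an added example, not Xen's code and not part of this patch, the following C walks the AFL byte sequence quoted in the commit message through the two-byte-VEX, ModRM and SIB rules and applies the two-operand check the patch restores. The struct, function and field names are invented for this example, and `valid_bytes` is a constructed counterpart of the AFL input with VEX.vvvv encoded as 1111b. It reproduces the author's reading of the memory operand as disp32 with no base and no index (binutils' `%riz` scaled by 8), reports the instruction as 9 bytes rather than the 7 that binutils 2.25 consumed, and flags the original encoding as #UD because its raw vvvv field is 1011b (11 decimal), i.e. a register where a two-operand instruction allows none.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Xen code: a minimal decoder for the two-byte-VEX (0xC5)
 * form of vlddqu (VEX.F2.0F F0 /r), enough to walk the bytes AFL produced and
 * to apply the rule the patch restores: vlddqu has two operands, so VEX.vvvv
 * must be encoded as 1111b (no register) or the CPU raises #UD.  Struct,
 * field and function names are this example's own.
 */
struct vlddqu_insn {
    uint8_t pp, l;          /* implied prefix (3 = F2) and VEX.L */
    uint8_t vvvv_raw, vvvv; /* bits as encoded, and their ones' complement */
    uint8_t reg;            /* ModRM.reg extended by VEX.R: destination */
    uint8_t mod, rm;
    int     has_sib;
    uint8_t scale, index, base;
    int32_t disp;
    int     fault_ud;       /* encoding the CPU rejects */
};

enum vlddqu_field { F_LEN, F_VVVV_RAW, F_VVVV, F_REG, F_SCALE, F_INDEX,
                    F_BASE, F_DISP, F_UD };

/*
 * Decode one C5-encoded vlddqu from buf.  Returns the bytes consumed, or 0
 * when the buffer is too short or the bytes are not VEX.F2.0F F0 at all.
 */
static size_t decode_vlddqu(const uint8_t *buf, size_t len,
                            struct vlddqu_insn *ins)
{
    size_t pos = 4;
    uint8_t b1, modrm, rex_r;

    if ( len < 4 || buf[0] != 0xc5 || buf[2] != 0xf0 )
        return 0;

    b1 = buf[1];
    rex_r         = !(b1 & 0x80);         /* VEX.R is stored inverted */
    ins->vvvv_raw = (b1 >> 3) & 0xf;
    ins->vvvv     = ~ins->vvvv_raw & 0xf;
    ins->l        = (b1 >> 2) & 1;
    ins->pp       = b1 & 3;
    if ( ins->pp != 3 )
        return 0;                          /* not the F2 form */

    modrm    = buf[3];
    ins->mod = modrm >> 6;
    ins->reg = ((modrm >> 3) & 7) | (rex_r << 3);
    ins->rm  = modrm & 7;
    ins->has_sib = ins->scale = ins->index = ins->base = 0;
    ins->disp = 0;

    /* Two operands only: a register in vvvv, or a register source, is #UD. */
    ins->fault_ud = ins->vvvv_raw != 0xf || ins->mod == 3;
    if ( ins->mod == 3 )
        return pos;

    if ( ins->rm == 4 )                    /* SIB byte follows */
    {
        if ( pos >= len )
            return 0;
        ins->has_sib = 1;
        ins->scale = buf[pos] >> 6;
        ins->index = (buf[pos] >> 3) & 7;  /* C5 has no VEX.X: 100b = none */
        ins->base  = buf[pos] & 7;
        pos++;
    }

    if ( ins->mod == 1 )                   /* disp8 */
    {
        if ( pos + 1 > len )
            return 0;
        ins->disp = (int8_t)buf[pos++];
    }
    else if ( ins->mod == 2 || (ins->mod == 0 &&
              (ins->rm == 5 || (ins->has_sib && ins->base == 5))) )
    {                                      /* disp32, incl. base-less SIB */
        if ( pos + 4 > len )
            return 0;
        ins->disp = (int32_t)((uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8 |
                   (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24);
        pos += 4;
    }
    return pos;
}

/* Decode buf and return one field, so each part of the decode can be checked. */
static long long vlddqu_field(const uint8_t *buf, size_t len, enum vlddqu_field f)
{
    struct vlddqu_insn ins = { 0 };
    size_t n = decode_vlddqu(buf, len, &ins);

    switch ( f )
    {
    case F_LEN:      return (long long)n;
    case F_VVVV_RAW: return ins.vvvv_raw;
    case F_VVVV:     return ins.vvvv;
    case F_REG:      return ins.reg;
    case F_SCALE:    return ins.scale;
    case F_INDEX:    return ins.index;
    case F_BASE:     return ins.base;
    case F_DISP:     return ins.disp;
    case F_UD:       return ins.fault_ud;
    }
    return -1;
}

/* The bytes AFL produced, as quoted in the commit message. */
static const uint8_t afl_bytes[] =
    { 0xc5, 0x5b, 0xf0, 0x3c, 0xe5, 0x95, 0x0a, 0xcd, 0x63 };
/* Same instruction with vvvv = 1111b, constructed here as the valid counterpart. */
static const uint8_t valid_bytes[] =
    { 0xc5, 0x7b, 0xf0, 0x3c, 0xe5, 0x95, 0x0a, 0xcd, 0x63 };

int main(void)
{
    const uint8_t *samples[] = { afl_bytes, valid_bytes };
    for ( int i = 0; i < 2; i++ )
    {
        struct vlddqu_insn ins = { 0 };
        size_t n = decode_vlddqu(samples[i], 9, &ins);
        printf("%zu bytes, vvvv raw %u (reg %u), dst xmm%u, disp32 0x%x: %s\n", n,
               ins.vvvv_raw, ins.vvvv, ins.reg, (unsigned)ins.disp,
               ins.fault_ud ? "#UD" : "valid");
    }
    return 0;
}
```

Handing the decoder only the first 7 bytes, the count binutils 2.25 consumed, makes it return 0 because the disp32 that ModRM.mod=00 with SIB.base=101 demands does not fit; that is the same length disagreement the author observed, seen from the decoder's side.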