From: Paolo Bonzini <[email protected]>
Correctly reject invalid segment registers, including CS when used as
the destination of a MOV. Ignore the REX prefix as well.
Fixes: 5e9e21bcc4d ("target/i386: move 60-BF opcodes to new decoder",
2024-05-07)
Cc: [email protected]
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3195
Signed-off-by: Paolo Bonzini <[email protected]>
(cherry picked from commit ebb46ba6a4a20d393a6889c21e8a80dabab4cc8e)
Signed-off-by: Michael Tokarev <[email protected]>
diff --git a/target/i386/tcg/decode-new.c.inc b/target/i386/tcg/decode-new.c.inc
index 805cfd08e8..0f8c5d1693 100644
--- a/target/i386/tcg/decode-new.c.inc
+++ b/target/i386/tcg/decode-new.c.inc
@@ -2059,7 +2059,12 @@ static bool decode_op(DisasContext *s, CPUX86State *env,
X86DecodedInsn *decode,
case X86_TYPE_S: /* reg selects a segment register */
op->unit = X86_OP_SEG;
- goto get_reg;
+ op->n = (get_modrm(s, env) >> 3) & 7;
+ /* Values outside [CDEFGS]S, as well as storing to CS, are invalid. */
+ if (op->n >= 6 || (op->n == R_CS && op == &decode->op[0])) {
+ return false;
+ }
+ break;
case X86_TYPE_P:
op->unit = X86_OP_MMX;
--
2.47.3
