On 16.04.2025 15:52, Jan Beulich wrote:
> On 15.04.2025 23:52, Manuel Andreas wrote:
>> my fuzzing infrastructure discovered that an assert in
>> x86_emulate_wrapper is able to be triggered by an HVM domain executing a
>> specially crafted repeating movs instruction.
>>
>> Specifically, if the emulation of the rep movs instruction triggers an
>> exception (e.g. by accessing invalid memory after some amount of
>> iterations), the emulation will be halted at that point.
>> However, the instruction manual requires that _some_ register state
>> (namely the updated value of rcx) shall be committed, whereas the
>> instruction pointer needs to be rolled back to point to the address of
>> the instruction itself. The assert checks for the latter. Problematic is
>> the fact that for these types of repeating instructions, Xen seems to
>> eventually just commit all register state when it encounters an exception:
>
> If my analysis is correct, none of this matters here; the core emulator
> is working correctly. Hence also why the in-tree fuzzer wouldn't have
> caught it. Would you please give the patch a try that I just sent, with
> Cc to you (sorry, the list archive didn't pick it up yet, hence no link)?
https://lists.xen.org/archives/html/xen-devel/2025-04/msg01283.html
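The architectural rule the report refers to (a fault mid-way through a rep string instruction commits the iterations already done in rcx/rsi/rdi but leaves rip at the instruction so it can be resumed) is easy to get wrong in an emulator. The following is an added illustration of that rule in a toy emulator, not Xen's x86_emulate code or the patch linked above; the register struct, the flat guest memory with a movable mapping limit, the `emulate_rep_movsb` routine and the `rip_invariant_holds` check are all hypothetical stand-ins for whatever a real emulator does.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical register file: only what rep movsb touches (assumption). */
struct regs { uint64_t rip, rcx, rsi, rdi; };

enum emu_result { EMU_OK, EMU_FAULT };

#define REP_MOVSB_LEN 2          /* encoding F3 A4 */
#define GUEST_MEM_SIZE 128

/* Constructed flat guest memory; any access at or beyond guest_limit
 * faults. The limit is mutable so a scenario can "map" more memory. */
static uint8_t guest_mem[GUEST_MEM_SIZE];
static uint64_t guest_limit = 64;

static bool guest_read(uint64_t addr, uint8_t *out)
{
    if (addr >= guest_limit)
        return false;
    *out = guest_mem[addr];
    return true;
}

static bool guest_write(uint64_t addr, uint8_t val)
{
    if (addr >= guest_limit)
        return false;
    guest_mem[addr] = val;
    return true;
}

/* Forward "rep movsb". A fault in iteration i leaves rcx/rsi/rdi reflecting
 * the i completed iterations and rip still at the instruction, so the
 * guest's handler can fix the mapping and resume without resetting rcx. */
static enum emu_result emulate_rep_movsb(struct regs *r)
{
    struct regs work = *r;           /* scratch state, committed below */

    while (work.rcx) {
        uint8_t b;
        if (!guest_read(work.rsi, &b) || !guest_write(work.rdi, b)) {
            /* Partial progress is architectural state: commit it,
             * but leave rip untouched. */
            r->rcx = work.rcx;
            r->rsi = work.rsi;
            r->rdi = work.rdi;
            return EMU_FAULT;
        }
        work.rsi++;
        work.rdi++;
        work.rcx--;
    }
    *r = work;
    r->rip += REP_MOVSB_LEN;
    return EMU_OK;
}

/* Post-condition a wrapper can assert: rip advanced by exactly the
 * instruction length on completion, unchanged on a fault. */
static bool rip_invariant_holds(const struct regs *before,
                                const struct regs *after,
                                enum emu_result res)
{
    return res == EMU_OK ? after->rip == before->rip + REP_MOVSB_LEN
                         : after->rip == before->rip;
}

struct scenario_result {
    struct regs after_fault;
    struct regs after_restart;
    bool invariant_ok;   /* rip handled correctly on both runs */
    bool data_ok;        /* all 16 bytes landed after the restart */
};

/* Copy 16 bytes from guest 0 to guest 56 with only 64 bytes mapped: the
 * 9th write (to address 64) faults after 8 iterations. Then "map" more
 * memory and re-execute from the same rip with the committed registers. */
struct scenario_result run_scenario(void)
{
    struct scenario_result out;
    struct regs before, r = { .rip = 0x1000, .rcx = 16, .rsi = 0, .rdi = 56 };
    enum emu_result res;
    unsigned i;

    guest_limit = 64;
    memset(guest_mem, 0, sizeof guest_mem);
    for (i = 0; i < 16; i++)
        guest_mem[i] = (uint8_t)(0xA0 + i);   /* constructed source bytes */

    before = r;
    res = emulate_rep_movsb(&r);
    out.after_fault = r;
    out.invariant_ok = res == EMU_FAULT && rip_invariant_holds(&before, &r, res);

    guest_limit = GUEST_MEM_SIZE;             /* handler resolved the fault */
    before = r;
    res = emulate_rep_movsb(&r);
    out.after_restart = r;
    out.invariant_ok = out.invariant_ok && res == EMU_OK &&
                       rip_invariant_holds(&before, &r, res);
    out.data_ok = memcmp(guest_mem, guest_mem + 56, 16) == 0;
    return out;
}

int main(void)
{
    struct scenario_result s = run_scenario();
    printf("fault:   rip=%#" PRIx64 " rcx=%" PRIu64 " rsi=%" PRIu64 " rdi=%" PRIu64 "\n",
           s.after_fault.rip, s.after_fault.rcx, s.after_fault.rsi, s.after_fault.rdi);
    printf("restart: rip=%#" PRIx64 " rcx=%" PRIu64 " ok=%d data=%d\n",
           s.after_restart.rip, s.after_restart.rcx, s.invariant_ok, s.data_ok);
    return s.invariant_ok && s.data_ok ? 0 : 1;
}
```

The scratch copy in `emulate_rep_movsb` is the point: the loop never writes the caller's registers until it knows whether it faulted, and on a fault it copies back the counters but not rip. An emulator that instead commits its whole working register set on the exception path would advance rip as well, which is exactly the condition a wrapper-level check like `rip_invariant_holds` is there to catch.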