On 4/16/25 15:52, Jan Beulich wrote:
On 15.04.2025 23:52, Manuel Andreas wrote:
my fuzzing infrastructure discovered that an assert in
x86_emulate_wrapper can be triggered by an HVM domain executing a
specially crafted repeating movs instruction.
Specifically, if the emulation of the rep movs instruction triggers an
exception (e.g. by accessing invalid memory after some amount of
iterations), the emulation will be halted at that point.
However, the instruction manual requires that _some_ register state
(namely the updated value of rcx) shall be committed, whereas the
instruction pointer needs to be rolled back to point to the address of
the instruction itself. The assert checks for the latter. Problematic is
the fact that for this type of repeating instruction, Xen seems to
eventually just commit all register state when it encounters an exception:
If my analysis is correct, none of this matters here; the core emulator
is working correctly. Hence also why the in-tree fuzzer wouldn't have
caught it. Would you please give the patch a try that I just sent, with
Cc to you (sorry, the list archive didn't pick it up yet, hence no link)?
Jan
Sorry about the late reply; I just got around to applying your patch a few
days ago.
I verified that the provided XTF test does not trigger the assert anymore.
Moreover, I fuzzed the patched version for a few days and the bug (or
possibly newly introduced ones) did not pop up, so I believe the root
cause was fixed correctly.
Best,
Manuel
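The architectural contract Manuel describes above (RCX holding the count left after the last completed iteration, RSI/RDI advanced accordingly, and RIP left pointing at the REP MOVS itself so the instruction can be restarted) can be observed from user space on Linux/x86-64 without Xen: a SIGSEGV handler is handed the same register state that a hypervisor's instruction emulator has to reproduce when the guest's string operation faults part-way. The following is an added example, not code from this thread, from Xen or from XTF; the assembly helper do_rep_movsb, the label rep_movsb_insn and the run_rep_movs() scenario are mine, and the code assumes a Linux/x86-64 host with a glibc-compatible ucontext layout.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#ifndef REG_RIP /* glibc x86-64 gregs indices, in case the GNU definitions were not pulled in */
enum { REG_RDI = 8, REG_RSI = 9, REG_RCX = 14, REG_RIP = 16 };
#endif

/* Assembly helper written for this example: rdi = dst, rsi = src, rdx = count; returns the
 * leftover RCX (0 on success).  The global label rep_movsb_insn marks the REP MOVSB itself
 * so the fault handler can compare the faulting RIP against it. */
__asm__(".text\n"
        ".globl do_rep_movsb\n.type do_rep_movsb, @function\n"
        "do_rep_movsb:\n    mov %rdx, %rcx\n"
        ".globl rep_movsb_insn\nrep_movsb_insn:\n    rep movsb\n"
        "    mov %rcx, %rax\n    ret\n"
        ".size do_rep_movsb, .-do_rep_movsb\n");
extern unsigned long do_rep_movsb(void *dst, const void *src, unsigned long n);
extern const char rep_movsb_insn[];

struct outcome {
    int ok, faulted;
    int rip_points_at_insn;     /* RIP seen by the handler == address of the REP MOVSB */
    int regs_consistent;        /* RCX/RSI/RDI agree with the bytes actually written */
    unsigned long rcx_at_fault; /* RCX seen by the handler, or leftover count if no fault */
    unsigned long bytes_copied; /* bytes that really landed in the destination */
};

static sigjmp_buf fault_jmp;
static volatile unsigned long f_rip, f_rcx, f_rsi, f_rdi;
static unsigned char dst[256];

static void on_segv(int sig, siginfo_t *si, void *uctx)
{
    ucontext_t *uc = uctx;
    (void)sig; (void)si;
    f_rip = uc->uc_mcontext.gregs[REG_RIP];
    f_rcx = uc->uc_mcontext.gregs[REG_RCX];
    f_rsi = uc->uc_mcontext.gregs[REG_RSI];
    f_rdi = uc->uc_mcontext.gregs[REG_RDI];
    siglongjmp(fault_jmp, 1); /* returning would restart the faulting REP MOVSB forever */
}

/* Copy `total` bytes whose first `valid` bytes sit at the end of a readable page and the
 * rest in a PROT_NONE page, so the copy faults after exactly `valid` iterations. */
struct outcome run_rep_movs(unsigned long valid, unsigned long total)
{
    struct outcome r = {0};
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *region;
    struct sigaction sa, old;
    volatile int faulted = 0;
    volatile unsigned long leftover = 0;
    if (total > sizeof dst || valid > total || valid > (unsigned long)page)
        return r;
    region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return r;
    mprotect(region + page, page, PROT_NONE); /* second page is inaccessible */
    memset(region, 0xAB, page);               /* constructed source pattern */
    memset(dst, 0, sizeof dst);
    const unsigned char *src = region + page - valid;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv; sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0)
        leftover = do_rep_movsb(dst, src, total);
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    for (unsigned long i = 0; i < total && dst[i] == 0xAB; i++)
        r.bytes_copied++;
    r.ok = 1; r.faulted = faulted;
    r.rcx_at_fault = faulted ? f_rcx : leftover;
    if (faulted) {
        r.rip_points_at_insn = f_rip == (unsigned long)rep_movsb_insn;
        r.regs_consistent = f_rcx == total - r.bytes_copied &&
                            f_rsi == (unsigned long)src + r.bytes_copied &&
                            f_rdi == (unsigned long)dst + r.bytes_copied;
    }
    munmap(region, 2 * page);
    return r;
}

/* Named checks for the scenario from the thread: a 64-byte REP MOVSB with only 16 readable bytes. */
int fault_rolls_rip_back(void) { struct outcome r = run_rep_movs(16, 64); return r.ok && r.faulted && r.rip_points_at_insn; }
unsigned long rcx_after_fault(void) { return run_rep_movs(16, 64).rcx_at_fault; }
int fault_regs_consistent(void) { struct outcome r = run_rep_movs(16, 64); return r.ok && r.regs_consistent; }
int in_bounds_copy_completes(void) { struct outcome r = run_rep_movs(64, 64); return r.ok && !r.faulted && r.rcx_at_fault == 0 && r.bytes_copied == 64; }

int main(void) { return fault_rolls_rip_back() && rcx_after_fault() == 48 ? 0 : 1; }
```

run_rep_movs(16, 64) requests 64 bytes of which only the first 16 are readable; on a conforming CPU the handler observes RCX = 48, RSI and RDI advanced by 16, RIP equal to the address of the REP MOVSB, and exactly 16 bytes present in the destination, which is the state an emulator must commit before injecting the fault. run_rep_movs(64, 64) is the non-faulting control, where the leftover count is 0. This exercises the hardware behaviour only; the XTF test referred to in the thread is what targets Xen's emulator itself.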