From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: paul@nowt.org, richard.henderson@linaro.org
Subject: [PATCH v3 11/23] i386: Add CHECK_NO_VEX
Date: Thu, 1 Sep 2022 09:48:30 +0200 [thread overview]
Message-ID: <20220901074842.57424-12-pbonzini@redhat.com> (raw)
In-Reply-To: <20220901074842.57424-1-pbonzini@redhat.com>
From: Paul Brook <paul@nowt.org>
Reject invalid VEX encodings on MMX instructions.
Signed-off-by: Paul Brook <paul@nowt.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220424220204.2493824-7-paul@nowt.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/translate.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index c6a9a5b1d4..99c84473f4 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -3186,6 +3186,12 @@ static const struct SSEOpHelper_table7 sse_op_table7[256] = {
#undef BLENDV_OP
#undef SPECIAL_OP
+/* VEX prefix not allowed */
+#define CHECK_NO_VEX(s) do { \
+ if (s->prefix & PREFIX_VEX) \
+ goto illegal_op; \
+ } while (0)
+
static void gen_sse(CPUX86State *env, DisasContext *s, int b,
target_ulong pc_start)
{
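Review bot: The macro parameter `s` is used unparenthesized in `s->prefix`, and the expansion branches to a label the macro does not declare, so it silently depends on an `illegal_op` label existing in whatever function uses it (here gen_sse, whose body starts at the end of this hunk and continues outside it). Parenthesizing the argument, `if ((s)->prefix & PREFIX_VEX) \`, costs nothing and protects against a future caller passing an expression. The label dependency is worth stating in the header comment, e.g. `/* VEX prefix not allowed: raises #UD via the caller's illegal_op label, so only usable inside gen_sse or a function with that label */`.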
@@ -3272,6 +3278,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
b |= (b1 << 8);
switch(b) {
case 0x0e7: /* movntq */
+ CHECK_NO_VEX(s);
if (mod == 3) {
goto illegal_op;
}
@@ -3307,6 +3314,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
}
break;
case 0x6e: /* movd mm, ea */
+ CHECK_NO_VEX(s);
#ifdef TARGET_X86_64
if (s->dflag == MO_64) {
gen_ldst_modrm(env, s, modrm, MO_64, OR_TMP0, 0);
@@ -3338,6 +3346,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
}
break;
case 0x6f: /* movq mm, ea */
+ CHECK_NO_VEX(s);
if (mod != 3) {
gen_lea_modrm(env, s, modrm);
gen_ldq_env_A0(s, offsetof(CPUX86State, fpregs[reg].mmx));
@@ -3473,6 +3482,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
break;
case 0x178:
case 0x378:
+ CHECK_NO_VEX(s);
{
int bit_index, field_length;
@@ -3492,6 +3502,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
}
break;
case 0x7e: /* movd ea, mm */
+ CHECK_NO_VEX(s);
#ifdef TARGET_X86_64
if (s->dflag == MO_64) {
tcg_gen_ld_i64(s->T0, cpu_env,
@@ -3532,6 +3543,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
gen_op_movq_env_0(s, offsetof(CPUX86State, xmm_regs[reg].ZMM_Q(1)));
break;
case 0x7f: /* movq ea, mm */
+ CHECK_NO_VEX(s);
if (mod != 3) {
gen_lea_modrm(env, s, modrm);
gen_stq_env_A0(s, offsetof(CPUX86State, fpregs[reg].mmx));
@@ -3614,6 +3626,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
offsetof(CPUX86State, xmm_t0.ZMM_L(1)));
op1_offset = offsetof(CPUX86State,xmm_t0);
} else {
+ CHECK_NO_VEX(s);
tcg_gen_movi_tl(s->T0, val);
tcg_gen_st32_tl(s->T0, cpu_env,
offsetof(CPUX86State, mmx_t0.MMX_L(0)));
@@ -3653,6 +3666,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
break;
case 0x02a: /* cvtpi2ps */
case 0x12a: /* cvtpi2pd */
+ CHECK_NO_VEX(s);
gen_helper_enter_mmx(cpu_env);
if (mod != 3) {
gen_lea_modrm(env, s, modrm);
@@ -3698,6 +3712,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
case 0x12c: /* cvttpd2pi */
case 0x02d: /* cvtps2pi */
case 0x12d: /* cvtpd2pi */
+ CHECK_NO_VEX(s);
gen_helper_enter_mmx(cpu_env);
if (mod != 3) {
gen_lea_modrm(env, s, modrm);
@@ -3771,6 +3786,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
tcg_gen_st16_tl(s->T0, cpu_env,
offsetof(CPUX86State,xmm_regs[reg].ZMM_W(val)));
} else {
+ CHECK_NO_VEX(s);
val &= 3;
tcg_gen_st16_tl(s->T0, cpu_env,
offsetof(CPUX86State,fpregs[reg].mmx.MMX_W(val)));
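Review bot: The check is placed in the MMX `else` branch, after the source operand has already been fetched by the code that precedes the if/else (outside this hunk); if that fetch is a memory load, a VEX-encoded form with an unmapped memory operand would be translated to fault with #PF before the #UD that the decoder is meant to raise. Whether that ordering is visible to a guest cannot be told from the visible lines, but since `b1` already distinguishes the MMX form at the top of the case, `if (b1 == 0) { CHECK_NO_VEX(s); }` placed before the operand fetch would make the rejection unconditional and first. The enclosing case begins before the hunk.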
@@ -3810,6 +3826,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
}
break;
case 0x2d6: /* movq2dq */
+ CHECK_NO_VEX(s);
gen_helper_enter_mmx(cpu_env);
rm = (modrm & 7);
gen_op_movq(s, offsetof(CPUX86State, xmm_regs[reg].ZMM_Q(0)),
@@ -3817,6 +3834,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
gen_op_movq_env_0(s, offsetof(CPUX86State, xmm_regs[reg].ZMM_Q(1)));
break;
case 0x3d6: /* movdq2q */
+ CHECK_NO_VEX(s);
gen_helper_enter_mmx(cpu_env);
rm = (modrm & 7) | REX_B(s);
gen_op_movq(s, offsetof(CPUX86State, fpregs[reg & 7].mmx),
@@ -3831,6 +3849,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
tcg_gen_addi_ptr(s->ptr0, cpu_env, ZMM_OFFSET(rm));
gen_helper_pmovmskb_xmm(s->tmp2_i32, cpu_env, s->ptr0);
} else {
+ CHECK_NO_VEX(s);
rm = (modrm & 7);
tcg_gen_addi_ptr(s->ptr0, cpu_env,
offsetof(CPUX86State, fpregs[rm].mmx));
@@ -3901,6 +3920,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
tcg_gen_addi_ptr(s->ptr1, cpu_env, op2_offset);
op6->fn[b1].op1(cpu_env, s->ptr0, s->ptr1);
} else {
+ CHECK_NO_VEX(s);
if ((op6->flags & SSE_OPF_MMX) == 0) {
goto unknown_op;
}
@@ -3934,6 +3954,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
case 0x3f0: /* crc32 Gd,Eb */
case 0x3f1: /* crc32 Gd,Ey */
do_crc32:
+ CHECK_NO_VEX(s);
if (!(s->cpuid_ext_features & CPUID_EXT_SSE42)) {
goto illegal_op;
}
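Review bot: The commit message says the new check rejects VEX encodings on MMX instructions, but this hunk and the following ones add it to crc32, movbe (`case 0x0f0`/`0x0f1`) and adcx/adox, which are integer instructions with no MMX operand; they simply have no VEX form. Widening the description to something like `Reject VEX encodings on MMX instructions and on other legacy-only opcodes (crc32, movbe, adcx/adox)` would spare the next reader from wondering whether those hunks belong to this patch. The enclosing case list and the do_crc32 body continue outside the hunk.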
@@ -3956,6 +3977,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
case 0x1f0: /* crc32 or movbe */
case 0x1f1:
+ CHECK_NO_VEX(s);
/* For these insns, the f3 prefix is supposed to have priority
over the 66 prefix, but that's not what we implement above
setting b1. */
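Review bot: The check added at the top of `case 0x1f0`/`0x1f1` looks redundant: from the visible lines this case either jumps to `do_crc32`, which now checks at its label, or falls through (`/* FALLTHRU */`) to `case 0x0f0`, which checks again in the next hunk. The lines between the two hunks are not visible, so if there is a third path out of this case the extra check is justified; otherwise dropping the line `CHECK_NO_VEX(s);` here avoids testing the same prefix twice on every path. The enclosing case continues past the hunk.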
@@ -3965,6 +3987,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
/* FALLTHRU */
case 0x0f0: /* movbe Gy,My */
case 0x0f1: /* movbe My,Gy */
+ CHECK_NO_VEX(s);
if (!(s->cpuid_ext_features & CPUID_EXT_MOVBE)) {
goto illegal_op;
}
@@ -4131,6 +4154,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
case 0x1f6: /* adcx Gy, Ey */
case 0x2f6: /* adox Gy, Ey */
+ CHECK_NO_VEX(s);
if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_ADX)) {
goto illegal_op;
} else {
@@ -4436,6 +4460,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
}
if (b1 == 0) {
+ CHECK_NO_VEX(s);
/* MMX */
if ((op7->flags & SSE_OPF_MMX) == 0) {
goto illegal_op;
@@ -4582,6 +4607,7 @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
op2_offset = ZMM_OFFSET(rm);
}
} else {
+ CHECK_NO_VEX(s);
op1_offset = offsetof(CPUX86State,fpregs[reg].mmx);
if (mod != 3) {
gen_lea_modrm(env, s, modrm);
--
2.37.1