[PATCH] x86: emulate lea with two register operands correctly

[PATCH] x86: emulate lea with two register operands correctly

[David Vrabel]

An lea instruction with two register operands should raise an
undefined instruction exception.

Skype does such a instruction and will crash when starting if it does
not get the exception.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>

diff -r efaa28639a71 -r e25b7798f13b xen/arch/x86/x86_emulate/x86_emulate.c
--- a/xen/arch/x86/x86_emulate/x86_emulate.c	Wed Jan 04 16:12:44 2012 +0000
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c	Thu Jan 05 14:58:56 2012 +0000
@@ -2240,6 +2240,7 @@ x86_emulate(
     }
 
     case 0x8d: /* lea */
+        generate_exception_if(modrm_mod == 3, EXC_UD, -1);
         dst.val = ea.mem.off;
         break;

Re: [PATCH] x86: emulate lea with two register operands correctly

[Keir Fraser]

On 05/01/2012 15:03, "David Vrabel" <david.vrabel@citrix.com> wrote:

> An lea instruction with two register operands should raise an
> undefined instruction exception.
> 
> Skype does such a instruction and will crash when starting if it does
> not get the exception.

Thanks. I think it is a little nicer to check ea.type != OP_MEM, so I made
that change before committing this patch. It's now in xen-unstable staging.

It's a bit concerning that we're emulating LEA at all, perhaps. I wonder if
a pagetable page has been reused as a code page and we didn't notice yet? Or
is there some other reason that skype is getting emulated? :-)

 -- Keir

> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
> 
> diff -r efaa28639a71 -r e25b7798f13b xen/arch/x86/x86_emulate/x86_emulate.c
> --- a/xen/arch/x86/x86_emulate/x86_emulate.c Wed Jan 04 16:12:44 2012 +0000
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c Thu Jan 05 14:58:56 2012 +0000
> @@ -2240,6 +2240,7 @@ x86_emulate(
>      }
>  
>      case 0x8d: /* lea */
> +        generate_exception_if(modrm_mod == 3, EXC_UD, -1);
>          dst.val = ea.mem.off;
>          break;
>  
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel

Re: [PATCH] x86: emulate lea with two register operands correctly

[Tim Deegan]

At 15:49 +0000 on 05 Jan (1325778595), Keir Fraser wrote:
> On 05/01/2012 15:03, "David Vrabel" <david.vrabel@citrix.com> wrote:
> 
> > An lea instruction with two register operands should raise an
> > undefined instruction exception.
> > 
> > Skype does such a instruction and will crash when starting if it does
> > not get the exception.
> 
> Thanks. I think it is a little nicer to check ea.type != OP_MEM, so I made
> that change before committing this patch. It's now in xen-unstable staging.
> 
> It's a bit concerning that we're emulating LEA at all, perhaps. I wonder if
> a pagetable page has been reused as a code page and we didn't notice yet? Or
> is there some other reason that skype is getting emulated? :-)

#UD exceptions in HVM are passed to the emulator (IIRC as part of the
cross-vendor migration patches, so SYSENTER & friends could be managed).

Tim.

Re: [PATCH] x86: emulate lea with two register operands correctly

[David Vrabel]

On 05/01/12 15:49, Keir Fraser wrote:
> On 05/01/2012 15:03, "David Vrabel" <david.vrabel@citrix.com> wrote:
> 
>> An lea instruction with two register operands should raise an
>> undefined instruction exception.
>>
>> Skype does such a instruction and will crash when starting if it does
>> not get the exception.
> 
> Thanks. I think it is a little nicer to check ea.type != OP_MEM, so I made
> that change before committing this patch. It's now in xen-unstable staging.

That works for me, thanks.

I also think this patch should be a 4.1 candidate.

David

Re: [PATCH] x86: emulate lea with two register operands correctly

[Keir Fraser]

On 05/01/2012 16:06, "Tim Deegan" <tim@xen.org> wrote:

> At 15:49 +0000 on 05 Jan (1325778595), Keir Fraser wrote:
>> On 05/01/2012 15:03, "David Vrabel" <david.vrabel@citrix.com> wrote:
>> 
>>> An lea instruction with two register operands should raise an
>>> undefined instruction exception.
>>> 
>>> Skype does such a instruction and will crash when starting if it does
>>> not get the exception.
>> 
>> Thanks. I think it is a little nicer to check ea.type != OP_MEM, so I made
>> that change before committing this patch. It's now in xen-unstable staging.
>> 
>> It's a bit concerning that we're emulating LEA at all, perhaps. I wonder if
>> a pagetable page has been reused as a code page and we didn't notice yet? Or
>> is there some other reason that skype is getting emulated? :-)
> 
> #UD exceptions in HVM are passed to the emulator (IIRC as part of the
> cross-vendor migration patches, so SYSENTER & friends could be managed).

Duh, good point.

 -- Keir

> Tim.