From: Cameron Esfahani <dirty@apple.com>
A guest could craft a specific stream of instructions that would cause QEMU to
write 0xF9 to inappropriate locations in memory. Add additional asserts
to check for this. Generate a #UD if there are more than 14 prefix bytes.
Found by Julian Stecklina <julian.stecklina@cyberus-technology.de>
Signed-off-by: Cameron Esfahani <dirty@apple.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
target/i386/hvf/x86_decode.c | 11 +++++++++--
target/i386/hvf/x86hvf.c | 8 ++++++++
target/i386/hvf/x86hvf.h | 1 +
3 files changed, 18 insertions(+), 2 deletions(-)
@@ -1847,7 +1849,8 @@ void calc_modrm_operand(CPUX86State *env, struct
x86_decode *decode,
static void decode_prefix(CPUX86State *env, struct x86_decode *decode)
{
- while (1) {
+ /* At most 14 prefix bytes. */
+ for (int i = 0; i < 14; i++) {
/*
* REX prefix must come after legacy prefixes.
* REX before legacy is ignored.
@@ -1892,6 +1895,8 @@ static void decode_prefix(CPUX86State *env, struct
x86_decode *decode)
return;
}
}
+ /* Too many prefixes! Generate #UD. */
+ hvf_inject_ud(env);
}
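Review bot: The injected #UD on the line above is not reported to the caller: decode_prefix still returns normally, so the caller (outside this hunk) continues decoding from the byte that exceeded the limit and may emulate whatever it finds there before the exception is delivered. Since the point of the change is to stop a guest-controlled byte stream from driving further writes, I would make the failure explicit — have decode_prefix return `bool`, with `return false;` after `hvf_inject_ud(env);` and `return true;` on the existing exits — and have the caller stop decoding when it gets false; if the existing exception path already guarantees the decoded instruction is never executed, a comment at the injection site saying so would do, e.g. `/* Caller must not emulate the instruction once #UD is pending. */`. The limit is also spelled twice in the earlier hunk, in the comment and in `i < 14`; a named constant such as `X86_MAX_PREFIX_BYTES` would keep the two from drifting apart. The loop body and its `return` exits lie outside this hunk.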