
UBSan bug in real mode fpu emulation


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Fabian Specht <f.specht@xxxxxx>
  • Date: Thu, 24 Apr 2025 03:08:50 +0200
  • Authentication-results: postout.lrz.de (amavis); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=tum.de
  • Cc: manuel.andreas@xxxxxx
  • Delivery-date: Thu, 24 Apr 2025 01:09:30 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Dear Xen-Devel team,

we discovered a bug regarding undefined behaviour in the FPU emulation
unit.

if ( !s->rex_prefix )
{
    /* Convert 32-bit real/vm86 to 32-bit prot format. */
    unsigned int fip = fpstate.env.mode.real.fip_lo +
                       (fpstate.env.mode.real.fip_hi << 16); /* shift reported by UBSan (blk.c:85) */
    unsigned int fdp = fpstate.env.mode.real.fdp_lo +
                       (fpstate.env.mode.real.fdp_hi << 16); /* same pattern (blk.c:87) */
    unsigned int fop = fpstate.env.mode.real.fop;

    fpstate.env.mode.prot.fip = fip & 0xf;
    fpstate.env.mode.prot.fcs = fip >> 4;
    fpstate.env.mode.prot.fop = fop;
    fpstate.env.mode.prot.fdp = fdp & 0xf;
    fpstate.env.mode.prot.fds = fdp >> 4;
}

It occurs at arch/x86/arch/x86/x86_emulate/blk.c:85 of the v4.20.0
release during the bit shift and can be triggered using the attached xtf
test. We are not aware of any security consequences.
Simply shifting by 4 should do the trick in my opinion.

Similar code resides in the same file in lines 87, 125 and 127.
The attached xtf test is run for hvm32.

~Fabian

Attachment: main.c
Description: Text document
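The conversion quoted in the report, rewritten as an added example that is not code from the e-mail or from Xen's tree: the 16-bit high halves are widened to a 32-bit unsigned value before the `<< 16`, so the shift is defined for every input, including values with bit 15 set, where a shift on the promoted `int` would overflow. The struct names, field widths and the 32-bit width of the protected-mode fields are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the real-mode FPU environment: a 16-bit low half
 * and a 16-bit high half for each of FIP and FDP (widths are assumed). */
struct real_env {
    uint16_t fip_lo, fip_hi;
    uint16_t fdp_lo, fdp_hi;
    uint16_t fop;
};

/* Hypothetical protected-mode layout; all fields kept 32-bit for simplicity. */
struct prot_env {
    uint32_t fip, fcs, fop, fdp, fds;
};

/* Widen before shifting. A uint16_t promotes to int, so `hi << 16` with bit 15
 * set overflows a signed int (the pattern UBSan reports). The same shift on a
 * uint32_t is well-defined for every value of hi. */
static uint32_t join16(uint16_t lo, uint16_t hi)
{
    return (uint32_t)lo | ((uint32_t)hi << 16);
}

/* Convert the real/vm86 layout to the protected-mode layout the way the quoted
 * snippet does: linear address -> fcs:fip with a 4-bit offset. */
struct prot_env real_to_prot(const struct real_env *r)
{
    uint32_t fip = join16(r->fip_lo, r->fip_hi);
    uint32_t fdp = join16(r->fdp_lo, r->fdp_hi);
    struct prot_env p;

    p.fip = fip & 0xf;
    p.fcs = fip >> 4;
    p.fop = r->fop;
    p.fdp = fdp & 0xf;
    p.fds = fdp >> 4;
    return p;
}

/* Sanity check: fcs:fip and fds:fdp must rebuild the original linear addresses. */
int conversion_roundtrips(const struct real_env *r)
{
    struct prot_env p = real_to_prot(r);

    return (p.fcs << 4) + p.fip == join16(r->fip_lo, r->fip_hi) &&
           (p.fds << 4) + p.fdp == join16(r->fdp_lo, r->fdp_hi);
}

int main(void)
{
    /* Constructed input with bit 15 of both high halves set: exactly the case
     * where the promoted-int shift would be undefined. */
    struct real_env r = { .fip_lo = 0x1234, .fip_hi = 0xffff,
                          .fdp_lo = 0xabcd, .fdp_hi = 0x8000, .fop = 0x1d9 };
    struct prot_env p = real_to_prot(&r);

    printf("fcs:fip = %#x:%#x  fds:fdp = %#x:%#x  fop = %#x\n",
           (unsigned)p.fcs, (unsigned)p.fip, (unsigned)p.fds, (unsigned)p.fdp,
           (unsigned)p.fop);
    return conversion_roundtrips(&r) ? 0 : 1;
}
```

Building with `-fsanitize=undefined` and feeding a high half of 0xffff is a quick way to confirm the difference: the widened form stays silent, while `(int)hi << 16` on the same input is flagged.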

