semantic: 0.920
graphic: 0.652
device: 0.589
vnc: 0.287
debug: 0.256
boot: 0.220
network: 0.203
socket: 0.198
performance: 0.165
PID: 0.130
permissions: 0.069
other: 0.064
KVM: 0.064
files: 0.051
semantic: 0.987
debug: 0.282
other: 0.033
files: 0.022
performance: 0.021
PID: 0.008
device: 0.008
KVM: 0.004
network: 0.004
socket: 0.003
permissions: 0.003
boot: 0.003
graphic: 0.002
vnc: 0.001

x86 BZHI semantic bug
Description of problem
The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different.

Steps to reproduce

Compile this code


void main() {
    asm("mov rax, 0xb1aa9da2fe33fe3");
    asm("mov rbx, 0x80000000ffffffff");
    asm("mov rcx, 0xf3fce8829b99a5c6");
    asm("bzhi rax, rbx, rcx");
}



Execute and compare the result with the CPU.

CPU

RAX = 0x0x80000000ffffffff
SF = 1


QEMU

RAX = 0xffffffff
SF = 0






Additional information
This bug is discovered by research conducted by KAIST SoftSec.