blob: 0ab6c7c4cb8ab9317a440e35048bd316946175ef (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
x86: 0.983
semantic: 0.920
system: 0.669
graphic: 0.652
device: 0.589
architecture: 0.518
register: 0.406
assembly: 0.406
arm: 0.318
ppc: 0.310
kernel: 0.308
vnc: 0.287
debug: 0.256
operating system: 0.234
boot: 0.220
risc-v: 0.211
network: 0.203
socket: 0.198
mistranslation: 0.171
performance: 0.165
PID: 0.130
peripherals: 0.094
i386: 0.091
alpha: 0.089
permissions: 0.069
KVM: 0.064
VMM: 0.056
TCG: 0.053
files: 0.051
virtual: 0.048
hypervisor: 0.031
user-level: 0.025
x86 BZHI semantic bug
Description of problem
The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different.
Steps to reproduce
Compile this code
void main() {
asm("mov rax, 0xb1aa9da2fe33fe3");
asm("mov rbx, 0x80000000ffffffff");
asm("mov rcx, 0xf3fce8829b99a5c6");
asm("bzhi rax, rbx, rcx");
}
Execute and compare the result with the CPU.
CPU
RAX = 0x0x80000000ffffffff
SF = 1
QEMU
RAX = 0xffffffff
SF = 0
Additional information
This bug is discovered by research conducted by KAIST SoftSec.
|