x86 BZHI semantic bug
Description of problem
QEMU's result for the BZHI instruction differs from the real CPU's: both the value of the destination register and the SF bit of EFLAGS differ.
Steps to reproduce
Compile this code (the inline asm is in Intel syntax, so with GCC or Clang build with -masm=intel, and run it on a CPU that supports BMI2):
int main(void) {
    asm("mov rax, 0xb1aa9da2fe33fe3");   /* initial RAX; overwritten by BZHI */
    asm("mov rbx, 0x80000000ffffffff");  /* src1: the value to be masked */
    asm("mov rcx, 0xf3fce8829b99a5c6");  /* src2: only the low byte (0xc6 = 198) is the bit index */
    asm("bzhi rax, rbx, rcx");           /* index 198 >= 64, so RAX must equal RBX and CF = 1 */
    return 0;
}
Execute and compare the result with the CPU.
CPU
RAX = 0x80000000ffffffff
SF = 1
QEMU
RAX = 0xffffffff
SF = 0
Additional information
This bug was discovered by research conducted by KAIST SoftSec.