Diffstat (limited to 'classification_output/01/semantic')
-rw-r--r--classification_output/01/semantic/05479587 (renamed from classification_output/01/semantic/3847403)0
-rw-r--r--classification_output/01/semantic/12360755 (renamed from classification_output/01/semantic/8511484)0
-rw-r--r--classification_output/01/semantic/28596630 (renamed from classification_output/01/semantic/7837801)0
-rw-r--r--classification_output/01/semantic/30680944 (renamed from classification_output/01/semantic/0504199)0
-rw-r--r--classification_output/01/semantic/46572227 (renamed from classification_output/01/semantic/3242247)0
-rw-r--r--classification_output/01/semantic/53568181 (renamed from classification_output/01/semantic/1452608)0
-rw-r--r--classification_output/01/semantic/80570214 (renamed from classification_output/01/semantic/0891566)0
-rw-r--r--classification_output/01/semantic/96782458 (renamed from classification_output/01/semantic/2047990)0
-rw-r--r--classification_output/01/semantic/gitlab_semantic_addsubps28
-rw-r--r--classification_output/01/semantic/gitlab_semantic_adox41
-rw-r--r--classification_output/01/semantic/gitlab_semantic_bextr30
-rw-r--r--classification_output/01/semantic/gitlab_semantic_blsi25
-rw-r--r--classification_output/01/semantic/gitlab_semantic_blsmsk32
-rw-r--r--classification_output/01/semantic/gitlab_semantic_bzhi43
14 files changed, 199 insertions, 0 deletions
diff --git a/classification_output/01/semantic/3847403 b/classification_output/01/semantic/05479587
index be4dcd774..be4dcd774 100644
--- a/classification_output/01/semantic/3847403
+++ b/classification_output/01/semantic/05479587
diff --git a/classification_output/01/semantic/8511484 b/classification_output/01/semantic/12360755
index 1340f1aa7..1340f1aa7 100644
--- a/classification_output/01/semantic/8511484
+++ b/classification_output/01/semantic/12360755
diff --git a/classification_output/01/semantic/7837801 b/classification_output/01/semantic/28596630
index 8816300a8..8816300a8 100644
--- a/classification_output/01/semantic/7837801
+++ b/classification_output/01/semantic/28596630
diff --git a/classification_output/01/semantic/0504199 b/classification_output/01/semantic/30680944
index 1d5b4d118..1d5b4d118 100644
--- a/classification_output/01/semantic/0504199
+++ b/classification_output/01/semantic/30680944
diff --git a/classification_output/01/semantic/3242247 b/classification_output/01/semantic/46572227
index d8352e564..d8352e564 100644
--- a/classification_output/01/semantic/3242247
+++ b/classification_output/01/semantic/46572227
diff --git a/classification_output/01/semantic/1452608 b/classification_output/01/semantic/53568181
index 6750978a6..6750978a6 100644
--- a/classification_output/01/semantic/1452608
+++ b/classification_output/01/semantic/53568181
diff --git a/classification_output/01/semantic/0891566 b/classification_output/01/semantic/80570214
index f2e9cca08..f2e9cca08 100644
--- a/classification_output/01/semantic/0891566
+++ b/classification_output/01/semantic/80570214
diff --git a/classification_output/01/semantic/2047990 b/classification_output/01/semantic/96782458
index d0391c1e7..d0391c1e7 100644
--- a/classification_output/01/semantic/2047990
+++ b/classification_output/01/semantic/96782458
diff --git a/classification_output/01/semantic/gitlab_semantic_addsubps b/classification_output/01/semantic/gitlab_semantic_addsubps
new file mode 100644
index 000000000..cbd5eeb7c
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_addsubps
@@ -0,0 +1,28 @@
+semantic: 0.974
+instruction: 0.931
+other: 0.732
+mistranslation: 0.299
+
+x86 SSE/SSE2/SSE3 instruction semantic bugs with NaN
+
+Description of problem
+The result of SSE/SSE2/SSE3 instructions with NaN is different from the CPU. From Intel manual Volume 1 Appendix D.4.2.2, they defined the behavior of such instructions with NaN. But I think QEMU did not implement this semantic exactly because the byte result is different.
+
+Steps to reproduce
+
+Compile this code
+
+void main() {
+    asm("mov rax, 0x000000007fffffff; push rax; mov rax, 0x00000000ffffffff; push rax; movdqu XMM1, [rsp];");
+    asm("mov rax, 0x2e711de7aa46af1a; push rax; mov rax, 0x7fffffff7fffffff; push rax; movdqu XMM2, [rsp];");
+    asm("addsubps xmm1, xmm2");
+}
+
+Execute and compare the result with the CPU. This problem happens with other SSE/SSE2/SSE3 instructions specified in the manual, Volume 1 Appendix D.4.2.2.
+
+CPU xmm1[3] = 0xffffffff
+
+QEMU xmm1[3] = 0x7fffffff
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/classification_output/01/semantic/gitlab_semantic_adox b/classification_output/01/semantic/gitlab_semantic_adox
new file mode 100644
index 000000000..c30dc4107
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_adox
@@ -0,0 +1,41 @@
+semantic: 0.990
+instruction: 0.944
+mistranslation: 0.452
+other: 0.286
+
+x86 ADOX and ADCX semantic bug
+Description of problem
+The result of instruction ADOX and ADCX are different from the CPU. The value of one of EFLAGS is different.
+
+Steps to reproduce
+
+Compile this code
+
+
+void main() {
+    asm("push 512; popfq;");
+    asm("mov rax, 0xffffffff84fdbf24");
+    asm("mov rbx, 0xb197d26043bec15d");
+    asm("adox eax, ebx");
+}
+
+
+
+Execute and compare the result with the CPU. This problem happens with ADCX, too (with CF).
+
+CPU
+
+OF = 0
+
+
+QEMU
+
+OF = 1
+
+
+
+
+
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/classification_output/01/semantic/gitlab_semantic_bextr b/classification_output/01/semantic/gitlab_semantic_bextr
new file mode 100644
index 000000000..436e0ec95
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_bextr
@@ -0,0 +1,30 @@
+semantic: 0.993
+instruction: 0.944
+mistranslation: 0.337
+other: 0.099
+
+x86 BEXTR semantic bug
+Description of problem
+The result of instruction BEXTR is different with from the CPU. The value of destination register is different. I think QEMU does not consider the operand size limit.
+
+Steps to reproduce
+
+Compile this code
+
+void main() {
+    asm("mov rax, 0x17b3693f77fb6e9");
+    asm("mov rbx, 0x8f635a775ad3b9b4");
+    asm("mov rcx, 0xb717b75da9983018");
+    asm("bextr eax, ebx, ecx");
+}
+
+Execute and compare the result with the CPU.
+
+CPU
+RAX = 0x5a
+
+QEMU
+RAX = 0x635a775a
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/classification_output/01/semantic/gitlab_semantic_blsi b/classification_output/01/semantic/gitlab_semantic_blsi
new file mode 100644
index 000000000..84c589fb4
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_blsi
@@ -0,0 +1,25 @@
+semantic: 0.983
+instruction: 0.964
+other: 0.609
+mistranslation: 0.606
+
+x86 BLSI and BLSR semantic bug
+Description of problem
+The result of instruction BLSI and BLSR is different from the CPU. The value of CF is different.
+
+Steps to reproduce
+
+Compile this code
+
+
+void main() {
+    asm("blsi rax, rbx");
+}
+
+
+
+Execute and compare the result with the CPU. The value of CF is exactly the opposite. This problem happens with BLSR, too.
+
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/classification_output/01/semantic/gitlab_semantic_blsmsk b/classification_output/01/semantic/gitlab_semantic_blsmsk
new file mode 100644
index 000000000..7f9621893
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_blsmsk
@@ -0,0 +1,32 @@
+semantic: 0.987
+instruction: 0.962
+mistranslation: 0.603
+other: 0.269
+
+x86 BLSMSK semantic bug
+Description of problem
+The result of instruction BLSMSK is different with from the CPU. The value of CF is different.
+
+Steps to reproduce
+
+Compile this code
+
+void main() {
+    asm("mov rax, 0x65b2e276ad27c67");
+    asm("mov rbx, 0x62f34955226b2b5d");
+    asm("blsmsk eax, ebx");
+}
+
+Execute and compare the result with the CPU.
+
+CPU
+
+CF = 0
+
+
+QEMU
+
+CF = 1
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.
diff --git a/classification_output/01/semantic/gitlab_semantic_bzhi b/classification_output/01/semantic/gitlab_semantic_bzhi
new file mode 100644
index 000000000..09ab02dcc
--- /dev/null
+++ b/classification_output/01/semantic/gitlab_semantic_bzhi
@@ -0,0 +1,43 @@
+semantic: 0.920
+instruction: 0.623
+mistranslation: 0.171
+other: 0.064
+
+x86 BZHI semantic bug
+Description of problem
+The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different.
+
+Steps to reproduce
+
+Compile this code
+
+
+void main() {
+    asm("mov rax, 0xb1aa9da2fe33fe3");
+    asm("mov rbx, 0x80000000ffffffff");
+    asm("mov rcx, 0xf3fce8829b99a5c6");
+    asm("bzhi rax, rbx, rcx");
+}
+
+
+
+Execute and compare the result with the CPU.
+
+CPU
+
+RAX = 0x0x80000000ffffffff
+SF = 1
+
+
+QEMU
+
+RAX = 0xffffffff
+SF = 0
+
+
+
+
+
+
+Additional information
+This bug is discovered by research conducted by KAIST SoftSec.