semantic: 0.534
device: 0.090
graphic: 0.089
debug: 0.048
other: 0.042
vnc: 0.033
permissions: 0.026
performance: 0.026
boot: 0.023
PID: 0.021
socket: 0.020
network: 0.020
files: 0.020
KVM: 0.009
semantic: 0.852
debug: 0.057
other: 0.017
files: 0.014
performance: 0.013
PID: 0.008
device: 0.008
network: 0.005
KVM: 0.005
socket: 0.005
permissions: 0.005
boot: 0.004
graphic: 0.004
vnc: 0.003

x86 BZHI semantic bug
Description of problem
The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different.

Steps to reproduce

Compile this code


void main() {
    asm("mov rax, 0xb1aa9da2fe33fe3");
    asm("mov rbx, 0x80000000ffffffff");
    asm("mov rcx, 0xf3fce8829b99a5c6");
    asm("bzhi rax, rbx, rcx");
}



Execute and compare the result with the CPU.

CPU

RAX = 0x0x80000000ffffffff
SF = 1


QEMU

RAX = 0xffffffff
SF = 0






Additional information
This bug is discovered by research conducted by KAIST SoftSec.