From nobody Sat Nov 23 22:23:18 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=quarantine dis=none) header.from=suse.com ARC-Seal: i=1; a=rsa-sha256; t=1723553024; cv=none; d=zohomail.com; s=zohoarc; b=OCXTf6t1LMRFO4F4D26JO0AvZx41BTXqKCgde6IcxyIVZV5+sesYM1gUqKDMmsUmBtK+XgQHDtBv4j7VbE83POv7A+e99cdbAAO5wtQRDBW9tSLLFXcREoh59KJC/lZ0S9OsVKByj/UOtvNTTdZt/jG5BZwNYqbyK8Q4wZG1tXM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1723553024; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=bBFlkNqdIcaDTKI7Hj0DnxlgQqUGJhNIkJ18JFeV0Bo=; b=m3AHqqVyiI0NWlZqtBySjynZkPyCV5LR+2dAjCJXvDkQmH7UBbsw8iWGN5RlHF6bHC725DrYSalHVqFw1mXSusPs7+ksZ+ewJEJ3X6z/R8S/40phSGRlqA3feViSAr9FfwlPHAv916Ij+TOAnhkTW12jCaTQ0psC2BlThxFUZnc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1723553024575918.7021993104441; Tue, 13 Aug 2024 05:43:44 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.776215.1186352 (Exim 4.92) (envelope-from ) id 1sdqs6-0001O7-IR; Tue, 13 Aug 2024 12:43:30 +0000 Received: by outflank-mailman (output) from mailman id 776215.1186352; Tue, 13 Aug 2024 12:43:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1sdqs6-0001O0-EZ; Tue, 13 Aug 2024 12:43:30 +0000 Received: by outflank-mailman (input) for mailman id 776215; Tue, 13 Aug 2024 12:43:29 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1sdqs4-0001Nu-W7 for xen-devel@lists.xenproject.org; Tue, 13 Aug 2024 12:43:28 +0000 Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [2a00:1450:4864:20::22a]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id a34cfe82-5971-11ef-a505-bb4a2ccca743; Tue, 13 Aug 2024 14:43:27 +0200 (CEST) Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2f16d2f2b68so76132911fa.3 for ; Tue, 13 Aug 2024 05:43:27 -0700 (PDT) Received: from [10.156.60.236] (ip-037-024-206-209.um08.pools.vodafone-ip.de. [37.24.206.209]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a80f4184ebesm66520666b.207.2024.08.13.05.43.26 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 13 Aug 2024 05:43:26 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: a34cfe82-5971-11ef-a505-bb4a2ccca743 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1723553007; x=1724157807; darn=lists.xenproject.org; h=content-transfer-encoding:autocrypt:subject:from:cc:to :content-language:user-agent:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=bBFlkNqdIcaDTKI7Hj0DnxlgQqUGJhNIkJ18JFeV0Bo=; b=JRr+lGeXSuU95pTC5Mr+orj4Ry4bzEiZCzqWZIBJtwdzmj+GKIEqt31V74vg8+4Oa7 2n0J09+iGyJcaT26lUYyqVI6AEt7avS1+/ZftC9kwsDfJWf92PaFynmJQRI18PRjj/p7 X4yTpom+UFOgsH1kuhysm3m7h/3E4pkEh84qPVqZsnPtcRc/43q3R0bK0QqrkldMgyKD l0CCacaqUCSfJftwTe/iOvDt+yJ42TLRzIHiZBDUe2v5hM2Ya8qAgVJXQ0fQpOR7//P4 WHOtPEK+r3E45jsOzM6lVjNu0mFFFBQna08e1SPvcgjQSm76LxBSoec9Vf1S/Tk2S8IE pc8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723553007; x=1724157807; h=content-transfer-encoding:autocrypt:subject:from:cc:to :content-language:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=bBFlkNqdIcaDTKI7Hj0DnxlgQqUGJhNIkJ18JFeV0Bo=; b=sGPAqJYOrTHW5tyrtnqErBBuXefa9QqBSEhwejgrdqvnAQwzcJACyOPw87RCa7YIoq vBt6JnlxT1yPP8/F2fIRX33ac1iCrrnEP5Oa9xe/LKYKBp/c8wTNlsPP6I8wYsKd9uO5 A98NjaMau67ItGQZGxOd/4IyIJWdAlxX5L1O2Efj7y5ZJHSVUObrLBOJK+ommgzn0Pig 5uHxE+xjSbY8SSB2N/bvDu7/nHtZ5Q15ZmLbIM2fpSl4MS94jtYG/Lj7ld3MDaTRshKs hsnSIBuhZO8dwUihX5IK/jGW+7+TNe62M0i0FrH3e0xdh/DdoZANXAtLcRATxVkiKu+F x4Mw== X-Gm-Message-State: AOJu0YycxOijHi6yzCbWnNFqZMVybfr2YEkkLOIKpNsILnBS/CcNZ9WK CwVlCNATBYMcopa5mzkB5qjMtuQEXQuo/DOzKmEQm9ZlxAkb8c+uHq5unTg2ddoXJ032tOFWUHE = X-Google-Smtp-Source: AGHT+IHUh4Rh34TvvE4e+LI0ah55p+cV38rlYwp+hW8d31tGgvp+ztqWu1J0aKV+O9rGWgmxXrSFBA== X-Received: by 2002:a2e:9e57:0:b0:2f0:1f15:5a16 with SMTP id 38308e7fff4ca-2f2b714f489mr27958471fa.13.1723553007037; Tue, 13 Aug 2024 05:43:27 -0700 (PDT) Message-ID: <7c4cb0ee-cddf-434a-95d9-58cec0efd976@suse.com> Date: Tue, 13 Aug 2024 14:43:25 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: "xen-devel@lists.xenproject.org" Cc: Andrew Cooper , =?UTF-8?Q?Roger_Pau_Monn=C3=A9?= From: Jan Beulich Subject: [PATCH] x86emul: fix UB multiplications in S/G handling Autocrypt: addr=jbeulich@suse.com; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @suse.com) X-ZM-MESSAGEID: 1723553025931116600 Content-Type: text/plain; charset="utf-8" The conversion of the shifts to multiplications by the commits tagged below still wasn't quite right: The multiplications (of signed values) can overflow, too. As of 298556c7b5f8 ("x86emul: correct 32-bit address handling for AVX2 gathers") signed multiplication wasn't necessary anymore, though: The necessary sign-extension (if any) will happen as well when using intermediate variables of unsigned long types, and excess address bits are chopped off by truncate_ea(). Fixes: b6a907f8c83d ("x86emul: replace UB shifts") Fixes: 21de9680eb59 ("x86emul: replace further UB shifts") Oss-fuzz: 71138 Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -6369,11 +6369,11 @@ x86_emulate( { if ( (vex.w ? mask.qw[i] : mask.dw[i]) < 0 ) { - signed long idx =3D b & 1 ? index.qw[i] : index.dw[i]; + unsigned long idx =3D b & 1 ? index.qw[i] : index.dw[i]; =20 rc =3D ops->read(ea.mem.seg, truncate_ea(ea.mem.off + - idx * (1 << state->sib_scale)), + (idx << state->sib_scale)), (void *)mmvalp + i * op_bytes, op_bytes, ct= xt); if ( rc !=3D X86EMUL_OKAY ) { @@ -6489,14 +6489,14 @@ x86_emulate( =20 for ( i =3D 0; op_mask; ++i ) { - long idx =3D b & 1 ? index.qw[i] : index.dw[i]; + unsigned long idx =3D b & 1 ? index.qw[i] : index.dw[i]; =20 if ( !(op_mask & (1 << i)) ) continue; =20 rc =3D ops->read(ea.mem.seg, truncate_ea(ea.mem.off + - idx * (1 << state->sib_scale)), + (idx << state->sib_scale)), (void *)mmvalp + i * op_bytes, op_bytes, ctxt); if ( rc !=3D X86EMUL_OKAY ) { @@ -6643,9 +6643,9 @@ x86_emulate( =20 for ( i =3D 0; op_mask; ++i ) { - long idx =3D (b & 1 ? index.qw[i] - : index.dw[i]) * (1 << state->sib_scale); - unsigned long offs =3D truncate_ea(ea.mem.off + idx); + unsigned long idx =3D b & 1 ? index.qw[i] : index.dw[i]; + unsigned long offs =3D truncate_ea(ea.mem.off + + (idx << state->sib_scale)); unsigned int j, slot; =20 if ( !(op_mask & (1 << i)) ) @@ -6663,11 +6663,10 @@ x86_emulate( */ for ( j =3D (slot =3D i) + 1; j < n; ++j ) { - long idx2 =3D (b & 1 ? index.qw[j] - : index.dw[j]) * (1 << state->sib_scale= ); - + idx =3D b & 1 ? index.qw[j] : index.dw[j]; if ( (op_mask & (1 << j)) && - truncate_ea(ea.mem.off + idx2) =3D=3D offs ) + truncate_ea(ea.mem.off + + (idx << state->sib_scale)) =3D=3D offs ) slot =3D j; }