For widening and narrowing moves, operand (vector) size is calculated
from a table. This calculation, for the AVX512 cases, lives ahead of
validation of EVEX.L'L (which cannot be 3 without raising #UD). Account
for the later checking by adjusting the constants in the expression such
that even EVEX.L'L == 3 will yield a non-UB shift (read: shift count
reliably >= 0).
Fixes: 3988beb08 ("x86emul: support AVX512{F,BW} zero- and sign-extending moves")
Oss-fuzz: 70914
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -5788,7 +5788,7 @@ x86_emulate(
d = DstMem | SrcReg | TwoOp;
}
generate_exception_if(evex.brs, X86_EXC_UD);
- op_bytes = 32 >> (pmov_convert_delta[b & 7] + 1 - evex.lr);
+ op_bytes = 64 >> (pmov_convert_delta[b & 7] + 2 - evex.lr);
elem_bytes = (b & 7) < 3 ? 1 : (b & 7) != 5 ? 2 : 4;
goto avx512f_no_sae;On Mon, 5 Aug 2024, Jan Beulich wrote:
> For widening and narrowing moves, operand (vector) size is calculated
> from a table. This calculation, for the AVX512 cases, lives ahead of
> validation of EVEX.L'L (which cannot be 3 without raising #UD). Account
> for the later checking by adjusting the constants in the expression such
> that even EVEX.L'L == 3 will yield a non-UB shift (read: shift count
> reliably >= 0).
>
> Fixes: 3988beb08 ("x86emul: support AVX512{F,BW} zero- and sign-extending moves")
> Oss-fuzz: 70914
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
> --- a/xen/arch/x86/x86_emulate/x86_emulate.c
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c
> @@ -5788,7 +5788,7 @@ x86_emulate(
> d = DstMem | SrcReg | TwoOp;
> }
> generate_exception_if(evex.brs, X86_EXC_UD);
> - op_bytes = 32 >> (pmov_convert_delta[b & 7] + 1 - evex.lr);
> + op_bytes = 64 >> (pmov_convert_delta[b & 7] + 2 - evex.lr);
> elem_bytes = (b & 7) < 3 ? 1 : (b & 7) != 5 ? 2 : 4;
> goto avx512f_no_sae;
>
>
© 2016 - 2026 Red Hat, Inc.