On 14.08.2024 14:49, Andrew Cooper wrote:
> On 12/08/2024 3:05 pm, Jan Beulich wrote:
>> On 12.08.2024 15:04, Andrew Cooper wrote:
>>> Also, looking at the emulator logic, we're missing the DPL vs
>>> CPL/RPL/Conforming checks.
>> There's surely nothing "conforming" for a nul selector. Hence perhaps you
>> refer to something entirely unrelated?
>
> Sorry, yes. I think this is a general bug in how we emulate VERW/VERR,
> unrelated to this specific OSS-fuzz report.
In protmode_load_seg() we have

    case x86_seg_none:
        /* Non-conforming segment: check DPL against RPL and CPL. */
        if ( ((desc.b & (0x1c << 8)) != (0x1c << 8)) &&
             ((dpl < cpl) || (dpl < rpl)) )
            return X86EMUL_EXCEPTION;
        a_flag = 0;
        break;

Is there anything else you think is needed?
Jan
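The DPL vs CPL/RPL rule under discussion, written out as a standalone model of the architectural VERR/VERW check (the SDM/APM operation: null or out-of-range selector, system segment, or a non-conforming segment whose DPL is below CPL or RPL clears ZF; otherwise ZF reflects readability for VERR and writability for VERW). This is an added example, not code from the thread or from Xen's emulator; the `DESC_*` bit macros, `verx_zf()`, `SEL()` and the `sample_gdt` table are constructed here. It uses the same high-dword layout as the `desc.b` test above, ignores the TI bit (the caller passes whichever table the selector designates), and does not consult the P bit, which the VERR/VERW operation description does not check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: bits of the descriptor's high dword. */
#define DESC_DPL(b)   (((b) >> 13) & 3u)
#define DESC_S        (1u << 12)   /* 1 = code/data segment, 0 = system */
#define DESC_CODE     (1u << 11)   /* type bit 3: code (else data) */
#define DESC_CONF     (1u << 10)   /* code: conforming; data: expand-down */
#define DESC_RW       (1u <<  9)   /* code: readable; data: writable */

struct descriptor { uint32_t a, b; };

enum verx_op { VERR, VERW };

/*
 * ZF that VERR/VERW would leave for selector `sel`, looked up in a table
 * of `n` descriptors while executing at privilege level `cpl`.
 * Hypothetical helper modelling the architectural check, not Xen code.
 */
static bool verx_zf(enum verx_op op, uint16_t sel,
                    const struct descriptor *table, unsigned int n,
                    unsigned int cpl)
{
    unsigned int idx = sel >> 3, rpl = sel & 3;
    const struct descriptor *d;
    unsigned int dpl;
    bool conforming;

    if ( !(sel & ~3u) )           /* nul selector: nothing to verify */
        return false;
    if ( idx >= n )               /* index beyond the table limit */
        return false;

    d = &table[idx];
    if ( !(d->b & DESC_S) )       /* system segments never pass */
        return false;

    dpl = DESC_DPL(d->b);
    conforming = (d->b & (DESC_CODE | DESC_CONF)) == (DESC_CODE | DESC_CONF);

    /* Non-conforming code and every data segment: DPL >= CPL and DPL >= RPL. */
    if ( !conforming && (dpl < cpl || dpl < rpl) )
        return false;

    if ( op == VERR )             /* data is always readable; code needs R */
        return !(d->b & DESC_CODE) || (d->b & DESC_RW);
    /* VERW: only a writable data segment qualifies */
    return !(d->b & DESC_CODE) && (d->b & DESC_RW);
}

/* Constructed sample table; only the high dwords matter here. */
#define SAMPLE_GDT_ENTRIES 6
static const struct descriptor sample_gdt[SAMPLE_GDT_ENTRIES] = {
    [0] = { 0, 0 },                                         /* null */
    [1] = { 0, DESC_S | DESC_RW | (3u << 13) },             /* data RW, DPL 3 */
    [2] = { 0, DESC_S | DESC_CODE | DESC_RW },              /* code R, DPL 0, non-conforming */
    [3] = { 0, DESC_S | DESC_CODE | DESC_CONF | DESC_RW },  /* code R, DPL 0, conforming */
    [4] = { 0, 0x9u << 8 },                                 /* system: 32-bit TSS */
    [5] = { 0, DESC_S | (3u << 13) },                       /* data RO, DPL 3 */
};

#define SEL(idx, rpl) ((uint16_t)(((idx) << 3) | (rpl)))

int main(void)
{
    /* Non-conforming ring-0 code verified from ring 3: DPL < CPL, so ZF=0. */
    printf("VERR sel %#x at CPL3: ZF=%d\n", SEL(2, 0),
           verx_zf(VERR, SEL(2, 0), sample_gdt, SAMPLE_GDT_ENTRIES, 3));
    /* Conforming code skips the privilege comparison: ZF=1. */
    printf("VERR sel %#x at CPL3: ZF=%d\n", SEL(3, 3),
           verx_zf(VERR, SEL(3, 3), sample_gdt, SAMPLE_GDT_ENTRIES, 3));
    /* Readable code is never writable: ZF=0. */
    printf("VERW sel %#x at CPL0: ZF=%d\n", SEL(2, 0),
           verx_zf(VERW, SEL(2, 0), sample_gdt, SAMPLE_GDT_ENTRIES, 0));
    return 0;
}
```

The `conforming` test is the same shape as the `0x1c << 8` mask in the snippet above (S, code and conforming bits all set); note that the RPL comparison uses the RPL of the selector operand, not the current CS RPL, which is the part an emulator has to take from the instruction's source operand rather than from guest state.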