
Re: [Qemu-devel] Bug in emulation of 'bound' x86 instruction?

From: Fabrice Bellard
Subject: Re: [Qemu-devel] Bug in emulation of 'bound' x86 instruction?
Date: Sun, 15 Aug 2004 16:51:49 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624


I just fixed the bug you mentioned regarding the 'bound' instruction. Any code using the bound instruction was likely to fail, so this fix may allow new OSes or programs to run...

Thank you for the bug report!


Frode Vatvedt Fjeld wrote:
I'm suspecting that there's a bug in Qemu's emulation of the x86
'bound' instruction. The effect of this bug seems to be to add 1 to
the ESP register, which of course havocs everything.

I'm not confident I understand the information in /tmp/qemu.log, but
as I said I suspect that the following in_asm is the culprit:

  0x0015d716:  bound  %esp,%fs:0xffffffe7(%edi)

This instruction, in 32-bit protected mode, is intended to verify that
ESP is within some bounds. These bounds are located at the physical
address 0x100054, which is the result of the instruction's address
because EDI=0x6d and the FS selector points to a segment that starts
at 0x100000.

I have verified that the exact same thing happens when the FS-override
instruction prefix is removed from the bounds instruction above, so
that the DS segment, which happens to be identical to the FS segment,
is used.

The following is a piece of /tmp/qemu.log that I hope provides the
relevant context. As you can see, the value of ESP appears to change
to an odd value for no good reason.
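A reference model of what the emulation has to preserve, added here as an example and not QEMU's own code: it computes the operand address from the values in the report (FS base 0x100000, EDI 0x6d, displacement 0xffffffe7, giving 0x100054) and performs the 32-bit bound check without writing ESP. The register struct, the flat guest memory image and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86_BR_VECTOR 5  /* #BR, bound range exceeded */

/* Minimal guest state for this example (constructed, not QEMU's CPUState). */
struct x86_regs { uint32_t esp, edi, fs_base; };

/* Small flat guest memory image, constructed for the example. */
static uint8_t guest_mem[0x100100];

static uint32_t ld32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &guest_mem[addr], sizeof v);  /* host assumed little-endian */
    return v;
}

/* Effective address of the memory operand: segment base + EDI + displacement.
 * The 32-bit wrap-around performs the sign extension of disp (0xffffffe7 == -0x19). */
static uint32_t bound_ea(const struct x86_regs *r, uint32_t disp) {
    return r->fs_base + r->edi + disp;
}

/* Reference semantics of `bound %esp, disp(%edi)` with an FS override:
 * compare the signed index with the signed pair [lower, upper] stored at the
 * memory operand, raise #BR if it falls outside, otherwise do nothing.
 * Returns -1 when the check passes, or the exception vector.  ESP is never written. */
static int exec_bound_esp(struct x86_regs *r, uint32_t disp) {
    uint32_t ea = bound_ea(r, disp);
    int32_t lower = (int32_t)ld32(ea);
    int32_t upper = (int32_t)ld32(ea + 4);
    int32_t idx = (int32_t)r->esp;
    return (idx < lower || idx > upper) ? X86_BR_VECTOR : -1;
}

/* Stores a bounds pair (lower, upper) in guest memory at ea. */
static void store_bounds(uint32_t ea, int32_t lower, int32_t upper) {
    memcpy(&guest_mem[ea], &lower, 4);
    memcpy(&guest_mem[ea + 4], &upper, 4);
}

int main(void) {
    struct x86_regs r = { .esp = 0x8000, .edi = 0x6d, .fs_base = 0x100000 };
    store_bounds(bound_ea(&r, 0xffffffe7), 0x1000, 0xffff);
    printf("ea=0x%x result=%d esp=0x%x\n",
           bound_ea(&r, 0xffffffe7), exec_bound_esp(&r, 0xffffffe7), r.esp);
    return 0;
}
```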
