RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 12:38:12 +00:00
Code Issues Activity Actions

UserspaceEmulator: Fix incorrect shadowing on mov sign extend

Browse source 
Unlike zero-extend moves, the upper bytes are not just zeroed,
but rather are based on the sign bit of the source, which means
if the source is tainted, so should the upper bytes be.
This commit is contained in:
Gal Horowitz 2021-01-08 13:03:24 +02:00 committed by Andreas Kling
parent edc18ab4e6
commit 2fd2396d63
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
DevTools/UserspaceEmulator/SoftCPU.cpp
View file

@ -2449,19 +2449,19 @@ void SoftCPU::MOVSW(const X86::Instruction& insn)
void SoftCPU::MOVSX_reg16_RM8(const X86::Instruction& insn)
{
auto src = insn.modrm().read8(*this, insn);
gpr16(insn.reg16()) = ValueWithShadow<u16>(sign_extended_to<u16>(src.value()), 0x0100 | (src.shadow()));
gpr16(insn.reg16()) = shadow_wrap_with_taint_from<u16>(sign_extended_to<u16>(src.value()), src.shadow());
}
void SoftCPU::MOVSX_reg32_RM16(const X86::Instruction& insn)
{
auto src = insn.modrm().read16(*this, insn);
gpr32(insn.reg32()) = ValueWithShadow<u32>(sign_extended_to<u32>(src.value()), 0x01010000 | (src.shadow()));
gpr32(insn.reg32()) = shadow_wrap_with_taint_from<u32>(sign_extended_to<u32>(src.value()), src.shadow());
}
void SoftCPU::MOVSX_reg32_RM8(const X86::Instruction& insn)
{
auto src = insn.modrm().read8(*this, insn);
gpr32(insn.reg32()) = ValueWithShadow<u32>(sign_extended_to<u32>(src.value()), 0x01010100 | (src.shadow()));
gpr32(insn.reg32()) = shadow_wrap_with_taint_from<u32>(sign_extended_to<u32>(src.value()), src.shadow());
}
void SoftCPU::MOVZX_reg16_RM8(const X86::Instruction& insn)