mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-09-22 10:59:51 +03:00
UserspaceEmulator: Fix incorrect shadowing on mov sign extend
Unlike zero-extend moves, the upper bytes are not just zeroed, but rather are based on the sign bit of the source, which means if the source is tainted, so should the upper bytes be.
This commit is contained in:
Gal Horowitz
Andreas Kling
parent
edc18ab4e6
commit
2fd2396d63
Notes:
sideshowbarker
2024-07-19 00:03:13 +09:00
Author: https://github.com/GalHorowitz Commit: https://github.com/SerenityOS/serenity/commit/2fd2396d638 Pull-request: https://github.com/SerenityOS/serenity/pull/4851
@ -2449,19 +2449,19 @@ void SoftCPU::MOVSW(const X86::Instruction& insn)
|
||||
void SoftCPU::MOVSX_reg16_RM8(const X86::Instruction& insn)
|
||||
{
|
||||
auto src = insn.modrm().read8(*this, insn);
|
||||
gpr16(insn.reg16()) = ValueWithShadow<u16>(sign_extended_to<u16>(src.value()), 0x0100 | (src.shadow()));
|
||||
gpr16(insn.reg16()) = shadow_wrap_with_taint_from<u16>(sign_extended_to<u16>(src.value()), src.shadow());
|
||||
}
|
||||
|
||||
void SoftCPU::MOVSX_reg32_RM16(const X86::Instruction& insn)
|
||||
{
|
||||
auto src = insn.modrm().read16(*this, insn);
|
||||
gpr32(insn.reg32()) = ValueWithShadow<u32>(sign_extended_to<u32>(src.value()), 0x01010000 | (src.shadow()));
|
||||
gpr32(insn.reg32()) = shadow_wrap_with_taint_from<u32>(sign_extended_to<u32>(src.value()), src.shadow());
|
||||
}
|
||||
|
||||
void SoftCPU::MOVSX_reg32_RM8(const X86::Instruction& insn)
|
||||
{
|
||||
auto src = insn.modrm().read8(*this, insn);
|
||||
gpr32(insn.reg32()) = ValueWithShadow<u32>(sign_extended_to<u32>(src.value()), 0x01010100 | (src.shadow()));
|
||||
gpr32(insn.reg32()) = shadow_wrap_with_taint_from<u32>(sign_extended_to<u32>(src.value()), src.shadow());
|
||||
}
|
||||
|
||||
void SoftCPU::MOVZX_reg16_RM8(const X86::Instruction& insn)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user