x86 BZHI semantic bug
Host environment
- Operating system: Windows 10 20H2
- OS/kernel version: WSL2 Ubuntu 20.04.4 LTS (GNU/Linux 5.10.102.1-microsoft-standard-WSL2 x86_64)
- Architecture: x86
- QEMU flavor: qemu-x86_64
- QEMU version: 7.1.90 (v7.2.0-rc0)
- QEMU command line:
qemu-x86_64 -cpu max a.out
Emulated/Virtualized environment
- Operating system: None
- OS/kernel version: None
- Architecture: x86
Description of problem
The result of instruction BZHI is different from the CPU. The value of destination register and SF of EFLAGS are different.
Steps to reproduce
- Compile this code
void main() {
asm("mov rax, 0xb1aa9da2fe33fe3");
asm("mov rbx, 0x80000000ffffffff");
asm("mov rcx, 0xf3fce8829b99a5c6");
asm("bzhi rax, rbx, rcx");
}
- Execute and compare the result with the CPU.
- CPU
- RAX = 0x0x80000000ffffffff
- SF = 1
- QEMU
- RAX = 0xffffffff
- SF = 0
- CPU
Additional information
This bug is discovered by research conducted by KAIST SoftSec.