
x86 BZHI semantic bug

Host environment

  • Operating system: Windows 10 20H2
  • OS/kernel version: WSL2 Ubuntu 20.04.4 LTS (GNU/Linux 5.10.102.1-microsoft-standard-WSL2 x86_64)
  • Architecture: x86
  • QEMU flavor: qemu-x86_64
  • QEMU version: 7.1.90 (v7.2.0-rc0)
  • QEMU command line: qemu-x86_64 -cpu max a.out

Emulated/Virtualized environment

  • Operating system: None
  • OS/kernel version: None
  • Architecture: x86

Description of problem

The result of the BZHI instruction differs from the real CPU: both the destination register value and the SF flag in EFLAGS are different.

Steps to reproduce

  1. Compile this code (the operands are in Intel syntax, so build with e.g. gcc -masm=intel):

    int main(void) {
        // Intel-syntax operands; build with gcc -masm=intel (or add .intel_syntax noprefix)
        asm volatile(
            "mov rax, 0xb1aa9da2fe33fe3\n\t"
            "mov rbx, 0x80000000ffffffff\n\t"
            "mov rcx, 0xf3fce8829b99a5c6\n\t"
            "bzhi rax, rbx, rcx"
            ::: "rax", "rbx", "rcx", "cc");
        return 0;
    }

  2. Execute and compare the result with the CPU.
    • CPU
      • RAX = 0x80000000ffffffff
      • SF = 1
    • QEMU
      • RAX = 0xffffffff
      • SF = 0
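As an added example (not part of the original report or of QEMU), a reference model of the Intel BZHI semantics for a 64-bit operand, evaluated on the operands above. The index is taken from the low 8 bits of RCX (0xc6 = 198), which is not below 64, so no bits are cleared, CF is set and SF reflects bit 63 of the unchanged source; the value QEMU produced is what the model returns for an in-range index of 32.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference model of BZHI (64-bit operand size), following the Intel SDM pseudocode:
 *   N    = index[7:0]
 *   DEST = src
 *   if N < 64: DEST[63:N] = 0
 *   CF = (N > 63), ZF = (DEST == 0), SF = DEST[63], OF = 0
 */
typedef struct {
    uint64_t result;
    int cf, zf, sf;
} bzhi_result;

bzhi_result bzhi64(uint64_t src, uint64_t index) {
    bzhi_result r;
    unsigned n = (unsigned)(index & 0xff);   /* only the low 8 bits of the index count */
    if (n < 64) {
        /* keep bits [n-1:0]; n == 0 is guarded because a 64-bit shift is undefined in C */
        r.result = (n == 0) ? 0 : (src & (~(uint64_t)0 >> (64 - n)));
        r.cf = 0;
    } else {
        r.result = src;   /* index out of range: nothing is zeroed, CF reports it */
        r.cf = 1;
    }
    r.zf = (r.result == 0);
    r.sf = (int)(r.result >> 63);
    return r;
}

int main(void) {
    /* operands taken from the bug report above */
    bzhi_result r = bzhi64(0x80000000ffffffffULL, 0xf3fce8829b99a5c6ULL);
    printf("RAX = 0x%016llx CF=%d ZF=%d SF=%d\n",
           (unsigned long long)r.result, r.cf, r.zf, r.sf);
    return 0;
}
```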

Additional information

This bug was discovered by research conducted by KAIST SoftSec.
