From beb82042447c5d6e7073d816d6afc25c5a423cde Mon Sep 17 00:00:00 2001
From: Jan Beulich
Date: Wed, 25 Jan 2017 15:08:59 +0100
Subject: [PATCH] x86emul: correct VEX/XOP/EVEX operand size handling for 16-bit code

Operand size defaults to 32 bits in that case, but would not have been set that way in the absence of an operand size override.

Reported-by: Wei Liu (by AFL fuzzing)
Signed-off-by: Jan Beulich
Reviewed-by: Andrew Cooper
---
xen/arch/x86/x86_emulate/x86_emulate.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 5bb5bdfe1c..6f81cc7904 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2323,6 +2323,11 @@ x86_decode(
case 8: /* VEX / XOP / EVEX */
generate_exception_if(rex_prefix || vex.pfx, EXC_UD);
+ /*
+ * With operand size override disallowed (see above), op_bytes
+ * should not have changed from its default.
+ */
+ ASSERT(op_bytes == def_op_bytes);
vex.raw[0] = modrm;
if ( b == 0xc5 )
@@ -2351,7 +2356,8 @@ x86_decode(
}
else
{
- ASSERT(op_bytes == 4);
+ /* Operand size fixed at 4 (no override via W bit). */
+ op_bytes = 4;
vex.b = 1;
}
switch ( b )
--
2.30.2
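Review bot: The forced `op_bytes = 4;` in the second hunk sits in the non-64-bit `else` branch of the 3-byte VEX path only, so the 2-byte form taken by `if ( b == 0xc5 )` (its body lies between the two hunks) would presumably still carry the 2-byte default in 16-bit code that the first hunk's ASSERT() confirms is still in place; worth confirming against the lines outside the hunk. If both forms need the 32-bit default, the assignment belongs at a point common to them, e.g. directly after `vex.raw[0] = modrm;` as `if ( !mode_64bit() ) op_bytes = 4;`, leaving this branch with just `vex.b = 1;`. The new `ASSERT(op_bytes == def_op_bytes);` in the first hunk is a debug-build check, so the real guard against a prefixed operand size remains the `generate_exception_if(rex_prefix || vex.pfx, EXC_UD);` immediately above it; a one-line comment saying so, `/* Enforced by the EXC_UD check above; this only documents the invariant. */`, would keep a reader from mistaking the ASSERT for the enforcement. x86_decode() starts and ends outside both hunks.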