Xen Test Framework
XSA-195

Advisory: XSA-195

The bt family of instructions can reference an arbitrary bit offset from their memory operand. The x86 instruction emulator accounts for this by mutually modifying both the bit index and the memory operand to make an equivalent instruction, but with the bit index strictly in the range 0 to op_bytes * 8.

Before XSA-195, there was a bug in the handling of negative bit indices when contained in 64-bit registers. Xen mis-adjusted both the memory operand and the bit offset.

If vulnerable, this test will cause Xen to crash because of accessing a non-canonical address. If Xen isn't vulnerable, the instruction will be emulated correctly with no problems.
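
The normalisation described above, written out as an added reference example in C (not code from Xen or from tests/xsa-195/main.c). It sign-extends the register bit offset at the full operand width, folds it into the address with floor division, and checks that the result names the same absolute bit. The names `bitref`, `sext`, `bt_normalise` and `bt_equivalent`, the base address 0x1000 and the sample register values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct bitref { uint64_t addr; unsigned int bit; };

/* Sign-extend the register bit offset from the operand size (2, 4 or 8 bytes).
 * Relies on two's complement narrowing, as GCC and Clang implement it. */
static int64_t sext(uint64_t reg, unsigned int op_bytes)
{
    return op_bytes == 2 ? (int16_t)reg : op_bytes == 4 ? (int32_t)reg : (int64_t)reg;
}

/* Fold a signed bit offset into the address so that 0 <= bit < op_bytes * 8. */
struct bitref bt_normalise(uint64_t base, uint64_t reg, unsigned int op_bytes)
{
    int64_t op_bits = op_bytes * 8, idx = sext(reg, op_bytes);
    int64_t word = idx / op_bits, bit = idx % op_bits;

    if (bit < 0) {          /* C division truncates toward zero; floor is needed */
        bit += op_bits;
        word--;
    }
    /* Unsigned arithmetic, so address wrap-around is well defined. */
    return (struct bitref){ base + (uint64_t)word * op_bytes, (unsigned int)bit };
}

/* Property any normalisation must keep: index in range, operand-aligned
 * adjustment, and the same absolute bit as the original instruction. */
bool bt_equivalent(uint64_t base, uint64_t reg, unsigned int op_bytes, struct bitref r)
{
    return r.bit < op_bytes * 8 && (r.addr - base) % op_bytes == 0 &&
           (r.addr - base) * 8 + r.bit == (uint64_t)sext(reg, op_bytes);
}

int main(void)
{
    /* Constructed samples: { register value, operand size in bytes }. */
    static const struct { uint64_t reg; unsigned int op_bytes; } t[] = {
        { 35, 4 }, { 0x1234ffff, 2 }, { UINT64_MAX, 8 },
        { 0xffffffff00000040ULL, 8 },  /* negative, but low 32 bits look positive */
    };
    int bad = 0;
    for (unsigned int i = 0; i < sizeof(t) / sizeof(t[0]); i++) {
        struct bitref r = bt_normalise(0x1000, t[i].reg, t[i].op_bytes);
        printf("reg=%#llx op_bytes=%u -> addr=%#llx bit=%u\n", (unsigned long long)t[i].reg,
               t[i].op_bytes, (unsigned long long)r.addr, r.bit);
        bad |= !bt_equivalent(0x1000, t[i].reg, t[i].op_bytes, r);
    }
    return bad;
}
```

`bt_equivalent` can be pointed at any other implementation's output for the same inputs; a result that treats the last sample as a positive index fails the check.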

See also
tests/xsa-195/main.c