Xen Test Framework

Advisory: XSA-123

An x86 instruction destination operand is either a memory reference or a register. Memory references always have an associated selector, and typically default to %ds if not specified. The selector is not relevant however for a destination register operand.

Before XSA-123, an enumeration representing an explicit segment override on a register-destination instruction wasn't dropped, and would be stashed in a union, aliasing the lower half of a pointer into the register block on the stack.

Register-destination instructions don't usually trap for emulation, and explicit segment overrides are rare in general. Compilers also make it hard to accidentally have a segment override for a register-destination instruction.

This test explicitly forces a %cs:mov %reg, %reg instruction through the x86 instruction emulator. If the destination register doesn't match the source register, hypervisor memory corruption has occurred.
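As an added illustration (not XTF or Xen code), the following C model shows the decoder defect the test exercises and why the register check detects it. The struct operand layout, emulate_mov(), run_mov() and the instruction bytes are assumptions made for this example: it decodes only opcode 0x89 with a register-direct ModRM, and instead of writing through the damaged pointer as the real emulator would, it bounds-checks the destination pointer against the register block and reports corruption.

```c
/* Model of the XSA-123 decoder defect (example code, not Xen or XTF). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum x86_segment { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_NONE };

/* Register block as the emulator sees it: a struct on the (hypervisor) stack. */
struct cpu_regs { unsigned long rax, rcx, rdx, rbx; };

/* Operand whose register form and memory form share storage, as in the emulator. */
struct operand {
    enum { OP_NONE, OP_REG, OP_MEM } type;
    union {
        unsigned long *reg;            /* OP_REG: address inside struct cpu_regs */
        struct {
            enum x86_segment seg;      /* 4 bytes: aliases the low half of reg */
            unsigned long off;
        } mem;
    };
};

#define EMUL_OK             0
#define EMUL_BAD_INSN      -1
#define EMUL_STACK_CORRUPT -2   /* dst.reg no longer points into the register block */
#define EMUL_MISMATCH      -3   /* destination register != source register (XTF's check) */

static unsigned long *decode_register(unsigned int idx, struct cpu_regs *regs)
{
    switch (idx & 3) {           /* only rax..rbx are modelled */
    case 0:  return &regs->rax;
    case 1:  return &regs->rcx;
    case 2:  return &regs->rdx;
    default: return &regs->rbx;
    }
}

/*
 * Emulate "[seg:] mov %reg, %reg" (opcode 0x89, ModRM mod=11).  With buggy
 * set, the decoder behaves as before the XSA-123 fix: an explicit segment
 * override is stored into the operand union regardless of operand type.
 */
int emulate_mov(const uint8_t *insn, size_t len, struct cpu_regs *regs, int buggy)
{
    enum x86_segment override = SEG_NONE, s;
    struct operand src = { .type = OP_NONE }, dst = { .type = OP_NONE };
    size_t i;

    /* Legacy segment-override prefixes. */
    for (i = 0; i < len; i++) {
        switch (insn[i]) {
        case 0x26: s = SEG_ES; break;
        case 0x2e: s = SEG_CS; break;
        case 0x36: s = SEG_SS; break;
        case 0x3e: s = SEG_DS; break;
        case 0x64: s = SEG_FS; break;
        case 0x65: s = SEG_GS; break;
        default:   s = SEG_NONE; break;
        }
        if (s == SEG_NONE)
            break;
        override = s;
    }
    if (i + 2 > len || insn[i] != 0x89)
        return EMUL_BAD_INSN;

    {
        uint8_t modrm = insn[i + 1];
        if ((modrm >> 6) != 3)
            return EMUL_BAD_INSN;   /* memory destinations are outside this model */
        src.type = OP_REG; src.reg = decode_register((modrm >> 3) & 7, regs);
        dst.type = OP_REG; dst.reg = decode_register(modrm & 7, regs);
    }

    if (override != SEG_NONE) {
        if (buggy)
            dst.mem.seg = override;             /* pre-fix: clobbers low half of dst.reg */
        else if (dst.type == OP_MEM)
            dst.mem.seg = override;             /* fixed: only memory operands carry a selector */
    }

    /* Bounds check standing in for the write the real emulator would perform blindly. */
    if ((uintptr_t)dst.reg < (uintptr_t)regs ||
        (uintptr_t)dst.reg >= (uintptr_t)regs + sizeof(*regs))
        return EMUL_STACK_CORRUPT;

    *dst.reg = *src.reg;
    return EMUL_OK;
}

/* Constructed instruction bytes: "cs mov %eax, %ecx" and the same without a prefix. */
const uint8_t cs_mov_eax_ecx[] = { 0x2e, 0x89, 0xc1 };
const uint8_t mov_eax_ecx[]    = { 0x89, 0xc1 };

/* Drive one instruction through the model with fresh registers, then apply the
 * same check as the XTF test: the destination register must equal the source. */
int run_mov(const uint8_t *insn, size_t len, int buggy)
{
    struct cpu_regs regs = { .rax = 0x1234, .rcx = 0, .rdx = 0, .rbx = 0 };
    int rc = emulate_mov(insn, len, &regs, buggy);
    if (rc != EMUL_OK)
        return rc;
    return regs.rcx == regs.rax ? EMUL_OK : EMUL_MISMATCH;
}

int main(void)
{
    printf("cs mov, fixed decoder  : rc=%d\n", run_mov(cs_mov_eax_ecx, sizeof(cs_mov_eax_ecx), 0));
    printf("cs mov, pre-fix decoder: rc=%d\n", run_mov(cs_mov_eax_ecx, sizeof(cs_mov_eax_ecx), 1));
    printf("plain mov, pre-fix     : rc=%d\n", run_mov(mov_eax_ecx, sizeof(mov_eax_ecx), 1));
    return 0;
}
```

Without the override prefix both decoders behave identically, which is why the defect stayed hidden: compilers never emit a segment override on a register-to-register move, so only a deliberately assembled %cs:mov reaches this path.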
