Xen Test Framework
XSA-186

Advisory: XSA-186

Experimentally, Intel and AMD hardware is happy executing a 64bit instruction stream which crosses the -1 -> 0 virtual boundary, whether the instruction boundary is aligned on the virtual boundary, or is misaligned.

For 32bit, Intel processors are happy executing an instruction stream which crosses the -1 -> 0 virtual boundary, while AMD processors raise a segmentation fault.

For 16bit code, hardware never truncates %ip. %eip is always used and behaves normally as a 32bit register, including in 16bit protected mode segments, as well as in Real and Unreal mode.

The upstream change 0640ffb6 broke this behaviour, and introduced conditions which resulted in x86 emulator state corruption.

This test sets up two boundary-condition situations and checks that the code gets executed as expected. If execution does not proceed as expected, it is very likely that state corruption has occurred, even if Xen did not crash immediately.
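As an added reference model of the boundary rules stated above (it is neither this test's code nor Xen's emulator): an instruction fetch must mask each byte's address to the %ip width the hardware actually uses, with 16bit code sharing the full 32bit %eip, and 32bit AMD is modelled as faulting on a stream that crosses the wrap. The guest memory windows, the vendor enum and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration only, not Xen code. */
enum vendor { VENDOR_INTEL, VENDOR_AMD };

/* Width of the instruction pointer the hardware really uses.  16bit code
 * still executes on the full 32bit %eip, so it shares the 32bit mask. */
static uint64_t ip_mask(unsigned mode_bits)
{
    return mode_bits == 64 ? UINT64_MAX : UINT32_MAX;
}

/* Constructed guest memory: an 8-byte window just below the wrap point and
 * an 8-byte window at linear address 0 (byte values are arbitrary). */
static const uint8_t top_win[8] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0xb8 };
static const uint8_t low_win[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

static bool read_byte(uint64_t mask, uint64_t addr, uint8_t *out)
{
    uint64_t top = mask - 7;
    if (addr >= top) { *out = top_win[addr - top]; return true; }
    if (addr < 8)    { *out = low_win[addr];       return true; }
    return false;                           /* nothing mapped here */
}

/* Fetch `len` instruction bytes at `ip`.  Every byte address is masked on
 * its own, so the stream wraps from -1 to 0 instead of running off the end.
 * Returns false when the fetch faults. */
static bool fetch_insn(enum vendor v, unsigned mode_bits, uint64_t ip,
                       size_t len, uint8_t *buf)
{
    uint64_t mask = ip_mask(mode_bits);
    bool crosses = ((ip + len - 1) & mask) < (ip & mask);

    /* Per the advisory, 32bit AMD raises a fault on a crossing stream. */
    if (crosses && mode_bits == 32 && v == VENDOR_AMD)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!read_byte(mask, (ip + i) & mask, &buf[i]))
            return false;
    return true;
}

/* %ip after the instruction: wraps within the mode's %ip width and is never
 * truncated to 16 bits. */
static uint64_t next_ip(unsigned mode_bits, uint64_t ip, size_t len)
{
    return (ip + len) & ip_mask(mode_bits);
}
```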

See also
tests/xsa-186/main.c