[PATCH 1/2] i386: Generate lfence with load/indirect branch/ret [CVE-2020-0551]

Jan Beulich jbeulich@suse.com
Fri Apr 24 06:00:52 GMT 2020


On 24.04.2020 07:30, Hongtao Liu wrote:
> Change to
> 
> +      /* lret or iret.  */
> +      bfd_boolean lret = (i.tm.base_opcode | 0x5) == 0xcf;
> +      bfd_boolean has_rexw = i.prefix[REX_PREFIX] & REX_W;
> +      char prefix = 0x0;
> +      /* Default operand size for far return is 32 bits,
> +         64 bits for near return.  */
> +      /* Near ret ingore operand size override under CPU64.  */
> +      if ((!lret && flag_code == CODE_64BIT) || has_rexw)
> +        prefix = 0x48;
>        else
> +        prefix = i.prefix[DATA_PREFIX] ? 0x66 : 0x0;
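
Review bot: In the `lret` initializer, `(i.tm.base_opcode | 0x5) == 0xcf` is true for 0xca, 0xcb and 0xcf, but also for 0xce, which the "lret or iret" comment does not cover. If this path can be reached with that opcode, compare against the intended opcodes explicitly; otherwise extend the comment to say why it cannot occur here. The flag is also set for iret, so a name that covers both cases would read better than `lret`. The "Near ret ingore operand size override" comment has a typo ("ignore").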

One minor remark on this one - I'd suggest to either omit the
initializer for prefix, or make the last two lines

      else if (i.prefix[DATA_PREFIX])
        prefix = 0x66;

as there's no point assigning 0 twice.

> Update total patch:

Looks okay to me now, thanks.

Jan

