On 22/12/2017 16:53, Liran Alon wrote:
>> Yup, however EMULTYPE_VMWARE has filtered the opcodes, hasn't it? So in
>> this case you shouldn't fail the decoding.
>
> In my current implementation EMULTYPE_VMWARE is considered only after
> the disassembly engine (x86_decode_insn()) has succeeded. It is true I
> could have filtered the opcodes before invoking the disassembly engine,
> but that would make the code a bit more complex. In addition, I didn't see a
> lot of value in reducing the attack surface from the disassembly engine
> itself, only from the emulation.

We've had oopses from incorrect decoding, so it can be useful.

You're right that the RDPMC case has a two-byte opcode and therefore it
makes decoding a bit more complex. I'd say, let's keep it simple and
start with EMULTYPE_NO_UD_ON_FAIL.

Thanks,

Paolo

> Therefore, I decided to make the EMULTYPE_NO_UD_ON_FAIL flag, which may
> also be useful in the future for other use cases.