binutils/0005-x86-64-properly-bounds-check-bnd-N-in-OP_G.patch

From bac11f2cfe7913ef4c37af608454451e27f78eff Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Thu, 22 Jul 2021 13:03:16 +0200
Subject: [PATCH] x86-64: properly bounds-check %bnd<N> in OP_G()

The restriction to %bnd0-%bnd3 requires to also check REX.R is clear,
just like OP_E_Register() also includes REX.B in its check.

diff --git a/gas/testsuite/gas/i386/x86-64-mpx.d b/gas/testsuite/gas/i386/x86-64-mpx.d
index f3217e07016..2f45af0d6e4 100644
--- a/gas/testsuite/gas/i386/x86-64-mpx.d
+++ b/gas/testsuite/gas/i386/x86-64-mpx.d
@@ -191,5 +191,7 @@ Disassembly of section .text:
 [a-f0-9]+ <bad>:
 [ 	]*[a-f0-9]+:	0f 1a 30             	bndldx \(%rax\),\(bad\)
 [ 	]*[a-f0-9]+:	66 0f 1a c4          	bndmov \(bad\),%bnd0
+[ 	]*[a-f0-9]+:	66 41 0f 1a c0       	bndmov \(bad\),%bnd0
+[ 	]*[a-f0-9]+:	66 44 0f 1a c0       	bndmov %bnd0,\(bad\)
 [ 	]*[a-f0-9]+:	f3 0f 1b 05 90 90 90 90 	bndmk  \(bad\),%bnd0
 #pass
diff --git a/gas/testsuite/gas/i386/x86-64-mpx.s b/gas/testsuite/gas/i386/x86-64-mpx.s
index b113590cf76..3594d8e9c88 100644
--- a/gas/testsuite/gas/i386/x86-64-mpx.s
+++ b/gas/testsuite/gas/i386/x86-64-mpx.s
@@ -227,6 +227,20 @@ bad:
 	.byte 0x1a
 	.byte 0xc4
 
+	# bndmov with REX.B set
+	.byte 0x66
+	.byte 0x41
+	.byte 0x0f
+	.byte 0x1a
+	.byte 0xc0
+
+	# bndmov with REX.R set
+	.byte 0x66
+	.byte 0x44
+	.byte 0x0f
+	.byte 0x1a
+	.byte 0xc0
+
 	# bndmk (bad),%bnd0
 	.byte 0xf3
 	.byte 0x0f
diff --git a/opcodes/i386-dis.c b/opcodes/i386-dis.c
index e95d2ef9d64..203dcefa360 100644
--- a/opcodes/i386-dis.c
+++ b/opcodes/i386-dis.c
@@ -11966,7 +11966,7 @@ OP_G (int bytemode, int sizeflag)
       oappend (names64[modrm.reg + add]);
       break;
     case bnd_mode:
-      if (modrm.reg > 0x3)
+      if (modrm.reg + add > 0x3)
 	{
 	  oappend ("(bad)");
 	  return;
-- 
2.33.0