From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 04/42] target/i386: fix interrupt CPL error when using ist in x86-64
Date: Wed, 5 Jul 2017 09:14:07 +0200
From: Wu Xiang <address@hidden>
In do_interrupt64(), when the interrupt stack table (ist) is enabled
and the target code segment is conforming (e2 & DESC_C_MASK), the
old implementation always set the new CPL to 0, and SS.RPL to 0.
This is incorrect: when CPL3 code accesses a CPL0 conforming code
segment, the CPL should remain unchanged. Otherwise higher privileged
code can be compromised.
The patch fixes this by always setting dpl = cpl when the target code segment
is conforming, and by modifying the last parameter `flags`, which contains the
correct new CPL, in cpu_x86_load_seg_cache().
Signed-off-by: Wu Xiang <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
target/i386/seg_helper.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/target/i386/seg_helper.c b/target/i386/seg_helper.c
index 0374031..9af69c2 100644
--- a/target/i386/seg_helper.c
+++ b/target/i386/seg_helper.c
@@ -931,12 +931,14 @@ static void do_interrupt64(CPUX86State *env, int intno,
int is_int,
}
new_stack = 0;
esp = env->regs[R_ESP];
- dpl = cpl;
} else {
raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);
new_stack = 0; /* avoid warning */
esp = 0; /* avoid warning */
}
+ if (e2 & DESC_C_MASK) {
+ dpl = cpl;
+ }
esp &= ~0xfLL; /* align stack */
PUSHQ(esp, env->segs[R_SS].selector);
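Review bot: the new `if (e2 & DESC_C_MASK) { dpl = cpl; }` is placed directly after the `raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc);` branch and is only correct because that call does not return; a one-line comment saying so, and naming the rule being applied (a transfer to a conforming code segment never changes CPL, which is why the assignment had to move out of the same-privilege branch so that the IST path is covered too), would save the next reader from re-deriving why `- dpl = cpl;` was removed above.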
@@ -956,7 +958,7 @@ static void do_interrupt64(CPUX86State *env, int intno, int
is_int,
if (new_stack) {
ss = 0 | dpl;
- cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0);
+ cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT);
}
env->regs[R_ESP] = esp;
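Review bot: the commit message explains that the new CPL travels in the `flags` argument, but nothing at the call site says so; a short comment above `cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT);` noting that SS is loaded as a null selector whose RPL (`ss = 0 | dpl`) and cached DPL must both equal the new CPL would document that dependency. The change is confined to the `if (new_stack)` branch, which is fine because the other path does not reload SS and so leaves CPL untouched, but stating that in the message would make the scope of the fix explicit.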
--
1.8.3.1
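As an added illustration (not QEMU code and not part of the patch), the following C model reproduces the branch structure the commit message describes and shows the CPL that results before and after the fix for the CPL3-to-conforming-CPL0 case with an IST configured; the helper names and MODEL_DESC_DPL_SHIFT are constructed for the example, and the rule that long mode derives CPL from the DPL bits of the SS flags is the behaviour of cpu_x86_load_seg_cache() the message relies on.

```c
/* Added example (not QEMU code): a model of the CPL that a 64-bit
 * interrupt delivery ends up with, mirroring the branch structure of
 * do_interrupt64() before and after the patch.  Helper names are
 * constructed; MODEL_DESC_DPL_SHIFT mirrors the x86 descriptor layout. */
#include <stdbool.h>

#define MODEL_DESC_DPL_SHIFT 13   /* DPL field position in descriptor flags */

/* Model of the long-mode rule in cpu_x86_load_seg_cache(): the new CPL
 * is taken from the DPL bits of the flags passed when loading SS. */
static int model_cpl_from_ss_flags(unsigned flags)
{
    return (flags >> MODEL_DESC_DPL_SHIFT) & 3;
}

/* Returns the CPL after the interrupt gate transfer, or -1 for #GP.
 *  cpl        current privilege level (0..3)
 *  dpl        DPL of the target code segment descriptor
 *  conforming target code segment has the C bit set (e2 & DESC_C_MASK)
 *  ist        IST index from the gate (0 = disabled)
 *  fixed      false = behaviour before the patch, true = after it
 */
static int model_new_cpl(int cpl, int dpl, bool conforming, int ist, bool fixed)
{
    bool new_stack;

    if ((!conforming && dpl < cpl) || ist != 0) {
        new_stack = true;             /* to inner privilege, or IST in use */
    } else if (conforming || dpl == cpl) {
        new_stack = false;            /* same privilege */
        if (!fixed) {
            dpl = cpl;                /* old location of the assignment */
        }
    } else {
        return -1;                    /* #GP(selector) */
    }
    if (fixed && conforming) {
        dpl = cpl;                    /* conforming: CPL never changes */
    }
    if (!new_stack) {
        return cpl;                   /* SS not reloaded, CPL unchanged */
    }
    /* New SS is a null selector with RPL = dpl.  The old code passed
     * flags 0, so the cached DPL (and hence CPL) became 0. */
    unsigned flags = fixed ? (unsigned)dpl << MODEL_DESC_DPL_SHIFT : 0;
    return model_cpl_from_ss_flags(flags);
}
```

The case from the commit message is model_new_cpl(3, 0, true, 1, ...): the pre-patch model yields CPL 0, the post-patch model keeps CPL 3.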