[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 11/22] target/i386: Throw a #SS when loading a non-canonical IST
From: |
Paolo Bonzini |
Subject: |
[PULL 11/22] target/i386: Throw a #SS when loading a non-canonical IST |
Date: |
Tue, 8 Mar 2022 12:34:34 +0100 |
From: Gareth Webb <gareth.webb@umbralsoftware.co.uk>
Loading a non-canonical address into rsp when handling an interrupt or
performing a far call should raise a #SS not a #GP.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/870
Signed-off-by: Gareth Webb <gareth.webb@umbralsoftware.co.uk>
Message-Id: <164529651121.25406.15337137068584246397-0@git.sr.ht>
[Move get_pg_mode to seg_helper.c for user-mode emulators. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 49 +++++++++++++++++++++++++++-
target/i386/tcg/sysemu/excp_helper.c | 36 --------------------
2 files changed, 48 insertions(+), 37 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index baa905a0cd..4cf1f973cf 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -28,6 +28,42 @@
#include "helper-tcg.h"
#include "seg_helper.h"
+int get_pg_mode(CPUX86State *env)
+{
+ int pg_mode = 0;
+ if (!(env->cr[0] & CR0_PG_MASK)) {
+ return 0;
+ }
+ if (env->cr[0] & CR0_WP_MASK) {
+ pg_mode |= PG_MODE_WP;
+ }
+ if (env->cr[4] & CR4_PAE_MASK) {
+ pg_mode |= PG_MODE_PAE;
+ if (env->efer & MSR_EFER_NXE) {
+ pg_mode |= PG_MODE_NXE;
+ }
+ }
+ if (env->cr[4] & CR4_PSE_MASK) {
+ pg_mode |= PG_MODE_PSE;
+ }
+ if (env->cr[4] & CR4_SMEP_MASK) {
+ pg_mode |= PG_MODE_SMEP;
+ }
+ if (env->hflags & HF_LMA_MASK) {
+ pg_mode |= PG_MODE_LMA;
+ if (env->cr[4] & CR4_PKE_MASK) {
+ pg_mode |= PG_MODE_PKE;
+ }
+ if (env->cr[4] & CR4_PKS_MASK) {
+ pg_mode |= PG_MODE_PKS;
+ }
+ if (env->cr[4] & CR4_LA57_MASK) {
+ pg_mode |= PG_MODE_LA57;
+ }
+ }
+ return pg_mode;
+}
+
/* return non zero if error */
static inline int load_segment_ra(CPUX86State *env, uint32_t *e1_ptr,
uint32_t *e2_ptr, int selector,
@@ -795,6 +831,8 @@ static inline target_ulong get_rsp_from_tss(CPUX86State
*env, int level)
{
X86CPU *cpu = env_archcpu(env);
int index;
+ target_ulong rsp;
+ int32_t sext;
#if 0
printf("TR: base=" TARGET_FMT_lx " limit=%x\n",
@@ -808,7 +846,16 @@ static inline target_ulong get_rsp_from_tss(CPUX86State
*env, int level)
if ((index + 7) > env->tr.limit) {
raise_exception_err(env, EXCP0A_TSS, env->tr.selector & 0xfffc);
}
- return cpu_ldq_kernel(env, env->tr.base + index);
+
+ rsp = cpu_ldq_kernel(env, env->tr.base + index);
+
+ /* test virtual address sign extension */
+ sext = rsp >> (get_pg_mode(env) & PG_MODE_LA57 ? 56 : 47);
+ if (sext != 0 && sext != -1) {
+ raise_exception_err(env, EXCP0C_STACK, 0);
+ }
+
+ return rsp;
}
/* 64 bit interrupt */
diff --git a/target/i386/tcg/sysemu/excp_helper.c
b/target/i386/tcg/sysemu/excp_helper.c
index 0410170d64..db4c266c86 100644
--- a/target/i386/tcg/sysemu/excp_helper.c
+++ b/target/i386/tcg/sysemu/excp_helper.c
@@ -21,42 +21,6 @@
#include "cpu.h"
#include "tcg/helper-tcg.h"
-int get_pg_mode(CPUX86State *env)
-{
- int pg_mode = 0;
- if (!(env->cr[0] & CR0_PG_MASK)) {
- return 0;
- }
- if (env->cr[0] & CR0_WP_MASK) {
- pg_mode |= PG_MODE_WP;
- }
- if (env->cr[4] & CR4_PAE_MASK) {
- pg_mode |= PG_MODE_PAE;
- if (env->efer & MSR_EFER_NXE) {
- pg_mode |= PG_MODE_NXE;
- }
- }
- if (env->cr[4] & CR4_PSE_MASK) {
- pg_mode |= PG_MODE_PSE;
- }
- if (env->cr[4] & CR4_SMEP_MASK) {
- pg_mode |= PG_MODE_SMEP;
- }
- if (env->hflags & HF_LMA_MASK) {
- pg_mode |= PG_MODE_LMA;
- if (env->cr[4] & CR4_PKE_MASK) {
- pg_mode |= PG_MODE_PKE;
- }
- if (env->cr[4] & CR4_PKS_MASK) {
- pg_mode |= PG_MODE_PKS;
- }
- if (env->cr[4] & CR4_LA57_MASK) {
- pg_mode |= PG_MODE_LA57;
- }
- }
- return pg_mode;
-}
-
#define PG_ERROR_OK (-1)
typedef hwaddr (*MMUTranslateFunc)(CPUState *cs, hwaddr gphys, MMUAccessType
access_type,
--
2.35.1
- Re: [PULL 15/22] x86: Grant AMX permission for guest, (continued)
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Peter Krempa, 2022/03/16
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Daniel P . Berrangé, 2022/03/16
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Paolo Bonzini, 2022/03/16
- Re: [PULL 15/22] x86: Grant AMX permission for guest, David Edmondson, 2022/03/16
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Daniel P . Berrangé, 2022/03/16
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Maxim Levitsky, 2022/03/17
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Yang Zhong, 2022/03/17
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Michal Prívozník, 2022/03/18
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Yang Zhong, 2022/03/18
- Re: [PULL 15/22] x86: Grant AMX permission for guest, Yang Zhong, 2022/03/22
[PULL 11/22] target/i386: Throw a #SS when loading a non-canonical IST,
Paolo Bonzini <=
[PULL 22/22] gitlab-ci: do not run tests with address sanitizer, Paolo Bonzini, 2022/03/08
[PULL 21/22] KVM: SVM: always set MSR_AMD64_TSC_RATIO to default value, Paolo Bonzini, 2022/03/08
[PULL 19/22] x86: Support XFD and AMX xsave data migration, Paolo Bonzini, 2022/03/08
Re: [PULL v2 00/22] QEMU changes for 7.0 soft freeze, Peter Maydell, 2022/03/10