Date: Wed, 21 Jun 2017 22:21:56 +0800
From: Wu Xiang
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini, Eduardo Habkost, Richard Henderson
Message-ID: <20170621142152.GA18094@wxdeubuntu.ipads-lab.se.sjtu.edu.cn>
Subject: [Qemu-devel] [PATCH] target/i386: fix interrupt CPL error when using ist in x86-64

In do_interrupt64(), when the interrupt stack table (ist) is enabled and the target code segment is conforming (e2 & DESC_C_MASK), the old implementation always set the new CPL to 0 and SS.RPL to 0. This is incorrect: when CPL3 code accesses a CPL0 conforming code segment, the CPL should remain unchanged. Otherwise higher privileged code can be compromised.

The patch fixes this by always setting dpl = cpl when the target code segment is conforming, and by modifying the last parameter `flags`, which contains the correct new CPL, in cpu_x86_load_seg_cache().

Signed-off-by: Wu Xiang
---
 target/i386/seg_helper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/seg_helper.c b/target/i386/seg_helper.c
index 0374031..9af69c2 100644
--- a/target/i386/seg_helper.c
+++ b/target/i386/seg_helper.c
@@ -931,12 +931,14 @@ static void do_interrupt64(CPUX86State *env, int intn= o, int is_int, } new_stack =3D 0; esp =3D env->regs[R_ESP]; - dpl =3D cpl; } else { raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc); new_stack =3D 0; /* avoid warning */ esp =3D 0; /* avoid warning */ } + if (e2 & DESC_C_MASK) { + dpl =3D cpl; + } esp &=3D ~0xfLL; /* align stack */ =20 PUSHQ(esp, env->segs[R_SS].selector); @@ -956,7 +958,7 @@ static void do_interrupt64(CPUX86State *env, int intno,= int is_int, =20 if (new_stack) { ss =3D 0 | dpl; - cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0); + cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT); } env->regs[R_ESP] =3D esp; =20 --=20 2.7.4
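Review bot: In the first hunk (@@ -931,12), the new `if (e2 & DESC_C_MASK) { dpl = cpl; }` sits after the whole branch chain, so it now also covers the stack-switch path that the removed `dpl = cpl;` never reached; a one-line comment there, saying that a conforming target keeps the caller's CPL even when an IST stack is selected, would record why the assignment moved out of the same-privilege branch. Dropping `dpl = cpl;` from that branch is behaviour-preserving only because the branch is entered with either a conforming segment or `dpl == cpl`, and that condition is outside the visible context; the commit message should state it so a later reader does not re-add the line. The trailing `else` raises #GP through raise_exception_err() and does not return, so the new `if` is reached only on the two valid paths, which is fine but also worth a word in the message.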
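Review bot: In the second hunk (@@ -956,7), passing `dpl << DESC_DPL_SHIFT` as the flags argument makes the DPL recorded for SS agree with the RPL set on the line above, `ss = 0 | dpl;`, whereas the old literal `0` forced a DPL of 0 on every stack switch, not only in the IST case the subject line names. Since the commit message says `flags` carries the new CPL, please state in the message that the SS flags are what the new CPL is taken from, so the reason for this one-argument change is preserved; a regression test that reaches a DPL 0 conforming handler through an IST gate from CPL 3 and checks that the guest does not end up with CPL 0 and a user RPL in CS would pin the behaviour this patch restores.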
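As an added illustration, not part of Wu Xiang's patch or of QEMU's own code, the following C model reduces do_interrupt64()'s branch selection to the privilege-relevant pieces and runs it both in the pre-patch shape (`dpl = cpl` only in the same-privilege branch, SS flags `0`) and the patched shape (`dpl = cpl` for any conforming target, SS flags `dpl << DESC_DPL_SHIFT`). The bit positions match QEMU's cpu.h definitions; the `intr_outcome` struct, the `deliver*` helpers and the descriptor values are constructed for this model, and the earlier checks in do_interrupt64 (present bit, long-mode code segment, `dpl <= cpl`) are assumed to have passed.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor bit layout as defined in QEMU's target/i386/cpu.h. */
#define DESC_DPL_SHIFT 13
#define DESC_C_MASK    (1u << 10)   /* code segment: conforming */

/* Privilege-relevant outcome of delivering through a 64-bit gate
 * (hypothetical struct used only by this model). */
struct intr_outcome {
    bool new_stack;   /* stack switch (inner privilege, or IST selected) */
    int  ss_rpl;      /* RPL of the null SS loaded on a stack switch, -1 if SS kept */
    int  ss_dpl;      /* DPL recorded in the SS cache, i.e. the resulting CPL */
    int  cs_rpl;      /* RPL written into the new CS selector */
};

/* High dword of a code-segment descriptor with the given DPL and
 * conforming bit (constructed value; all other bits left clear). */
static uint32_t make_e2(int dpl, bool conforming)
{
    return ((uint32_t)dpl << DESC_DPL_SHIFT) | (conforming ? DESC_C_MASK : 0);
}

/* Shared shape of do_interrupt64()'s branch selection.  `fixed` picks the
 * behaviour before (false) or after (true) the patch. */
static struct intr_outcome deliver(int cpl, uint32_t e2, int ist, bool fixed)
{
    int dpl = (e2 >> DESC_DPL_SHIFT) & 3;
    bool conforming = (e2 & DESC_C_MASK) != 0;
    struct intr_outcome r = { false, -1, cpl, 0 };

    assert(dpl <= cpl);   /* do_interrupt64 raises #GP before this point otherwise */

    if ((!conforming && dpl < cpl) || ist != 0) {
        r.new_stack = true;           /* to inner privilege, or IST stack */
    } else {                          /* conforming, or dpl == cpl */
        r.new_stack = false;
        if (!fixed) {
            dpl = cpl;                /* old code: assignment lived only here */
        }
    }
    if (fixed && conforming) {
        dpl = cpl;                    /* patched code: conforming keeps the CPL */
    }
    if (r.new_stack) {
        r.ss_rpl = dpl;               /* ss = 0 | dpl */
        /* SS cache flags: old code passed 0, patched code passes
         * dpl << DESC_DPL_SHIFT; the DPL field of these flags is what
         * the model reports as the new CPL. */
        uint32_t flags = fixed ? ((uint32_t)dpl << DESC_DPL_SHIFT) : 0;
        r.ss_dpl = (flags >> DESC_DPL_SHIFT) & 3;
    }
    r.cs_rpl = dpl;                   /* selector = (selector & ~3) | dpl */
    return r;
}

static struct intr_outcome deliver_old(int cpl, uint32_t e2, int ist)
{
    return deliver(cpl, e2, ist, false);
}

static struct intr_outcome deliver_fixed(int cpl, uint32_t e2, int ist)
{
    return deliver(cpl, e2, ist, true);
}

int main(void)
{
    /* The case from the commit message: CPL 3 code reaches a DPL 0
     * conforming code segment through a gate with IST 1 selected. */
    uint32_t e2 = make_e2(0, true);
    struct intr_outcome a = deliver_old(3, e2, 1);
    struct intr_outcome b = deliver_fixed(3, e2, 1);

    printf("old:   CPL %d, SS.RPL %d, CS.RPL %d\n", a.ss_dpl, a.ss_rpl, a.cs_rpl);
    printf("fixed: CPL %d, SS.RPL %d, CS.RPL %d\n", b.ss_dpl, b.ss_rpl, b.cs_rpl);
    return 0;
}
```

Running the model shows the old shape dropping to CPL 0 with RPL 0 in both SS and CS for the IST-plus-conforming case, while the patched shape keeps CPL 3; for a non-conforming DPL 0 target, and for a conforming target reached without IST, both shapes agree, which is the property a reviewer would want a regression test to check.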