From: Paolo Bonzini
To: qemu-devel@nongnu.org
Date: Wed, 5 Jul 2017 09:14:07 +0200
Message-Id: <1499238885-26161-5-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1499238885-26161-1-git-send-email-pbonzini@redhat.com>
References: <1499238885-26161-1-git-send-email-pbonzini@redhat.com>
Subject: [Qemu-devel] [PULL 04/42] target/i386: fix interrupt CPL error when using ist in x86-64
Cc: Wu Xiang

From: Wu Xiang

In do_interrupt64(), when the interrupt stack table (IST) is enabled and the target code segment is conforming (e2 & DESC_C_MASK), the old implementation always set the new CPL to 0, and SS.RPL to 0. This is incorrect: when CPL3 code accesses a CPL0 conforming code segment, the CPL should remain unchanged. Otherwise higher-privileged code can be compromised.

The patch fixes this by always setting dpl = cpl when the target code segment is conforming, and by modifying the last parameter `flags`, which contains the correct new CPL, in cpu_x86_load_seg_cache().

Signed-off-by: Wu Xiang
Message-Id: <20170621142152.GA18094@wxdeubuntu.ipads-lab.se.sjtu.edu.cn>
Signed-off-by: Paolo Bonzini
---
 target/i386/seg_helper.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/target/i386/seg_helper.c b/target/i386/seg_helper.c
index 0374031..9af69c2 100644
--- a/target/i386/seg_helper.c
+++ b/target/i386/seg_helper.c
@@ -931,12 +931,14 @@ static void do_interrupt64(CPUX86State *env, int intn= o, int is_int, } new_stack =3D 0; esp =3D env->regs[R_ESP]; - dpl =3D cpl; } else { raise_exception_err(env, EXCP0D_GPF, selector & 0xfffc); new_stack =3D 0; /* avoid warning */ esp =3D 0; /* avoid warning */ } + if (e2 & DESC_C_MASK) { + dpl =3D cpl; + } esp &=3D ~0xfLL; /* align stack */ =20 PUSHQ(esp, env->segs[R_SS].selector); @@ -956,7 +958,7 @@ static void do_interrupt64(CPUX86State *env, int intno,= int is_int, =20 if (new_stack) { ss =3D 0 | dpl; - cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, 0); + cpu_x86_load_seg_cache(env, R_SS, ss, 0, 0, dpl << DESC_DPL_SHIFT); } env->regs[R_ESP] =3D esp; =20 --=20 1.8.3.1
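Review bot: in the first hunk, the new `if (e2 & DESC_C_MASK) { dpl = cpl; }` placed after the if/else chain is only equivalent to the removed `dpl = cpl;` in the same-privilege branch if a non-conforming target reaching that branch already has dpl == cpl (the branch condition is outside the hunk), and it relies on the preceding `raise_exception_err(env, EXCP0D_GPF, ...)` branch never returning; neither is stated. Add a short comment above the new check, e.g. `/* conforming target: CPL is unchanged even when IST forces a stack switch */`, and a sentence in the commit message covering the same-privilege branch, so the move can be verified without reading the surrounding function.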
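Review bot: in the second hunk, `dpl << DESC_DPL_SHIFT` writes the new CPL into the cached SS descriptor's DPL field, but with `ist != 0` and a conforming target the same dpl (now equal to cpl) also becomes the RPL of the null selector on the line above, `ss = 0 | dpl;`. The commit message mentions only the `flags` argument; it should also say that SS.RPL changes from 0 to the caller's CPL, and a comment that the remaining descriptor flag bits are intentionally left zero for the null stack segment would help the next reader.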
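As an added example (not part of the patch and not QEMU's own code), the following stand-alone C model reproduces the privilege decision the commit message describes, with the pre-patch and patched choice of `dpl` side by side. The DESC_* bit positions are assumed from the x86 code-segment descriptor layout (bit 10 conforming, bits 13-14 DPL, bit 15 present), the names `deliver64` and `code_desc` are the example's own, and the test cases are constructed; the first case is the scenario from the commit message.

```c
/* Added example, not QEMU code: a stand-alone model of the privilege-level
 * decision that do_interrupt64() makes when delivering an interrupt through a
 * 64-bit gate. Descriptor bit positions follow the x86 code-segment descriptor
 * layout that QEMU's DESC_* macros name (assumed here: bit 10 = conforming,
 * bits 13-14 = DPL, bit 15 = present). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DESC_DPL_SHIFT 13
#define DESC_C_MASK    (1u << 10)   /* conforming code segment */
#define DESC_P_MASK    (1u << 15)   /* segment present */

struct int_result {
    bool gpf;        /* delivery faults instead of entering the handler */
    bool new_stack;  /* RSP taken from the TSS (RSPn or an IST slot) */
    int  new_cpl;    /* privilege the handler runs at (RPL written into CS) */
    int  ss_sel;     /* null SS selector loaded on a stack switch, else -1 */
};

/* Build the high dword (e2) of a code-segment descriptor for the model. */
static uint32_t code_desc(int dpl, bool conforming)
{
    return DESC_P_MASK | ((uint32_t)dpl << DESC_DPL_SHIFT)
         | (conforming ? DESC_C_MASK : 0);
}

/* cpl: current privilege level; e2: target CS descriptor high dword;
 * ist: the gate's IST field (0 = not used); fixed = false reproduces the
 * pre-patch behaviour, fixed = true the patched one. */
static struct int_result deliver64(int cpl, uint32_t e2, int ist, bool fixed)
{
    struct int_result r = { false, false, cpl, -1 };
    int dpl = (e2 >> DESC_DPL_SHIFT) & 3;

    /* Not-present or more-privileged-than-allowed target: #NP / #GP. */
    if (!(e2 & DESC_P_MASK) || dpl > cpl) {
        r.gpf = true;
        return r;
    }
    if ((!(e2 & DESC_C_MASK) && dpl < cpl) || ist != 0) {
        /* To inner privilege, or any IST use: the stack is switched.
         * Pre-patch, dpl keeps the descriptor's DPL here even for a
         * conforming target, which is the bug being fixed. */
        r.new_stack = true;
    } else if ((e2 & DESC_C_MASK) || dpl == cpl) {
        /* Same privilege, no stack switch. */
        r.new_stack = false;
        dpl = cpl;
    } else {
        r.gpf = true;
        return r;
    }
    if (fixed && (e2 & DESC_C_MASK)) {
        dpl = cpl;   /* conforming target: CPL never changes, IST or not */
    }
    r.new_cpl = dpl;
    if (r.new_stack) {
        r.ss_sel = 0 | dpl;   /* null selector, RPL = new CPL */
    }
    return r;
}

int main(void)
{
    /* Constructed cases; the first one is the scenario in the commit message. */
    struct { const char *name; int cpl; uint32_t e2; int ist; } cases[] = {
        { "CPL3 -> conforming DPL0, IST=1", 3, code_desc(0, true),  1 },
        { "CPL3 -> conforming DPL0, IST=0", 3, code_desc(0, true),  0 },
        { "CPL3 -> non-conforming DPL0",    3, code_desc(0, false), 0 },
        { "CPL0 -> non-conforming DPL0",    0, code_desc(0, false), 0 },
        { "CPL0 -> DPL3 target (rejected)", 0, code_desc(3, false), 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct int_result before = deliver64(cases[i].cpl, cases[i].e2, cases[i].ist, false);
        struct int_result after  = deliver64(cases[i].cpl, cases[i].e2, cases[i].ist, true);
        printf("%-34s pre-patch: %s CPL=%d SS=%d | patched: %s CPL=%d SS=%d\n",
               cases[i].name,
               before.gpf ? "#GP" : "ok", before.new_cpl, before.ss_sel,
               after.gpf  ? "#GP" : "ok", after.new_cpl,  after.ss_sel);
    }
    return 0;
}
```

The first row is the one that matters: pre-patch, a CPL3 caller reaching a conforming DPL0 handler through an IST gate comes out with CPL=0 and a null SS with RPL 0; patched, the handler runs at CPL3 with SS.RPL=3, while the non-IST rows are unchanged by the fix.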