From: Roy Hopkins
To: qemu-devel@nongnu.org
Cc: Roy Hopkins, Paolo Bonzini, Daniel P. Berrangé, Stefano Garzarella, Marcelo Tosatti, Michael S. Tsirkin, Cornelia Huck, Marcel Apfelbaum, Sergio Lopez, Eduardo Habkost, Alistair Francis, Peter Xu, David Hildenbrand, Igor Mammedov, Tom Lendacky, Michael Roth, Ani Sinha, Jörg Roedel
Subject: [PATCH v6 07/16] target/i386: Allow setting of R_LDTR and R_TR with cpu_x86_load_seg_cache()
Date: Thu, 26 Sep 2024 12:41:56 +0100
Message-ID: <74042246990ccd0c702f88f1f842337979a614d3.1727341768.git.roy.hopkins@suse.com>
X-Mailer: git-send-email 2.43.0

The x86 segment registers are identified by the X86Seg enumeration which
includes LDTR and TR as well as the normal segment registers. The function
'cpu_x86_load_seg_cache()' uses the enum to determine which segment to set.
However, specifying R_LDTR or R_TR results in an out-of-bounds access of the
segment array. Possibly by coincidence, the function does correctly set LDTR
or TR in this case as the structures for these registers immediately follow
the array which is accessed out of bounds.

This patch adds correct handling for R_LDTR and R_TR in the function.

Signed-off-by: Roy Hopkins
Reviewed-by: Michael S. Tsirkin
Reviewed-by: Stefano Garzarella
---
 target/i386/cpu.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 14edd57a37..61d96c9344 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2261,7 +2261,14 @@ static inline void cpu_x86_load_seg_cache(CPUX86State *env,
     SegmentCache *sc;
     unsigned int new_hflags;
 
-    sc = &env->segs[seg_reg];
+    if (seg_reg == R_LDTR) {
+        sc = &env->ldt;
+    } else if (seg_reg == R_TR) {
+        sc = &env->tr;
+    } else {
+        sc = &env->segs[seg_reg];
+    }
+
     sc->selector = selector;
     sc->base = base;
     sc->limit = limit;
-- 
2.43.0
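Review bot: the final else branch of the new chain still indexes env->segs[seg_reg] unchecked, so any seg_reg value outside the array other than R_LDTR and R_TR would reproduce exactly the silent out-of-bounds read/write this hunk is fixing, relying on whatever happens to follow segs[] in CPUX86State. Consider guarding that assignment with an assertion such as `assert(seg_reg < ARRAY_SIZE(env->segs));` so a bad caller fails loudly instead of aliasing a neighbouring field; a switch on seg_reg with a default case carrying the assertion would also read more naturally than the if/else if/else chain. The commit message could additionally state that the old behaviour, although it produced the right result, was undefined behaviour in C (an out-of-bounds array access), which is the real reason the change is needed rather than a cosmetic one.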