From nobody Sun Nov 24 23:38:42 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=suse.com ARC-Seal: i=1; a=rsa-sha256; t=1720005155; cv=none; d=zohomail.com; s=zohoarc; b=FULCpEklCgcwqc0f/r9n++5evjOdN9wD0wJTmGrWb1Oo9RDt/thnCHSFnOLcEs+G+J4V0ga9ECTX94ivHcGdc0qpjoUQPPLVgmstqeHsJ3ujlUKnASFskdjJCxGhLGKItpGjmT5JODm5YO4Zi/Trph4S3QwwY/PAV8oNVAKG7Ek= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1720005155; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=7V9gKlKSi7jfZ7mLrf5E75WoChUGdSKiWJ/Mz/HUbx8=; b=lYeDDbND+ZF1kku2SwZz3JTtMw/aoR4suIEoKiRjafvwUwhuGYLl6odTjuqM0UOh3EVQEwT0mMNlLARcVKmy38XOFKanRRv55Xe6saDMaOB46C4F05hWRXL1+cbLhLhVJBN22FdpyRWSwQ91nDpomCTfVdzx9ofjmdZsIx+Qcgs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 17200051559431010.4771511026562; Wed, 3 Jul 2024 04:12:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sOxoy-0004uQ-8R; Wed, 03 Jul 2024 07:06:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sOxov-0004s9-40 for qemu-devel@nongnu.org; Wed, 03 Jul 2024 07:06:41 -0400 Received: from smtp-out1.suse.de ([195.135.223.130]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sOxop-0006Xn-ED for qemu-devel@nongnu.org; Wed, 03 Jul 2024 07:06:40 -0400 Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 1BF2B21BC2; Wed, 3 Jul 2024 11:06:24 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 5C00E13974; Wed, 3 Jul 2024 11:06:23 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id MC55FK8whWZ6cgAAD6G6ig (envelope-from ); Wed, 03 Jul 2024 11:06:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720004784; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7V9gKlKSi7jfZ7mLrf5E75WoChUGdSKiWJ/Mz/HUbx8=; b=G+HcwTtmMfaH4E9qZv50gwJn/gSXcv5UoFUgPnY1ym44AxA+KH+w1TITPGsTMln4vE9gEW PXdRSTqsThG754AxE6B4hYv68dY4H9Tif+r33PT+LY3uiDY0sGk0zeMNwcMSSjEJuhNgB6 o5scFA9Fy0zhMxeqb48h9vfP3iTtudY= Authentication-Results: smtp-out1.suse.de; dkim=pass header.d=suse.com header.s=susede1 header.b=G+HcwTtm DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1720004784; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7V9gKlKSi7jfZ7mLrf5E75WoChUGdSKiWJ/Mz/HUbx8=; b=G+HcwTtmMfaH4E9qZv50gwJn/gSXcv5UoFUgPnY1ym44AxA+KH+w1TITPGsTMln4vE9gEW PXdRSTqsThG754AxE6B4hYv68dY4H9Tif+r33PT+LY3uiDY0sGk0zeMNwcMSSjEJuhNgB6 o5scFA9Fy0zhMxeqb48h9vfP3iTtudY= From: Roy Hopkins To: qemu-devel@nongnu.org Cc: Roy Hopkins , Paolo Bonzini , =?UTF-8?q?Daniel=20P=20=2E=20Berrang=C3=A9?= , Stefano Garzarella , Marcelo Tosatti , "Michael S . Tsirkin" , Cornelia Huck , Marcel Apfelbaum , Sergio Lopez , Eduardo Habkost , Alistair Francis , Peter Xu , David Hildenbrand , Igor Mammedov , Tom Lendacky , Michael Roth , Ani Sinha , =?UTF-8?q?J=C3=B6rg=20Roedel?= Subject: [PATCH v4 08/17] target/i386: Allow setting of R_LDTR and R_TR with cpu_x86_load_seg_cache() Date: Wed, 3 Jul 2024 12:05:46 +0100 Message-ID: <928dab59bc4194c0bb58c991331e958ffaa949fd.1720004383.git.roy.hopkins@suse.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-0.89 / 50.00]; BAYES_HAM(-2.38)[97.14%]; SUSPICIOUS_RECIPS(1.50)[]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_MISSING_CHARSET(0.50)[]; R_DKIM_ALLOW(-0.20)[suse.com:s=susede1]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; RCPT_COUNT_TWELVE(0.00)[19]; FUZZY_BLOCKED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; FREEMAIL_CC(0.00)[suse.com,redhat.com,gmail.com,habkost.net,alistair23.me,amd.com]; RCVD_TLS_ALL(0.00)[]; DKIM_TRACE(0.00)[suse.com:+]; RCVD_COUNT_TWO(0.00)[2]; DBL_BLOCKED_OPENRESOLVER(0.00)[suse.com:email,suse.com:dkim,imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; DNSWL_BLOCKED(0.00)[2a07:de40:b281:104:10:150:64:97:from,2a07:de40:b281:106:10:150:64:167:received]; TAGGED_RCPT(0.00)[]; DWL_DNSWL_BLOCKED(0.00)[suse.com:dkim]; R_RATELIMIT(0.00)[to_ip_from(RLgjcjk3igk5en59wt86eb8xw3)]; RCVD_VIA_SMTP_AUTH(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com] X-Spamd-Bar: / X-Rspamd-Queue-Id: 1BF2B21BC2 X-Rspamd-Server: rspamd2.dmz-prg2.suse.org X-Rspamd-Action: no action X-Spam-Score: -0.89 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=195.135.223.130; envelope-from=roy.hopkins@suse.com; helo=smtp-out1.suse.de X-Spam_score_int: -43 X-Spam_score: -4.4 X-Spam_bar: ---- X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @suse.com) X-ZM-MESSAGEID: 1720005156814100015 Content-Type: text/plain; charset="utf-8" The x86 segment registers are identified by the X86Seg enumeration which includes LDTR and TR as well as the normal segment registers. The function 'cpu_x86_load_seg_cache()' uses the enum to determine which segment to set. However, specifying R_LDTR or R_TR results in an out-of-bounds access of the segment array. Possibly by coincidence, the function does correctly set LDTR or TR in this case as the structures for these registers immediately follow the array which is accessed out of bounds. This patch adds correct handling for R_LDTR and R_TR in the function. Signed-off-by: Roy Hopkins --- target/i386/cpu.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/target/i386/cpu.h b/target/i386/cpu.h index 29daf37048..f4daec71cb 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h @@ -2242,7 +2242,14 @@ static inline void cpu_x86_load_seg_cache(CPUX86Stat= e *env, SegmentCache *sc; unsigned int new_hflags; =20 - sc =3D &env->segs[seg_reg]; + if (seg_reg =3D=3D R_LDTR) { + sc =3D &env->ldt; + } else if (seg_reg =3D=3D R_TR) { + sc =3D &env->tr; + } else { + sc =3D &env->segs[seg_reg]; + } + sc->selector =3D selector; sc->base =3D base; sc->limit =3D limit; --=20 2.43.0