[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Stable-9.1.2 03/58] target/i386/tcg: Use DPL-level accesses for interru
From: |
Michael Tokarev |
Subject: |
[Stable-9.1.2 03/58] target/i386/tcg: Use DPL-level accesses for interrupts and call gates |
Date: |
Sat, 9 Nov 2024 15:08:04 +0300 |
From: Paolo Bonzini <pbonzini@redhat.com>
Stack accesses should be explicit and use the privilege level of the
target stack. This ensures that SMAP is not applied when the target
stack is in ring 3.
This fixes a bug wherein i386/tcg assumed that an interrupt return, or a
far call using the CALL or JMP instruction, was always going from kernel
or user mode to kernel mode when using a call gate. This assumption is
violated if the call gate has a DPL that is greater than 0.
Analyzed-by: Robert R. Henry <rrh.henry@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/249
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit e136648c5c95ee4ea233cccf999c07e065bef26d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 3b8fd827e1..02ae6a0d1f 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -695,7 +695,6 @@ static void do_interrupt_protected(CPUX86State *env, int
intno, int is_int,
sa.env = env;
sa.ra = 0;
- sa.mmu_index = cpu_mmu_index_kernel(env);
if (type == 5) {
/* task gate */
@@ -705,7 +704,9 @@ static void do_interrupt_protected(CPUX86State *env, int
intno, int is_int,
}
shift = switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
if (has_error_code) {
- /* push the error code */
+ /* push the error code on the destination stack */
+ cpl = env->hflags & HF_CPL_MASK;
+ sa.mmu_index = x86_mmu_index_pl(env, cpl);
if (env->segs[R_SS].flags & DESC_B_MASK) {
sa.sp_mask = 0xffffffff;
} else {
@@ -750,6 +751,7 @@ static void do_interrupt_protected(CPUX86State *env, int
intno, int is_int,
if (e2 & DESC_C_MASK) {
dpl = cpl;
}
+ sa.mmu_index = x86_mmu_index_pl(env, dpl);
if (dpl < cpl) {
/* to inner privilege */
uint32_t esp;
@@ -1001,7 +1003,7 @@ static void do_interrupt64(CPUX86State *env, int intno,
int is_int,
sa.env = env;
sa.ra = 0;
- sa.mmu_index = cpu_mmu_index_kernel(env);
+ sa.mmu_index = x86_mmu_index_pl(env, dpl);
sa.sp_mask = -1;
sa.ss_base = 0;
if (dpl < cpl || ist != 0) {
@@ -1135,7 +1137,7 @@ static void do_interrupt_real(CPUX86State *env, int
intno, int is_int,
sa.sp = env->regs[R_ESP];
sa.sp_mask = 0xffff;
sa.ss_base = env->segs[R_SS].base;
- sa.mmu_index = cpu_mmu_index_kernel(env);
+ sa.mmu_index = x86_mmu_index_pl(env, 0);
if (is_int) {
old_eip = next_eip;
@@ -1599,7 +1601,7 @@ void helper_lcall_real(CPUX86State *env, uint32_t new_cs,
uint32_t new_eip,
sa.sp = env->regs[R_ESP];
sa.sp_mask = get_sp_mask(env->segs[R_SS].flags);
sa.ss_base = env->segs[R_SS].base;
- sa.mmu_index = cpu_mmu_index_kernel(env);
+ sa.mmu_index = x86_mmu_index_pl(env, 0);
if (shift) {
pushl(&sa, env->segs[R_CS].selector);
@@ -1639,9 +1641,9 @@ void helper_lcall_protected(CPUX86State *env, int new_cs,
target_ulong new_eip,
sa.env = env;
sa.ra = GETPC();
- sa.mmu_index = cpu_mmu_index_kernel(env);
if (e2 & DESC_S_MASK) {
+ /* "normal" far call, no stack switch possible */
if (!(e2 & DESC_CS_MASK)) {
raise_exception_err_ra(env, EXCP0D_GPF, new_cs & 0xfffc, GETPC());
}
@@ -1665,6 +1667,7 @@ void helper_lcall_protected(CPUX86State *env, int new_cs,
target_ulong new_eip,
raise_exception_err_ra(env, EXCP0B_NOSEG, new_cs & 0xfffc,
GETPC());
}
+ sa.mmu_index = x86_mmu_index_pl(env, cpl);
#ifdef TARGET_X86_64
/* XXX: check 16/32 bit cases in long mode */
if (shift == 2) {
@@ -1792,6 +1795,7 @@ void helper_lcall_protected(CPUX86State *env, int new_cs,
target_ulong new_eip,
if (!(e2 & DESC_C_MASK) && dpl < cpl) {
/* to inner privilege */
+ sa.mmu_index = x86_mmu_index_pl(env, dpl);
#ifdef TARGET_X86_64
if (shift == 2) {
ss = dpl; /* SS = NULL selector with RPL = new CPL */
@@ -1870,6 +1874,7 @@ void helper_lcall_protected(CPUX86State *env, int new_cs,
target_ulong new_eip,
new_stack = 1;
} else {
/* to same privilege */
+ sa.mmu_index = x86_mmu_index_pl(env, cpl);
sa.sp = env->regs[R_ESP];
sa.sp_mask = get_sp_mask(env->segs[R_SS].flags);
sa.ss_base = env->segs[R_SS].base;
--
2.39.5
- [Stable-9.1.2 00/58] Patch Round-up for stable 9.1.2, freeze on 2024-11-18, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 01/58] tcg/s390x: fix constraint for 32-bit TSTEQ/TSTNE, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 02/58] KVM: Dynamic sized kvm memslots array, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 03/58] target/i386/tcg: Use DPL-level accesses for interrupts and call gates,
Michael Tokarev <=
- [Stable-9.1.2 04/58] accel/kvm: check for KVM_CAP_READONLY_MEM on VM, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 05/58] target/i386: Use only 16 and 32-bit operands for IN/OUT, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 06/58] tests: Wait for migration completion on destination QEMU to avoid failures, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 07/58] Revert "hw/sh4/r2d: Realize IDE controller before accessing it", Michael Tokarev, 2024/11/09
- [Stable-9.1.2 08/58] tests/qemu-iotests/211.out: Update to expect MapEntry 'compressed' field, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 09/58] raw-format: Fix error message for invalid offset/size, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 11/58] target/i386: Walk NPT in guest real mode, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 10/58] tcg: Reset data_gen_ptr correctly, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 14/58] linux-user/ppc: Fix sigmask endianness issue in sigreturn, Michael Tokarev, 2024/11/09
- [Stable-9.1.2 13/58] linux-user: Emulate /proc/self/maps under mmap_lock, Michael Tokarev, 2024/11/09