On Thu, May 15, 2014 at 06:56:56PM +0200, Paolo Bonzini wrote:
CS.RPL is not equal to the CPL in the few instructions between
setting CR0.PE and reloading CS. We get this right in the common
case, because writes to CR0 do not modify the CPL, but it would
not be enough if an SMI comes exactly during that brief period.
Were this to happen, the RSM instruction would erroneously set
CPL to the low two bits of the real-mode selector; and if they are
not 00, the next instruction fetch cannot access the code segment
and causes a triple fault.
However, SS.DPL *is* always equal to the CPL (except during task switches
as noted in the previous patch). In real processors (AMD only) there
is a weird case of SYSRET setting SS.DPL=SS.RPL from the STAR register
while forcing CPL=3, but we do not emulate that.
It looks to me like there could be a couple of places in the code
where cpu_x86_load_seg_cache(R_CS) is called, but
cpu_x86_load_seg_cache(R_SS) may not be. In particular,
helper_ret_protected() and cpu_x86_load_seg_cache_sipi(). Are these
still okay?