Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translatio


From: Pranith Kumar
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Wed, 22 Mar 2017 11:14:47 -0400

On Wed, Mar 22, 2017 at 11:04 AM, Peter Maydell
<address@hidden> wrote:
>>
>> How about doing the instruction size check as follows?
>>
>> diff --git a/target/i386/translate.c b/target/i386/translate.c
>> index 72c1b03a2a..94cf3da719 100644
>> --- a/target/i386/translate.c
>> +++ b/target/i386/translate.c
>> @@ -8235,6 +8235,10 @@ static target_ulong disas_insn(CPUX86State
>> *env, DisasContext *s,
>>      default:
>>          goto unknown_op;
>>      }
>> +    if (s->pc - pc_start > 15) {
>> +        s->pc = pc_start;
>> +        goto illegal_op;
>> +    }
>>      return s->pc;
>>   illegal_op:
>>      gen_illegal_opcode(s);
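Review bot: the added `if (s->pc - pc_start > 15)` check is placed after the opcode switch, i.e. after the ops implementing the instruction have already been emitted into the translation block, so at run time the instruction's side effects are performed before the exception op that gen_illegal_opcode() appends. Resetting `s->pc = pc_start` only changes the fault address reported with the exception; it does not discard the ops already generated. To get the architectural behaviour of a fault with no side effects, the length check needs to run where instruction bytes are fetched (prefix and opcode decoding), before any operation is emitted. Also worth noting that nothing in the hunk handles the `goto unknown_op` path, which bypasses the new check entirely.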
>
> This doesn't look right because it means we'll check
> only after we've emitted all the code to do the
> instruction operation, so the effect will be
> "execute instruction, then take illegal-opcode
> exception".
>

The pc is restored to the original address (s->pc = pc_start), so the
exception will overwrite the generated illegal instruction and will be
executed first.

But yes, it's better to follow the architecture manual.

Thanks,
--
Pranith