Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching

From: Pranith Kumar
Subject: Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching
Date: Wed, 22 Mar 2017 11:14:47 -0400
On Wed, Mar 22, 2017 at 11:04 AM, Peter Maydell
<address@hidden> wrote:
>>
>> How about doing the instruction size check as follows?
>>
>> diff --git a/target/i386/translate.c b/target/i386/translate.c
>> index 72c1b03a2a..94cf3da719 100644
>> --- a/target/i386/translate.c
>> +++ b/target/i386/translate.c
>> @@ -8235,6 +8235,10 @@ static target_ulong disas_insn(CPUX86State
>> *env, DisasContext *s,
>> default:
>> goto unknown_op;
>> }
>> + if (s->pc - pc_start > 15) {
>> + s->pc = pc_start;
>> + goto illegal_op;
>> + }
>> return s->pc;
>> illegal_op:
>> gen_illegal_opcode(s);
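Review bot: the length check `if (s->pc - pc_start > 15)` is placed after the main decode switch, just before `return s->pc;`, so by the time it fires the TCG ops for the instruction's operation have already been emitted into the TB and will execute before the exception raised by `gen_illegal_opcode(s)`; assigning `s->pc = pc_start` changes the fault address but does not remove ops that are already in the buffer. The bound belongs where instruction bytes are fetched (the prefix/opcode decode path), so that decoding is abandoned before anything is emitted, and the magic `15` should be a named constant for the architectural maximum instruction length.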
>
> This doesn't look right because it means we'll check
> only after we've emitted all the code to do the
> instruction operation, so the effect will be
> "execute instruction, then take illegal-opcode
> exception".
>
The pc is restored to the original address (s->pc = pc_start), so the
exception will overwrite the generated illegal instruction and will be
executed first.
But yes, it's better to follow the architecture manual.
Thanks,
--
Pranith
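As an added illustration of the point argued in this exchange (this is example code written for this page, not code from the thread, from the quoted patch, or from QEMU's target/i386/translate.c), the toy decoder below models only an x86 legacy-prefix run followed by one opcode byte and counts "emitted ops" as a stand-in for TCG ops appended to a translation block. `toy_decode_early()` enforces the 15-byte limit at byte-fetch time; `toy_decode_late()` reproduces the shape of the quoted hunk, checking after the operation has been translated and then resetting the pc. All type, function and constant names (`struct toy_ctx`, `X86_MAX_INSN_LEN`, `decode_bytes`, `make_prefixed_nop`) are hypothetical, and the sample byte strings are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural maximum x86 instruction length (hypothetical constant name). */
#define X86_MAX_INSN_LEN 15

enum decode_result { DECODE_OK = 0, DECODE_TOO_LONG = 1, DECODE_TRUNCATED = 2 };

/* Toy translator state, not QEMU's DisasContext. */
struct toy_ctx {
    const uint8_t *code;   /* guest code bytes */
    size_t len;            /* number of bytes available */
    size_t pc_start;       /* first byte of the instruction being decoded */
    size_t pc;             /* next byte to fetch */
    int ops_emitted;       /* stand-in for TCG ops appended to the TB */
};

/* Legacy prefixes: operand/address size, LOCK, REP/REPNE, segment overrides. */
static bool is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67: case 0xf0: case 0xf2: case 0xf3:
    case 0x26: case 0x2e: case 0x36: case 0x3e: case 0x64: case 0x65:
        return true;
    default:
        return false;
    }
}

/* Fetch one byte, refusing to exceed the limit BEFORE any op is emitted. */
static int fetch_u8_bounded(struct toy_ctx *s, uint8_t *out)
{
    if (s->pc - s->pc_start >= X86_MAX_INSN_LEN) {
        return DECODE_TOO_LONG;
    }
    if (s->pc >= s->len) {
        return DECODE_TRUNCATED;
    }
    *out = s->code[s->pc++];
    return DECODE_OK;
}

/* Check-at-fetch: an over-long instruction never reaches op emission. */
static int toy_decode_early(struct toy_ctx *s)
{
    uint8_t b;
    s->pc = s->pc_start;
    for (;;) {
        int r = fetch_u8_bounded(s, &b);
        if (r != DECODE_OK) {
            return r;            /* nothing has been emitted yet */
        }
        if (!is_legacy_prefix(b)) {
            break;               /* b is the opcode byte */
        }
    }
    s->ops_emitted++;            /* only now is the operation translated */
    return DECODE_OK;
}

/* Check-after-decode, in the shape of the quoted hunk: the ops for the
   operation are already emitted when the length test runs. */
static int toy_decode_late(struct toy_ctx *s)
{
    uint8_t b;
    s->pc = s->pc_start;
    for (;;) {
        if (s->pc >= s->len) {
            return DECODE_TRUNCATED;
        }
        b = s->code[s->pc++];
        if (!is_legacy_prefix(b)) {
            break;
        }
    }
    s->ops_emitted++;            /* instruction's ops are now in the TB... */
    if (s->pc - s->pc_start > X86_MAX_INSN_LEN) {
        s->pc = s->pc_start;     /* ...and resetting pc does not remove them */
        return DECODE_TOO_LONG;
    }
    return DECODE_OK;
}

/* Decode `code` with either strategy and report how many ops were emitted. */
int decode_bytes(const uint8_t *code, size_t len, bool check_late, int *ops_emitted)
{
    struct toy_ctx s = { code, len, 0, 0, 0 };
    int r = check_late ? toy_decode_late(&s) : toy_decode_early(&s);
    *ops_emitted = s.ops_emitted;
    return r;
}

/* Constructed sample: `nprefix` 0x66 prefixes followed by a 0x90 NOP. */
size_t make_prefixed_nop(uint8_t *buf, size_t nprefix)
{
    for (size_t i = 0; i < nprefix; i++) {
        buf[i] = 0x66;
    }
    buf[nprefix] = 0x90;
    return nprefix + 1;
}

int main(void)
{
    uint8_t buf[32];
    int ops;
    size_t n = make_prefixed_nop(buf, 15);   /* 16 bytes: one over the limit */
    printf("early: result=%d ops=%d\n", decode_bytes(buf, n, false, &ops), ops);
    printf("late:  result=%d ops=%d\n", decode_bytes(buf, n, true, &ops), ops);
    return 0;
}
```

With a 16-byte instruction both strategies report DECODE_TOO_LONG, but only the late check has already emitted the operation's ops, which is exactly the "execute instruction, then take illegal-opcode exception" ordering Peter describes; a 15-byte instruction is accepted by both.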
- [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Jann Horn, 2017/03/20
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Peter Maydell, 2017/03/20
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Pranith Kumar, 2017/03/22
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Peter Maydell, 2017/03/22
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Pranith Kumar <=
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Peter Maydell, 2017/03/22
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Pranith Kumar, 2017/03/22
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Richard Henderson, 2017/03/22
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Paolo Bonzini, 2017/03/23
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Pranith Kumar, 2017/03/23
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Paolo Bonzini, 2017/03/23
- Re: [Qemu-devel] [BUG] user-to-root privesc inside VM via bad translation caching, Pranith Kumar, 2017/03/23