[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 02/10] target/i386/tcg: Allow IRET from user mode to user mode wi
|
From: |
Paolo Bonzini |
|
Subject: |
[PATCH 02/10] target/i386/tcg: Allow IRET from user mode to user mode with SMAP |
|
Date: |
Wed, 10 Jul 2024 08:29:12 +0200 |
This fixes a bug wherein i386/tcg assumed an interrupt return using
the IRET instruction was always returning from kernel mode to either
kernel mode or user mode. This assumption is violated when IRET is used
as a clever way to restore thread state, as for example in the dotnet
runtime. There, IRET returns from user mode to user mode.
This bug is that stack accesses from IRET and RETF, as well as accesses
to the parameters in a call gate, are normal data accesses using the
current CPL. This manifested itself as a page fault in the guest Linux
kernel due to SMAP preventing the access.
This bug appears to have been in QEMU since the beginning.
Analyzed-by: Robert R. Henry <rrh.henry@gmail.com>
Co-developed-by: Robert R. Henry <rrh.henry@gmail.com>
Signed-off-by: Robert R. Henry <rrh.henry@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 19d6b41a589..4977a5f5b3a 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -594,13 +594,13 @@ int exception_has_error_code(int intno)
#define POPW_RA(ssp, sp, sp_mask, val, ra) \
{ \
- val = cpu_lduw_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
+ val = cpu_lduw_data_ra(env, (ssp) + (sp & (sp_mask)), ra); \
sp += 2; \
}
#define POPL_RA(ssp, sp, sp_mask, val, ra) \
{ \
- val = (uint32_t)cpu_ldl_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
+ val = (uint32_t)cpu_ldl_data_ra(env, (ssp) + (sp & (sp_mask)), ra); \
sp += 4; \
}
@@ -847,7 +847,7 @@ static void do_interrupt_protected(CPUX86State *env, int
intno, int is_int,
#define POPQ_RA(sp, val, ra) \
{ \
- val = cpu_ldq_kernel_ra(env, sp, ra); \
+ val = cpu_ldq_data_ra(env, sp, ra); \
sp += 8; \
}
@@ -1797,18 +1797,18 @@ void helper_lcall_protected(CPUX86State *env, int
new_cs, target_ulong new_eip,
PUSHL_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
PUSHL_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
for (i = param_count - 1; i >= 0; i--) {
- val = cpu_ldl_kernel_ra(env, old_ssp +
- ((env->regs[R_ESP] + i * 4) &
- old_sp_mask), GETPC());
+ val = cpu_ldl_data_ra(env,
+ old_ssp + ((env->regs[R_ESP] + i * 4)
& old_sp_mask),
+ GETPC());
PUSHL_RA(ssp, sp, sp_mask, val, GETPC());
}
} else {
PUSHW_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
PUSHW_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
for (i = param_count - 1; i >= 0; i--) {
- val = cpu_lduw_kernel_ra(env, old_ssp +
- ((env->regs[R_ESP] + i * 2) &
- old_sp_mask), GETPC());
+ val = cpu_lduw_data_ra(env,
+ old_ssp + ((env->regs[R_ESP] + i *
2) & old_sp_mask),
+ GETPC());
PUSHW_RA(ssp, sp, sp_mask, val, GETPC());
}
}
--
2.45.2
- [PATCH 00/10] target/i386/tcg: fixes for seg_helper.c, Paolo Bonzini, 2024/07/10
- [PATCH 02/10] target/i386/tcg: Allow IRET from user mode to user mode with SMAP,
Paolo Bonzini <=
- [PATCH 01/10] target/i386/tcg: Remove SEG_ADDL, Paolo Bonzini, 2024/07/10
- [PATCH 03/10] target/i386/tcg: use PUSHL/PUSHW for error code, Paolo Bonzini, 2024/07/10
- [PATCH 04/10] target/i386/tcg: Reorg push/pop within seg_helper.c, Paolo Bonzini, 2024/07/10
- [PATCH 05/10] target/i386/tcg: Introduce x86_mmu_index_{kernel_,}pl, Paolo Bonzini, 2024/07/10
- [PATCH 06/10] target/i386/tcg: Compute MMU index once, Paolo Bonzini, 2024/07/10
- [PATCH 07/10] target/i386/tcg: Use DPL-level accesses for interrupts and call gates, Paolo Bonzini, 2024/07/10