[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 13/20] target/i386/tcg: Allow IRET from user mode to user mode wit
|
From: |
Paolo Bonzini |
|
Subject: |
[PULL 13/20] target/i386/tcg: Allow IRET from user mode to user mode with SMAP |
|
Date: |
Wed, 17 Jul 2024 07:03:23 +0200 |
This fixes a bug wherein i386/tcg assumed an interrupt return using
the IRET instruction was always returning from kernel mode to either
kernel mode or user mode. This assumption is violated when IRET is used
as a clever way to restore thread state, as for example in the dotnet
runtime. There, IRET returns from user mode to user mode.
This bug is that stack accesses from IRET and RETF, as well as accesses
to the parameters in a call gate, are normal data accesses using the
current CPL. This manifested itself as a page fault in the guest Linux
kernel due to SMAP preventing the access.
This bug appears to have been in QEMU since the beginning.
Analyzed-by: Robert R. Henry <rrh.henry@gmail.com>
Co-developed-by: Robert R. Henry <rrh.henry@gmail.com>
Signed-off-by: Robert R. Henry <rrh.henry@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/seg_helper.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index 19d6b41a589..224e73e9ed0 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -594,13 +594,13 @@ int exception_has_error_code(int intno)
#define POPW_RA(ssp, sp, sp_mask, val, ra) \
{ \
- val = cpu_lduw_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
+ val = cpu_lduw_data_ra(env, (ssp) + (sp & (sp_mask)), ra); \
sp += 2; \
}
#define POPL_RA(ssp, sp, sp_mask, val, ra) \
{ \
- val = (uint32_t)cpu_ldl_kernel_ra(env, (ssp) + (sp & (sp_mask)), ra); \
+ val = (uint32_t)cpu_ldl_data_ra(env, (ssp) + (sp & (sp_mask)), ra); \
sp += 4; \
}
@@ -847,7 +847,7 @@ static void do_interrupt_protected(CPUX86State *env, int
intno, int is_int,
#define POPQ_RA(sp, val, ra) \
{ \
- val = cpu_ldq_kernel_ra(env, sp, ra); \
+ val = cpu_ldq_data_ra(env, sp, ra); \
sp += 8; \
}
@@ -1797,18 +1797,18 @@ void helper_lcall_protected(CPUX86State *env, int
new_cs, target_ulong new_eip,
PUSHL_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
PUSHL_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
for (i = param_count - 1; i >= 0; i--) {
- val = cpu_ldl_kernel_ra(env, old_ssp +
- ((env->regs[R_ESP] + i * 4) &
- old_sp_mask), GETPC());
+ val = cpu_ldl_data_ra(env,
+ old_ssp + ((env->regs[R_ESP] + i *
4) & old_sp_mask),
+ GETPC());
PUSHL_RA(ssp, sp, sp_mask, val, GETPC());
}
} else {
PUSHW_RA(ssp, sp, sp_mask, env->segs[R_SS].selector, GETPC());
PUSHW_RA(ssp, sp, sp_mask, env->regs[R_ESP], GETPC());
for (i = param_count - 1; i >= 0; i--) {
- val = cpu_lduw_kernel_ra(env, old_ssp +
- ((env->regs[R_ESP] + i * 2) &
- old_sp_mask), GETPC());
+ val = cpu_lduw_data_ra(env,
+ old_ssp + ((env->regs[R_ESP] + i *
2) & old_sp_mask),
+ GETPC());
PUSHW_RA(ssp, sp, sp_mask, val, GETPC());
}
}
--
2.45.2
- [PULL 03/20] cpu: Free queued CPU work, (continued)
- [PULL 03/20] cpu: Free queued CPU work, Paolo Bonzini, 2024/07/17
- [PULL 02/20] Revert "qemu-char: do not operate on sources from finalize callbacks", Paolo Bonzini, 2024/07/17
- [PULL 04/20] disas: Fix build against Capstone v6, Paolo Bonzini, 2024/07/17
- [PULL 06/20] scsi: fix regression and honor bootindex again for legacy drives, Paolo Bonzini, 2024/07/17
- [PULL 07/20] qemu/timer: Add host ticks function for LoongArch, Paolo Bonzini, 2024/07/17
- [PULL 05/20] hw/scsi/lsi53c895a: bump instruction limit in scripts processing to fix regression, Paolo Bonzini, 2024/07/17
- [PULL 09/20] hpet: fix clamping of period, Paolo Bonzini, 2024/07/17
- [PULL 08/20] docs: Update description of 'user=username' for '-run-with', Paolo Bonzini, 2024/07/17
- [PULL 11/20] target/i386/tcg: fix POP to memory in long mode, Paolo Bonzini, 2024/07/17
- [PULL 10/20] hpet: fix HPET_TN_SETVAL for high 32-bits of the comparator, Paolo Bonzini, 2024/07/17
- [PULL 13/20] target/i386/tcg: Allow IRET from user mode to user mode with SMAP,
Paolo Bonzini <=
- [PULL 14/20] target/i386/tcg: use PUSHL/PUSHW for error code, Paolo Bonzini, 2024/07/17
- [PULL 15/20] target/i386/tcg: Reorg push/pop within seg_helper.c, Paolo Bonzini, 2024/07/17
- [PULL 18/20] target/i386/tcg: check for correct busy state before switching to a new task, Paolo Bonzini, 2024/07/17
- [PULL 20/20] target/i386/tcg: save current task state before loading new one, Paolo Bonzini, 2024/07/17
- [PULL 16/20] target/i386/tcg: Introduce x86_mmu_index_{kernel_,}pl, Paolo Bonzini, 2024/07/17
- [PULL 19/20] target/i386/tcg: use X86Access for TSS access, Paolo Bonzini, 2024/07/17
- [PULL 17/20] target/i386/tcg: Compute MMU index once, Paolo Bonzini, 2024/07/17
- [PULL 12/20] target/i386/tcg: Remove SEG_ADDL, Paolo Bonzini, 2024/07/17
- Re: [PULL 00/20] i386, bugfix changes for QEMU 9.1 soft freeze, Richard Henderson, 2024/07/17