Re: [kvm-unit-tests][RFC PATCH] x86: Add a new test case for ret/iret with a nullified segment

[Paolo Bonzini <pbonzini@redhat.com>]

On 16/01/21 15:16, Bin Meng wrote:
> Hi Paolo,
> 
> On Tue, Nov 24, 2020 at 5:12 PM Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>> On 24/11/20 09:33, Bin Meng wrote:
>>> From: Bin Meng <bin.meng@windriver.com>
>>>
>>> This makes up the test case for the following QEMU patch:
>>> http://patchwork.ozlabs.org/project/qemu-devel/patch/1605261378-77971-1-git-send-email-bmeng.cn@gmail.com/
>>>
>>> Note the test case only fails on an unpatched QEMU with "accel=tcg".
>>>
>>> Signed-off-by: Bin Meng <bin.meng@windriver.com>
>>> ---
>>> Sending this as RFC since I am new to kvm-unit-tests
>>>
>>>    x86/emulator.c | 38 ++++++++++++++++++++++++++++++++++++++
>>>    1 file changed, 38 insertions(+)
>>>
>>> diff --git a/x86/emulator.c b/x86/emulator.c
>>> index e46d97e..6100b6d 100644
>>> --- a/x86/emulator.c
>>> +++ b/x86/emulator.c
>>> @@ -6,10 +6,14 @@
>>>    #include "processor.h"
>>>    #include "vmalloc.h"
>>>    #include "alloc_page.h"
>>> +#include "usermode.h"
>>>
>>>    #define memset __builtin_memset
>>>    #define TESTDEV_IO_PORT 0xe0
>>>
>>> +#define MAGIC_NUM 0xdeadbeefdeadbeefUL
>>> +#define GS_BASE 0x400000
>>> +
>>>    static int exceptions;
>>>
>>>    /* Forced emulation prefix, used to invoke the emulator unconditionally.  */
>>> @@ -925,6 +929,39 @@ static void test_sreg(volatile uint16_t *mem)
>>>        write_ss(ss);
>>>    }
>>>
>>> +static uint64_t usr_gs_mov(void)
>>> +{
>>> +    static uint64_t dummy = MAGIC_NUM;
>>> +    uint64_t dummy_ptr = (uint64_t)&dummy;
>>> +    uint64_t ret;
>>> +
>>> +    dummy_ptr -= GS_BASE;
>>> +    asm volatile("mov %%gs:(%%rcx), %%rax" : "=a"(ret): "c"(dummy_ptr) :);
>>> +
>>> +    return ret;
>>> +}
>>> +
>>> +static void test_iret(void)
>>> +{
>>> +    uint64_t val;
>>> +    bool raised_vector;
>>> +
>>> +    /* Update GS base to 4MiB */
>>> +    wrmsr(MSR_GS_BASE, GS_BASE);
>>> +
>>> +    /*
>>> +     * Per the SDM, jumping to user mode via `iret`, which is returning to
>>> +     * outer privilege level, for segment registers (ES, FS, GS, and DS)
>>> +     * if the check fails, the segment selector becomes null.
>>> +     *
>>> +     * In our test case, GS becomes null.
>>> +     */
>>> +    val = run_in_user((usermode_func)usr_gs_mov, GP_VECTOR,
>>> +                      0, 0, 0, 0, &raised_vector);
>>> +
>>> +    report(val == MAGIC_NUM, "Test ret/iret with a nullified segment");
>>> +}
>>> +
>>>    /* Broken emulation causes triple fault, which skips the other tests. */
>>>    #if 0
>>>    static void test_lldt(volatile uint16_t *mem)
>>> @@ -1074,6 +1111,7 @@ int main(void)
>>>        test_shld_shrd(mem);
>>>        //test_lgdt_lidt(mem);
>>>        test_sreg(mem);
>>> +     test_iret();
>>>        //test_lldt(mem);
>>>        test_ltr(mem);
>>>        test_cmov(mem);
>>>
>>
>> Thanks, the patch is good.
> 
> Is this patch applied?
> 
> Regards,
> Bin
> 

Yes, it is.

Paolo