From: Paolo Bonzini
Subject: Re: [PATCH] Xen: fix various checks of unsigned integers < 0
Date: Fri, 29 Oct 2010 23:23:07 +0200
Message-ID: <4CCB3B3B.3080801@redhat.com>
References: <20101029140219.GD11016@whitby.uk.xensource.com> <2e35ec26-1314-4f30-b172-fbd9b08134c9@default>
In-Reply-To: <2e35ec26-1314-4f30-b172-fbd9b08134c9@default>
To: Dan Magenheimer
Cc: xen-devel@lists.xensource.com, Tim Deegan
List-Id: xen-devel@lists.xenproject.org

On 10/29/2010 05:38 PM, Dan Magenheimer wrote:
> Wow, I wonder how many times this code has executed
> and returned the wrong (incorrectly sign-extended) value?

Probably never---which doesn't make the fix worthless, but is still never. :)

The emulator is mostly used for real mode and MMIO, but this is long-mode code (which rules out real mode) and the CQO instruction doesn't access memory (which rules out MMIO). To trigger the bug you probably have to cause a race between a thread doing MMIO and a thread replacing the MMIO instruction with a CQO.

It can be done fairly reliably on KVM; until they were patched, this trick allowed one to exploit emulator bugs and go from guest-ring3 to guest-ring0.

Paolo
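As an added illustration following the thread (this is not code from the Xen emulator or from anyone in the thread), here is the bug class the patch subject names, in C: a CQO-style sign extension that tests an unsigned operand with `< 0`. The comparison is always false for unsigned types, so the high half never becomes all-ones for a negative input, which is exactly the "incorrectly sign-extended value" Dan asks about. That the emulator's CQO path had precisely this shape is an assumption made for the example; the function names and the sample inputs are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Buggy form (assumed shape of the pre-patch code, not Xen's actual source):
 * rax is unsigned, so "rax < 0" can never be true and rdx stays 0.
 * With a literal 0 on the right-hand side, GCC/Clang report this under
 * -Wtype-limits ("comparison of unsigned expression < 0 is always false");
 * a non-constant bound, as below, slips past that warning, which is why a
 * review should look for the pattern and not rely on the compiler alone. */
static uint64_t cqo_buggy(uint64_t rax)
{
    uint64_t zero = 0;
    uint64_t rdx = 0;
    if (rax < zero)          /* always false for unsigned operands */
        rdx = ~0ULL;
    return rdx;
}

/* Fixed form: decide the sign from bit 63 explicitly. */
static uint64_t cqo_fixed(uint64_t rax)
{
    return (rax & (1ULL << 63)) ? ~0ULL : 0;
}

/* Equivalent fixed form that mirrors what the hardware does:
 * RDX = RAX >> 63 with an arithmetic (sign-propagating) shift.
 * Arithmetic right shift of a negative signed value is implementation-
 * defined in ISO C, but every mainstream x86 compiler implements it. */
static uint64_t cqo_fixed_shift(uint64_t rax)
{
    return (uint64_t)((int64_t)rax >> 63);
}

int main(void)
{
    /* Constructed inputs: a negative 64-bit value and a positive one. */
    const uint64_t samples[] = { 0x8000000000000000ULL, 0x0000000000000005ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("rax=%016llx  buggy rdx=%016llx  fixed rdx=%016llx  shift rdx=%016llx\n",
               (unsigned long long)samples[i],
               (unsigned long long)cqo_buggy(samples[i]),
               (unsigned long long)cqo_fixed(samples[i]),
               (unsigned long long)cqo_fixed_shift(samples[i]));
    }
    return 0;
}
```

The practical check a reviewer wants is the one the compiler offers for free: build with `-Wextra` (which enables `-Wtype-limits`) and treat "comparison is always false" as a defect, since the only reason to write such a check is that the author believed the variable could be negative.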