From: Alex ZUEPKE <azuepke@sysgo.com>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH] x86: enforce DPL checking on task gate switches invoked through IDT
Date: Mon, 27 Aug 2012 18:39:38 +0200
Message-ID: <503BA2CA.7030902@sysgo.com>
In-Reply-To: <502E63A3.1040304@sysgo.com>
Ping, no response so far ...
Thanks,
Alex
Alex ZUEPKE wrote:
> Hi,
>
> x86 software emulation (non-KVM mode) does not check privilege levels on
> task gate switches ... so one can invoke a kernel's double fault handler
> from user space -- very bad.
>
> Expected behaviour (testcase works with any linux distribution + gcc):
> $ cat test.c
> int main(void)
> {
>     __asm__ volatile ("int $8");
> }
> $ gcc test.c
> $ ./a.out
> Segmentation fault
> $
> ... and not a kernel panic (double fault)
>
>
> Best Regards,
> Alex
>
> ---
> x86 software emulation (non-KVM mode) does not check privilege
> levels on task gate switches ... so one can invoke a kernel's
> double fault handler from user space.
>
> Signed-off-by: Alex Zuepke <azu@sysgo.com>
> diff --git a/target-i386/seg_helper.c b/target-i386/seg_helper.c
> index 5fff8d5..23c5542 100644
> --- a/target-i386/seg_helper.c
> +++ b/target-i386/seg_helper.c
> @@ -578,12 +578,17 @@ static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
> e2 = cpu_ldl_kernel(env, ptr + 4);
> /* check gate type */
> type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
> + dpl = (e2 >> DESC_DPL_SHIFT) & 3;
> + cpl = env->hflags & HF_CPL_MASK;
> switch (type) {
> case 5: /* task gate */
> /* must do that check here to return the correct error code */
> if (!(e2 & DESC_P_MASK)) {
> raise_exception_err(env, EXCP0B_NOSEG, intno * 8 + 2);
> }
> + /* check privilege if software int */
> + if (is_int && dpl < cpl)
> + raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
> switch_tss(env, intno * 8, e1, e2, SWITCH_TSS_CALL, old_eip);
> if (has_error_code) {
> int type;
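Review bot: the new task-gate check (`if (is_int && dpl < cpl)` / `raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);`) omits the braces that the presence check right above it and the existing check in the next hunk both use; QEMU's coding style requires braces on every `if` body, so checkpatch will flag these two lines. The ordering also deserves a second look: here the privilege check runs after the `DESC_P_MASK` presence check, whereas the SDM's INT n pseudocode raises #GP for gate DPL < CPL before the not-present #NP check, so a user-mode INT aimed at a non-present DPL 0 task gate would get #NP from this code instead of #GP; placing the new check before the presence check would match the architected order.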
> @@ -616,8 +621,6 @@ static void do_interrupt_protected(CPUX86State *env, int intno, int is_int,
> raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
> break;
> }
> - dpl = (e2 >> DESC_DPL_SHIFT) & 3;
> - cpl = env->hflags & HF_CPL_MASK;
> /* check privilege if software int */
> if (is_int && dpl < cpl) {
> raise_exception_err(env, EXCP0D_GPF, intno * 8 + 2);
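Review bot: with these two assignments removed, `dpl` and `cpl` are now set only by the first hunk, before the `switch (type)`; that is fine as long as both stay declared at the top of do_interrupt_protected (the first hunk adds no declarations), so confirm nothing between the old site and the new one declares them in a narrower scope. The comment `/* check privilege if software int */` is now duplicated verbatim in both places; the task-gate copy could instead say why that path needs its own check, namely that `switch_tss` runs inside the `case 5:` branch and never reaches this common one.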
>
>
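The bug described in the quoted mail is easiest to see as a small model of the IDT delivery checks. The following C program is an added illustration written for this page, not QEMU code and not part of the patch: it decodes the type, DPL and present bits of a gate descriptor's high dword the way the hunk does (the shift values are the x86 descriptor layout, restated here so the model is self-contained), applies the checks in the order the SDM gives for INT n, and lets the caller switch the task-gate privilege check on or off so the pre-patch behaviour (a CPL 3 `int $8` reaching a DPL 0 double-fault task gate) can be compared with the fixed one (#GP with error code `8 * 8 + 2`). All function and type names are this model's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Field positions in the high dword (e2) of an 8-byte x86 gate descriptor
 * (Intel SDM vol. 3, gate descriptor format). The names follow QEMU's
 * DESC_* macros but the values are restated here for this stand-alone model. */
#define DESC_TYPE_SHIFT 8          /* 5-bit type field, S bit included */
#define DESC_DPL_SHIFT  13         /* 2-bit descriptor privilege level */
#define DESC_P_MASK     (1u << 15) /* present bit */

#define GATE_TASK   5  /* task gate: delivery switches TSS */
#define GATE_INTR32 14 /* 32-bit interrupt gate */
#define GATE_TRAP32 15 /* 32-bit trap gate */

/* Outcome of trying to deliver a vector through the IDT. */
enum outcome { DELIVERED = 0, FAULT_NP = 11, FAULT_GP = 13 };

struct result {
    enum outcome what;
    int error_code; /* selector error code for #GP/#NP, 0 when delivered */
};

/* Build the high dword of a gate descriptor from its fields (constructed
 * test input, not read from a real IDT). */
uint32_t make_gate(int type, int dpl, int present)
{
    return (present ? DESC_P_MASK : 0) | ((uint32_t)dpl << DESC_DPL_SHIFT)
           | ((uint32_t)type << DESC_TYPE_SHIFT);
}

/* Model of do_interrupt_protected's gate checks.
 *   intno: vector, e2: high dword of its IDT entry, cpl: current privilege
 *   level, is_int: 1 for a software INT n, 0 for a hardware-generated event,
 *   check_task_gate_dpl: 0 reproduces the pre-patch hole, 1 the fix. */
struct result idt_deliver(int intno, uint32_t e2, int cpl, int is_int,
                          int check_task_gate_dpl)
{
    struct result r = { DELIVERED, 0 };
    int type = (e2 >> DESC_TYPE_SHIFT) & 0x1f;
    int dpl = (e2 >> DESC_DPL_SHIFT) & 3;
    int selector_ec = intno * 8 + 2; /* bit 1 set: the selector refers to the IDT */

    switch (type) {
    case GATE_TASK:
    case GATE_INTR32:
    case GATE_TRAP32:
        break;
    default: /* reserved or non-gate type */
        r.what = FAULT_GP;
        r.error_code = selector_ec;
        return r;
    }
    /* SDM order for INT n: gate DPL < CPL raises #GP before the present check.
     * Hardware-generated exceptions and interrupts skip the DPL check. */
    if (is_int && dpl < cpl && (type != GATE_TASK || check_task_gate_dpl)) {
        r.what = FAULT_GP;
        r.error_code = selector_ec;
        return r;
    }
    if (!(e2 & DESC_P_MASK)) {
        r.what = FAULT_NP;
        r.error_code = selector_ec;
        return r;
    }
    return r; /* a real CPU would now switch TSS or push the interrupt frame */
}

int main(void)
{
    /* Vector 8 (#DF) as a present, DPL 0 task gate, as a kernel would install it. */
    uint32_t df_gate = make_gate(GATE_TASK, 0, 1);
    struct result before = idt_deliver(8, df_gate, 3, 1, 0);
    struct result after = idt_deliver(8, df_gate, 3, 1, 1);
    struct result hw = idt_deliver(8, df_gate, 3, 0, 1);

    printf("user int $8, no task-gate DPL check: %s\n",
           before.what == DELIVERED ? "delivered (double fault handler runs)" : "faulted");
    printf("user int $8, with DPL check: #GP error code %d\n", after.error_code);
    printf("hardware #DF with DPL check: %s\n",
           hw.what == DELIVERED ? "delivered" : "faulted");
    return 0;
}
```

The outcome that matters for the bug report is the first one: without the task-gate privilege check a CPL 3 `int $8` is delivered straight to the kernel's double-fault TSS, while with it the model raises #GP with error code 66 (8 * 8 + 2), and a genuine hardware double fault (`is_int == 0`) is still delivered unchanged.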
Thread overview: 6+ messages
2012-08-17 15:30 [Qemu-devel] [PATCH] x86: enforce DPL checking on task gate switches invoked through IDT Alex ZUEPKE
2012-08-27 16:39 ` Alex ZUEPKE [this message]
2012-08-31 16:54 ` Don Slutz
2012-08-31 17:01 ` Peter Maydell
2012-09-01 11:42 ` Blue Swirl
Loose match on Subject: 2012-08-17 9:14 Alex ZUEPKE