Re: [PATCH 2/6] KVM: x86: Stack size is overridden by __linearize

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: Nadav Amit <namit@cs.technion.ac.il>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH 2/6] KVM: x86: Stack size is overridden by __linearize
Date: Wed, 19 Nov 2014 18:17:42 +0100	[thread overview]
Message-ID: <546CD0B6.8030008@redhat.com> (raw)
In-Reply-To: <1416411793-22244-3-git-send-email-namit@cs.technion.ac.il>



On 19/11/2014 16:43, Nadav Amit wrote:
> When performing segmented-read/write in the emulator for stack operations, it
> ignores the stack size, and uses the ad_bytes as indication for the pointer
> size. As a result, a wrong address may be accessed.
> 
> To fix this behavior, we can remove the masking of address in __linearize and
> perform it beforehand.  It is already done for the operands (so currently it is
> inefficiently done twice). It is missing in two cases:
> 1. When using rip_relative
> 2. On fetch_bit_operand that changes the address.
> 
> This patch masks the address on these two occassions, and removes the masking
> from __linearize.
> 
> Note that it does not mask EIP during fetch. In protected/legacy mode code
> fetch when RIP >= 2^32 should result in #GP and not wrap-around. Since we make
> limit checks within __linearize, this is the expected behavior.

Partial revert of commit 518547b32ab4 (KVM: x86: Emulator does not
calculate address correctly, 2014-09-30).

Paolo


> Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
> ---
>  arch/x86/kvm/emulate.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 5d47714..1317560 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -665,8 +665,7 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
>  	u16 sel;
>  	unsigned cpl;
>  
> -	la = seg_base(ctxt, addr.seg) +
> -	    (fetch || ctxt->ad_bytes == 8 ? addr.ea : (u32)addr.ea);
> +	la = seg_base(ctxt, addr.seg) + addr.ea;
>  	*max_size = 0;
>  	switch (ctxt->mode) {
>  	case X86EMUL_MODE_PROT64:
> @@ -1289,7 +1288,8 @@ static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt)
>  		else
>  			sv = (s64)ctxt->src.val & (s64)mask;
>  
> -		ctxt->dst.addr.mem.ea += (sv >> 3);
> +		ctxt->dst.addr.mem.ea = address_mask(ctxt,
> +					   ctxt->dst.addr.mem.ea + (sv >> 3));
>  	}
>  
>  	/* only subword offset */
> @@ -4638,7 +4638,8 @@ done_prefixes:
>  	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
>  
>  	if (ctxt->rip_relative)
> -		ctxt->memopp->addr.mem.ea += ctxt->_eip;
> +		ctxt->memopp->addr.mem.ea = address_mask(ctxt,
> +					ctxt->memopp->addr.mem.ea + ctxt->_eip);
>  
>  done:
>  	return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
>

next prev parent reply	other threads:[~2014-11-19 17:20 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-19 15:43 [PATCH 0/6] KVM: x86: __linearize emulator fixes and minor cleanup Nadav Amit
2014-11-19 15:43 ` [PATCH 1/6] KVM: x86: Revert NoBigReal patch in the emulator Nadav Amit
2014-11-19 15:43 ` [PATCH 2/6] KVM: x86: Stack size is overridden by __linearize Nadav Amit
2014-11-19 17:17   ` Paolo Bonzini [this message]
2014-11-19 15:43 ` [PATCH 3/6] KVM: x86: Emulator performs privilege checks on __linearize Nadav Amit
2014-11-19 15:43 ` [PATCH 4/6] KVM: x86: Perform limit checks when assigning EIP Nadav Amit
2014-11-19 15:43 ` [PATCH 5/6] KVM: x86: Non-canonical access using SS should cause #SS Nadav Amit
2014-11-19 15:43 ` [PATCH 6/6] KVM: x86: Move __linearize masking of la into switch Nadav Amit
2014-11-19 18:47 ` [PATCH 0/6] KVM: x86: __linearize emulator fixes and minor cleanup Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=546CD0B6.8030008@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=kvm@vger.kernel.org \
    --cc=namit@cs.technion.ac.il \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.