From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marcelo Tosatti <mtosatti@redhat.com>
Subject: Re: [PATCH] VMX: Fix and improve guest state validity checks
Date: Wed, 12 May 2010 22:52:58 -0300
Message-ID: <20100513015258.GA32674@amt.cnet>
References: <1273596761-29923-1-git-send-email-m.gamal005@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: avi@redhat.com, kvm@vger.kernel.org
To: Mohammed Gamal <m.gamal005@gmail.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:4956 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752641Ab0EMCky (ORCPT <rfc822;kvm@vger.kernel.org>);
	Wed, 12 May 2010 22:40:54 -0400
Content-Disposition: inline
In-Reply-To: <1273596761-29923-1-git-send-email-m.gamal005@gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On Tue, May 11, 2010 at 07:52:41PM +0300, Mohammed Gamal wrote:
> - Add 's' and 'g' field checks on segment registers
> - Correct SS checks for request and descriptor privilege levels
> 
> Signed-off-by: Mohammed Gamal <m.gamal005@gmail.com>
> ---
>  arch/x86/kvm/vmx.c |   73 +++++++++++++++++++++++++++++++++++++++++++++++----
>  1 files changed, 67 insertions(+), 6 deletions(-)
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 777e00d..9805c2a 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -2121,16 +2121,30 @@ static bool stack_segment_valid(struct kvm_vcpu *vcpu)
>  	vmx_get_segment(vcpu, &ss, VCPU_SREG_SS);
>  	ss_rpl = ss.selector & SELECTOR_RPL_MASK;
>  
> -	if (ss.unusable)
> +	if (ss.dpl != ss_rpl) /* DPL != RPL */
> +		return false;
> +
> +	if (ss.unusable) /* Short-circuit */
>  		return true;
> +
>  	if (ss.type != 3 && ss.type != 7)
>  		return false;
>  	if (!ss.s)
>  		return false;
> -	if (ss.dpl != ss_rpl) /* DPL != RPL */
> -		return false;
>  	if (!ss.present)
>  		return false;
> +	if (ss.limit & 0xfff00000) {

0x1fff limit and g==1 is valid, for example.

> +                if ((ss.limit & 0xfff) < 0xfff)
> +                        return false;
> +                if (!ss.g)
> +                        return false;
> +        } else {
> +                if ((ss.limit & 0xfff) == 0xfff)
> +                        return false;

!g segments can be up to 1Mbyte in size, and byte granular.

Please send as separate patches. Also, the limit checks could
be in a helper function since they are shared.