From mboxrd@z Thu Jan 1 00:00:00 1970
From: Gleb Natapov
Subject: Re: [PATCH kvm-unit-tests] emulator: test 64-bit mov with immediate operand
Date: Thu, 13 Dec 2012 23:26:36 +0200
Message-ID: <20121213212636.GL29003@redhat.com>
References: <1355400716-21359-1-git-send-email-pbonzini@redhat.com>
 <20121213122418.GA11016@redhat.com>
 <20121213204526.GA1529@amt.cnet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Paolo Bonzini , kvm@vger.kernel.org, Nadav Amit
To: Marcelo Tosatti
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:44946 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756286Ab2LMV0i (ORCPT ); Thu, 13 Dec 2012 16:26:38 -0500
Content-Disposition: inline
In-Reply-To: <20121213204526.GA1529@amt.cnet>
Sender: kvm-owner@vger.kernel.org
List-ID:

On Thu, Dec 13, 2012 at 06:45:26PM -0200, Marcelo Tosatti wrote:
> On Thu, Dec 13, 2012 at 02:24:18PM +0200, Gleb Natapov wrote:
> > On Thu, Dec 13, 2012 at 01:11:55PM +0100, Paolo Bonzini wrote:
> > > The MOV immediate instruction (opcodes 0xB8-0xBF) may take a 64-bit operand.
> > > Some hypervisor implementations assumed the operand is 32-bit. This
> > > should never happen because the instruction has no memory operand, but
> > > (like the existing test_mmx_movq_mf) the testcase tricks the emulator
> > > into executing one by mismatching the page tables and the corresponding
> > > TLB entry.
> > >
> > BTW how was the bug found? Why was the instruction emulated at all? Maybe
> > there is a bug somewhere that makes KVM emulate something it should not.
>
> During the switch to protected mode. SS.DPL=3, SS.RPL=0.

Yes, looks like a bug. We set SS.DPL to 3 to enter vm86 and this leaks to
protected mode. There are a lot of those. I am trying to fix this mess.

--
			Gleb.
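As an added illustration of the operand-size point in Paolo's patch description (this is example code written for this page, not the kvm-unit-tests patch and not KVM's emulator), the decoder below shows how a MOV r, imm in 64-bit mode has to size its immediate: a REX.W prefix selects an imm64, while an emulator that always reads 32 bits decodes the instruction too short and writes only the low half of the register, leaving the remaining immediate bytes in the stream as if they were the next instruction. The byte sequences are constructed samples, and `decode_mov_imm`, `apply_mov_imm`, `honour_rex_w` and the helper names are the example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one MOV r, imm instruction (opcodes 0xB8..0xBF). */
struct mov_imm {
    int      reg;     /* destination register 0..15 (REX.B extends it) */
    int      opsize;  /* operand size in bytes: 2, 4 or 8 */
    uint64_t imm;     /* immediate, zero-extended to 64 bits */
    size_t   len;     /* total instruction length in bytes */
};

/*
 * Decode a MOV r, imm in 64-bit mode from buf[0..n).
 * honour_rex_w == 1 is the correct decoder: REX.W selects a 64-bit immediate.
 * honour_rex_w == 0 reproduces the mistake the patch tests for: the immediate
 * is always read as 32 bits, so a REX.W-prefixed MOV is decoded too short.
 * Returns 0 on success, -1 if the bytes are not a MOV imm or n is too small.
 */
int decode_mov_imm(const uint8_t *buf, size_t n, int honour_rex_w,
                   struct mov_imm *out)
{
    size_t i = 0;
    int opsize = 4, rex_w = 0, rex_b = 0;

    if (i < n && buf[i] == 0x66) { opsize = 2; i++; }   /* operand-size override */
    if (i < n && (buf[i] & 0xF0) == 0x40) {             /* REX prefix 0x40..0x4F */
        rex_w = (buf[i] >> 3) & 1;
        rex_b = buf[i] & 1;
        i++;
    }
    if (i >= n || buf[i] < 0xB8 || buf[i] > 0xBF)
        return -1;
    out->reg = (buf[i] - 0xB8) | (rex_b << 3);
    i++;
    if (rex_w && honour_rex_w)
        opsize = 8;                                     /* REX.W overrides 0x66 */
    if (n - i < (size_t)opsize)
        return -1;

    uint64_t imm = 0;
    for (int k = 0; k < opsize; k++)                    /* little-endian immediate */
        imm |= (uint64_t)buf[i + k] << (8 * k);

    out->opsize = opsize;
    out->imm = imm;
    out->len = i + opsize;
    return 0;
}

/* Commit the decoded MOV to a 16-entry register file with 64-bit-mode
 * semantics: 16-bit writes keep the upper bits, 32-bit writes zero-extend
 * into the full 64-bit register, 64-bit writes replace it entirely. */
void apply_mov_imm(uint64_t regs[16], const struct mov_imm *m)
{
    switch (m->opsize) {
    case 2:  regs[m->reg] = (regs[m->reg] & ~(uint64_t)0xFFFF) | m->imm; break;
    case 4:  regs[m->reg] = (uint32_t)m->imm; break;
    default: regs[m->reg] = m->imm; break;
    }
}

/* Constructed sample: REX.W + MOV RAX, 0x12345678DEADBEEF (10 bytes). */
static const uint8_t sample_movabs[] = {
    0x48, 0xB8, 0xEF, 0xBE, 0xAD, 0xDE, 0x78, 0x56, 0x34, 0x12 };
/* Constructed sample: MOV ECX, 42 (5 bytes, no REX). */
static const uint8_t sample_mov32[] = { 0xB9, 0x2A, 0x00, 0x00, 0x00 };
/* Constructed sample: 0x66 + REX.B + MOV R15W, 0x1234 (5 bytes). */
static const uint8_t sample_mov16[] = { 0x66, 0x41, 0xBF, 0x34, 0x12 };

/* Single-value helpers: the decoded immediate (UINT64_MAX on failure)
 * and the decoded instruction length (0 on failure). */
uint64_t immediate_of(const uint8_t *buf, size_t n, int honour_rex_w)
{
    struct mov_imm m;
    return decode_mov_imm(buf, n, honour_rex_w, &m) == 0 ? m.imm : UINT64_MAX;
}
size_t length_of(const uint8_t *buf, size_t n, int honour_rex_w)
{
    struct mov_imm m;
    return decode_mov_imm(buf, n, honour_rex_w, &m) == 0 ? m.len : 0;
}

/* Run the movabs sample through the chosen decoder and return the value
 * left in RAX; the 32-bit-only decoder leaves just the low half. */
uint64_t rax_after_movabs(int honour_rex_w)
{
    uint64_t regs[16] = {0};
    struct mov_imm m;
    if (decode_mov_imm(sample_movabs, sizeof sample_movabs, honour_rex_w, &m))
        return UINT64_MAX;
    apply_mov_imm(regs, &m);
    return regs[0];
}

int main(void)
{
    printf("correct RAX = 0x%016llx, 32-bit-only RAX = 0x%016llx\n",
           (unsigned long long)rax_after_movabs(1),
           (unsigned long long)rax_after_movabs(0));
    return 0;
}
```

The length mismatch is the part worth noticing from a correctness standpoint: a decoder that reads only four immediate bytes for the movabs sample reports a 6-byte instruction, so the emulator would resume guest execution in the middle of the real instruction's immediate.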