* wrong placement of RIP-relative address computing
From: Li, Xin @ 2011-06-16 8:33 UTC (permalink / raw)
To: kvm@vger.kernel.org
Avi,
I met a wrong address from instruction emulation, and it corrupted the
guest page table silently. It seems it's caused by eip, which has not
reached the next instruction. In my case, eip was pointing to the immediate
data of the current instruction.
I used the patch below to fix it, but I didn't further check other logic. Can
you please take a look?
Thanks!
-Xin
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 6df88c7..e269d20 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -3547,9 +3547,6 @@ done_prefixes:
if (memop.type == OP_MEM && c->ad_bytes != 8)
memop.addr.mem.ea = (u32)memop.addr.mem.ea;
- if (memop.type == OP_MEM && c->rip_relative)
- memop.addr.mem.ea += c->eip;
-
/*
* Decode and fetch the source operand: register, memory
* or immediate.
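Review bot: the deletion is correct, but the patch carries no commit message saying why; state that at this point c->eip has only advanced past the ModRM byte and the displacement, so for an instruction that also carries an immediate it still points inside the current instruction rather than at the next one, which is what RIP-relative addressing is relative to.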
@@ -3704,6 +3701,9 @@ done_prefixes:
}
done:
+ if (memop.type == OP_MEM && c->rip_relative)
+ memop.addr.mem.ea += c->eip;
+
return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED : EMULATION_OK;
}
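Review bot: putting the adjustment under `done:` only covers paths that actually reach that label; any early `return` inside the operand-decoding switch above it (Avi's reply points at a "return 0" there) skips the block, leaving memop.addr.mem.ea unadjusted for those instructions. Either route those returns through `done:` or apply the `memop.addr.mem.ea += c->eip` once right after the last immediate has been fetched. Note also that `done:` is reached on the X86EMUL_UNHANDLEABLE path, so the add then runs on an ea that is discarded; harmless, but worth a comment.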
* RE: wrong placement of RIP-relative address computing
From: Li, Xin @ 2011-06-16 11:00 UTC (permalink / raw)
To: Li, Xin, kvm@vger.kernel.org
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 6df88c7..e269d20 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -3547,9 +3547,6 @@ done_prefixes:
> if (memop.type == OP_MEM && c->ad_bytes != 8)
> memop.addr.mem.ea = (u32)memop.addr.mem.ea;
>
> - if (memop.type == OP_MEM && c->rip_relative)
> - memop.addr.mem.ea += c->eip;
> -
> /*
> * Decode and fetch the source operand: register, memory
> * or immediate.
> @@ -3704,6 +3701,9 @@ done_prefixes:
> }
>
> done:
It's not correct to move here, I saw some other problem.
> + if (memop.type == OP_MEM && c->rip_relative)
> + memop.addr.mem.ea += c->eip;
> +
> return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED :
> EMULATION_OK;
* Re: wrong placement of RIP-relative address computing
From: Avi Kivity @ 2011-06-19 11:38 UTC (permalink / raw)
To: Li, Xin; +Cc: kvm@vger.kernel.org
On 06/16/2011 02:00 PM, Li, Xin wrote:
> > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> > index 6df88c7..e269d20 100644
> > --- a/arch/x86/kvm/emulate.c
> > +++ b/arch/x86/kvm/emulate.c
> > @@ -3547,9 +3547,6 @@ done_prefixes:
> > if (memop.type == OP_MEM&& c->ad_bytes != 8)
> > memop.addr.mem.ea = (u32)memop.addr.mem.ea;
> >
> > - if (memop.type == OP_MEM&& c->rip_relative)
> > - memop.addr.mem.ea += c->eip;
> > -
> > /*
> > * Decode and fetch the source operand: register, memory
> > * or immediate.
> > @@ -3704,6 +3701,9 @@ done_prefixes:
> > }
> >
> > done:
>
> It's not correct to move here, I saw some other problem.
>
> > + if (memop.type == OP_MEM&& c->rip_relative)
> > + memop.addr.mem.ea += c->eip;
> > +
> > return (rc == X86EMUL_UNHANDLEABLE) ? EMULATION_FAILED :
> > EMULATION_OK;
>
There's the "return 0" in the previous switch, but otherwise I think
it's correct. We didn't take into account the complete instruction length.
--
error compiling committee.c: too many arguments to function
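As an added illustration of the point the thread settles on (example code, not KVM's emulate.c), the decoder below handles one RIP-relative form and computes the effective address both ways: with the displacement added to eip right after ModRM and disp32 are fetched, as the old code did, and with it added once the complete instruction length is known, as the patch does. The two sample instructions, their bytes and the start addresses are constructed; the function and struct names are this example's own.

```c
#include <stdint.h>
/* Added example, not KVM code: decode one RIP-relative instruction and
 * compute its effective address both ways discussed in the thread. */
struct rip_ea {
    uint64_t ea_at_memop; /* disp added to eip just after ModRM+disp32 (old placement) */
    uint64_t ea_at_done;  /* disp added to eip after the full instruction (patched) */
    int      len;         /* complete instruction length in bytes */
};

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Handles only the [rip+disp32] form (ModRM mod=00, rm=101) of two opcodes:
 *   8B /r  mov r32, r/m32    - no immediate
 *   C7 /0  mov r/m32, imm32  - imm32 follows the displacement
 * 'start' is the guest RIP of the first byte. Returns 0 for anything else. */
int decode_rip_relative(const uint8_t *insn, uint64_t start, struct rip_ea *out)
{
    uint8_t op = insn[0], modrm = insn[1];
    int i = 2;                                 /* bytes fetched so far */
    int32_t disp;
    if ((modrm & 0xc7) != 0x05)
        return 0;                              /* not RIP-relative */
    if (op != 0x8b && !(op == 0xc7 && (modrm & 0x38) == 0))
        return 0;                              /* opcode not modelled */
    disp = read_le32(insn + i);
    i += 4;
    /* Old placement: eip has only advanced past ModRM and disp32, so for
     * C7 it still points at the immediate, as Xin observed. */
    out->ea_at_memop = start + i + (int64_t)disp;
    if (op == 0xc7)
        i += 4;                                /* consume imm32 */
    /* Patched placement: eip is now the next instruction's address. */
    out->ea_at_done = start + i + (int64_t)disp;
    out->len = i;
    return 1;
}

/* Constructed samples: mov eax,[rip+0x10] and mov dword [rip-0x10],1 */
static const uint8_t mov_load[]  = {0x8b, 0x05, 0x10, 0, 0, 0};
static const uint8_t mov_store[] = {0xc7, 0x05, 0xf0, 0xff, 0xff, 0xff, 1, 0, 0, 0};

uint64_t ea_old(const uint8_t *insn, uint64_t start)
{ struct rip_ea r; return decode_rip_relative(insn, start, &r) ? r.ea_at_memop : 0; }
uint64_t ea_new(const uint8_t *insn, uint64_t start)
{ struct rip_ea r; return decode_rip_relative(insn, start, &r) ? r.ea_at_done : 0; }
```

For the load without an immediate both placements agree; for the store with imm32 the old placement lands 4 bytes short, the size of the immediate that eip had not yet stepped over.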