From: halfdog <me@halfdog.net>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Software interrupt 0x8 guest crash from userspace: virtualbox emulation or guest kernel bug?
Date: Fri, 17 Aug 2012 20:36:29 +0000
Message-ID: <502EAB4D.90807@halfdog.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have observed a strange guest kernel crash in virtualbox and am
currently trying to understand it. Since I have no real 32-bit Intel
platform any more, I cannot verify that this crash would happen on
native 32-bit also, so perhaps someone could check that. I have also
collected information about the crash [1], but currently fail to
understand why this is happening.
In short: Calling "int 0x8" in an i386 guest on an amd64 host crashes the
guest. It seems that "int 0x8" is handled by a task gate that fails to
initialize "gs" correctly. The crash can be reproduced using [2]; the
same program does not crash the host. Due to lack of test platforms it
is not clear if that only affects VirtualBox guests.
Questions:

* Does this idt entry seem sane or could it be really broken? Code says

  ./arch/x86/kernel/traps.c: set_intr_gate_ist(8, &double_fault, DOUBLEFAULT_STACK);

  which seems consistent with the observed idt setup. I'm not sure about
  privilege levels; is it possible to invoke this interrupt also on
  native systems and cause the same behavior?

* If broken, what is the idt on a native i386 system (not guest) on a real
  32-bit CPU? Could someone with such a system send me: grep "idt_table"
  in System.map, "gdb --core /proc/kcore" and "x/64x [address of
  idt_table]" (see also [1])?

* If broken, why? Same outcome on a native i386 platform?

* If not broken on native: why this interaction with virtualbox?
hd
[1]
http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/
[2]
http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/RtcInt.c
- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAlAuqz8ACgkQxFmThv7tq+6CzwCginL/PMRVIKxRV4YRXtRIRF+O
tO4An2KcZs5caaoTFu+UGJQLtFOrmKpS
=9P33
-----END PGP SIGNATURE-----
Thread overview: 2 messages
2012-08-17 20:36 halfdog [this message]
2012-09-01 6:39 ` Software interrupt 0x8 guest crash from userspace: virtualbox emulation or guest kernel bug? halfdog