motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-05 00:33:55 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

target/i386: check validity of VMCB addresses

Browse source 
MSR_VM_HSAVE_PA bits 0-11 are reserved, as are the bits above the
maximum physical address width of the processor.  Setting them to
1 causes a #GP (see "15.30.4 VM_HSAVE_PA MSR" in the AMD manual).

The same is true of VMCB addresses passed to VMRUN/VMLOAD/VMSAVE,
even though the manual is not clear on that.

Cc: qemu-stable@nongnu.org
Fixes: 4a1e9d4d11 ("target/i386: Use atomic operations for pte updates", 2022-10-18)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Paolo Bonzini 2023-12-22 17:47:38 +01:00
parent 68fb78d7d5
commit d09c79010f
2 changed files with 24 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
target/i386/tcg/sysemu/misc_helper.c
View file

@ -212,6 +212,9 @@ void helper_wrmsr(CPUX86State *env)
tlb_flush(cs); tlb_flush(cs);
break; break;
case MSR_VM_HSAVE_PA: case MSR_VM_HSAVE_PA:
if (val & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
goto error;
}
env->vm_hsave = val; env->vm_hsave = val;
break; break;
#ifdef TARGET_X86_64 #ifdef TARGET_X86_64

27
target/i386/tcg/sysemu/svm_helper.c
View file

@ -164,14 +164,19 @@ void helper_vmrun(CPUX86State *env, int aflag, int next_eip_addend)
uint64_t new_cr3; uint64_t new_cr3;
uint64_t new_cr4; uint64_t new_cr4;
cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
if (aflag == 2) { if (aflag == 2) {
addr = env->regs[R_EAX]; addr = env->regs[R_EAX];
} else { } else {
addr = (uint32_t)env->regs[R_EAX]; addr = (uint32_t)env->regs[R_EAX];
} }
/* Exceptions are checked before the intercept. */
if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
}
cpu_svm_check_intercept_param(env, SVM_EXIT_VMRUN, 0, GETPC());
qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmrun! " TARGET_FMT_lx "\n", addr); qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmrun! " TARGET_FMT_lx "\n", addr);
env->vm_vmcb = addr; env->vm_vmcb = addr;
@ -463,14 +468,19 @@ void helper_vmload(CPUX86State *env, int aflag)
int mmu_idx = MMU_PHYS_IDX; int mmu_idx = MMU_PHYS_IDX;
target_ulong addr; target_ulong addr;
cpu_svm_check_intercept_param(env, SVM_EXIT_VMLOAD, 0, GETPC());
if (aflag == 2) { if (aflag == 2) {
addr = env->regs[R_EAX]; addr = env->regs[R_EAX];
} else { } else {
addr = (uint32_t)env->regs[R_EAX]; addr = (uint32_t)env->regs[R_EAX];
} }
/* Exceptions are checked before the intercept. */
if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
}
cpu_svm_check_intercept_param(env, SVM_EXIT_VMLOAD, 0, GETPC());
if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMLOAD, GETPC())) { if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMLOAD, GETPC())) {
mmu_idx = MMU_NESTED_IDX; mmu_idx = MMU_NESTED_IDX;
} }
@ -519,14 +529,19 @@ void helper_vmsave(CPUX86State *env, int aflag)
int mmu_idx = MMU_PHYS_IDX; int mmu_idx = MMU_PHYS_IDX;
target_ulong addr; target_ulong addr;
cpu_svm_check_intercept_param(env, SVM_EXIT_VMSAVE, 0, GETPC());
if (aflag == 2) { if (aflag == 2) {
addr = env->regs[R_EAX]; addr = env->regs[R_EAX];
} else { } else {
addr = (uint32_t)env->regs[R_EAX]; addr = (uint32_t)env->regs[R_EAX];
} }
/* Exceptions are checked before the intercept. */
if (addr & (0xfff | ((~0ULL) << env_archcpu(env)->phys_bits))) {
raise_exception_err_ra(env, EXCP0D_GPF, 0, GETPC());
}
cpu_svm_check_intercept_param(env, SVM_EXIT_VMSAVE, 0, GETPC());
if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMSAVE, GETPC())) { if (virtual_vm_load_save_enabled(env, SVM_EXIT_VMSAVE, GETPC())) {
mmu_idx = MMU_NESTED_IDX; mmu_idx = MMU_NESTED_IDX;
} }