motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2026-02-06 08:10:43 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions
qemu/target
History
Paolo Bonzini b066c53757 target/i386: trap on instructions longer than >15 bytes 
Besides being more correct, arbitrarily long instruction allow the
generation of a translation block that spans three pages.  This
confuses the generator and even allows ring 3 code to poison the
translation block cache and inject code into other processes that are
in guest ring 3.

This is an improved (and more invasive) fix for commit 30663fd ("tcg/i386:
Check the size of instruction being translated", 2017-03-24).  In addition
to being more precise (and generating the right exception, which is #GP
rather than #UD), it distinguishes better between page faults and too long
instructions, as shown by this test case:

    #include <sys/mman.h>
    #include <string.h>
    #include <stdio.h>

    int main()
    {
            char *x = mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
                           MAP_PRIVATE|MAP_ANON, -1, 0);
            memset(x, 0x66, 4096);
            x[4096] = 0x90;
            x[4097] = 0xc3;
            char *i = x + 4096 - 15;
            mprotect(x + 4096, 4096, PROT_READ|PROT_WRITE);
            ((void(*)(void)) i) ();
    }

... which produces a #GP without the mprotect, and a #PF with it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-10-16 18:03:53 +02:00
..
alpha tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
arm tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
cris qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
hppa tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
i386 target/i386: trap on instructions longer than >15 bytes 2017-10-16 18:03:53 +02:00
lm32 qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
m68k qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
microblaze target: [tcg] Use a generic enum for DISAS_ values 2017-09-06 08:06:47 -07:00
mips tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
moxie qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
nios2 nios2: define tcg_env 2017-10-16 18:03:52 +02:00
openrisc qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
ppc build: remove CONFIG_LIBDECNUMBER 2017-10-16 18:03:52 +02:00
s390x tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
sh4 tcg: remove addr argument from lookup_tb_ptr 2017-10-10 07:37:10 -07:00
sparc qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
tilegx tilegx: replace cpu_tilegx_init() with cpu_generic_init() 2017-09-01 11:54:24 -03:00
tricore qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
unicore32 qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00
xtensa qom/cpu: move cpu_model null check to cpu_class_by_name() 2017-10-09 23:21:52 -03:00