From patchwork Fri Oct 10 02:07:50 2014
X-Patchwork-Submitter: Nadav Amit
X-Patchwork-Id: 5063231
From: Nadav Amit
To: pbonzini@redhat.com, rkrcmar@redhat.com
Cc: kvm@vger.kernel.org, Nadav Amit
Subject: [PATCH v2 2/5] KVM: x86: Emulator performs code segment checks on read access
Date: Fri, 10 Oct 2014 05:07:50 +0300
Message-Id: <1412906870-4322-1-git-send-email-namit@cs.technion.ac.il>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <20141006203238.GA4989@potion.brq.redhat.com>
References: <20141006203238.GA4989@potion.brq.redhat.com>
X-Mailing-List: kvm@vger.kernel.org

When read access is performed using a readable code segment, the "conforming" and "non-conforming" checks should not be done. As a result, a read using a non-conforming readable code segment fails. This is according to Intel SDM 5.6.1 ("Accessing Data in Code Segments").

One exception is the case of a conforming code segment. The SDM says: "Use a code-segment override prefix (CS) to read a readable... [it is] valid because the DPL of the code segment selected by the CS register is the same as the CPL." This is misleading since CS.DPL may be lower (numerically) than CPL, and CS would still be accessible. The emulator should avoid privilege level checks for data reads using CS.

The fix is not to perform the "non-conforming" checks if the access is not a fetch, and never to perform the checks for CS.

---
v1->v2: Privilege level checks are always skipped for CS

Signed-off-by: Nadav Amit
---
 arch/x86/kvm/emulate.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index a46207a..0fee0a0 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -661,9 +661,9 @@ static int __linearize(struct x86_emulate_ctxt *ctxt, goto bad; } cpl = ctxt->ops->cpl(ctxt); - if (!(desc.type & 8)) { - /* data segment */ - if (cpl > desc.dpl) + if (!fetch) { + /* data segment or readable code segment */ + if (cpl > desc.dpl && addr.seg != VCPU_SREG_CS) goto bad; } else if ((desc.type & 8) && !(desc.type & 4)) { /* nonconforming code segment */
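Review bot: the new `if (!fetch)` branch applies `cpl > desc.dpl` to every non-CS read, including a read through a conforming readable code segment (`desc.type & 8` and `desc.type & 4` both set) loaded in a data-segment register, which the SDM 5.6.1 section cited in the commit message lists as always valid regardless of DPL; before this change that read reached the conforming-code branch instead of failing. Consider exempting it alongside CS, e.g. `if (cpl > desc.dpl && addr.seg != VCPU_SREG_CS && !((desc.type & 8) && (desc.type & 4)))`. Also worth confirming: with `fetch` set, a non-code segment (`!(desc.type & 8)`) no longer matches the first branch and falls past the `else if ((desc.type & 8) && !(desc.type & 4))` test, so the executability check for fetches must be enforced elsewhere in `__linearize()`.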
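As an added example, not part of this patch, of the kvm tree, or of the author's submission: a stand-alone C model of the `__linearize()` privilege check before and after the hunk above. It uses only the descriptor bits the hunk tests (`desc.type & 8` for a code segment, `desc.type & 4` for conforming), `cpl`/`dpl`, and a constructed stand-in for `VCPU_SREG_CS`; the bodies of the nonconforming and conforming branches lie outside the visible hunk and are assumed to be the usual x86 rules (CPL == DPL for nonconforming, CPL >= DPL for conforming). It prints, for each of the SDM 5.6.1 access methods, whether the old and the new check accept the access.

```c
/*
 * Added example, not part of the patch or of KVM: a model of the privilege
 * check in __linearize() before and after the change, limited to the
 * descriptor bits the hunk tests. The nonconforming/conforming branch bodies
 * are not visible in the hunk and are ASSUMED to be the x86 control-transfer
 * rules (CPL == DPL, CPL >= DPL). The segment-register enum is a constructed
 * stand-in for KVM's VCPU_SREG_* values.
 */
#include <stdbool.h>
#include <stdio.h>

#define SEG_TYPE_CODE       8u  /* descriptor type bit 3: executable segment */
#define SEG_TYPE_CONFORMING 4u  /* descriptor type bit 2: conforming (code only) */

enum seg_reg { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS };  /* constructed */

struct seg_desc {
    unsigned type;  /* 4-bit descriptor type field */
    unsigned dpl;   /* descriptor privilege level, 0..3 */
};

/* Check as it read before the patch: the branch is chosen by type alone. */
static bool linearize_check_before(struct seg_desc d, unsigned cpl,
                                   bool fetch, enum seg_reg seg)
{
    (void)fetch;
    (void)seg;
    if (!(d.type & SEG_TYPE_CODE)) {
        /* data segment */
        return cpl <= d.dpl;
    } else if (!(d.type & SEG_TYPE_CONFORMING)) {
        /* nonconforming code segment (assumed body: cpl != dpl -> bad) */
        return cpl == d.dpl;
    }
    /* conforming code segment (assumed body: cpl < dpl -> bad) */
    return cpl >= d.dpl;
}

/* Check as it reads after the patch: reads take one rule, CS is exempt. */
static bool linearize_check_after(struct seg_desc d, unsigned cpl,
                                  bool fetch, enum seg_reg seg)
{
    if (!fetch) {
        /* data segment or readable code segment */
        if (cpl > d.dpl && seg != SEG_CS)
            return false;
        return true;
    } else if ((d.type & SEG_TYPE_CODE) && !(d.type & SEG_TYPE_CONFORMING)) {
        /* nonconforming code segment (assumed body) */
        return cpl == d.dpl;
    } else if ((d.type & SEG_TYPE_CODE) && (d.type & SEG_TYPE_CONFORMING)) {
        /* conforming code segment (assumed body) */
        return cpl >= d.dpl;
    }
    /* fetch from a non-code segment: nothing in this check rejects it */
    return true;
}

int main(void)
{
    /* Constructed descriptors: type 0xA = readable nonconforming code,
     * 0xE = readable conforming code, 0x2 = read/write data. */
    struct {
        const char *what;
        struct seg_desc d;
        unsigned cpl;
        bool fetch;
        enum seg_reg seg;
    } cases[] = {
        { "read via DS, nonconforming code, DPL 3, CPL 0", { 0xA, 3 }, 0, false, SEG_DS },
        { "read via CS override, conforming code, DPL 0, CPL 3", { 0xE, 0 }, 3, false, SEG_CS },
        { "read via DS, conforming code, DPL 0, CPL 3",    { 0xE, 0 }, 3, false, SEG_DS },
        { "read via DS, data segment, DPL 0, CPL 3",       { 0x2, 0 }, 3, false, SEG_DS },
        { "fetch, nonconforming code, DPL 0, CPL 3",       { 0xA, 0 }, 3, true,  SEG_CS },
    };
    size_t i;

    printf("%-55s %-7s %-7s\n", "access", "before", "after");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool b = linearize_check_before(cases[i].d, cases[i].cpl, cases[i].fetch, cases[i].seg);
        bool a = linearize_check_after(cases[i].d, cases[i].cpl, cases[i].fetch, cases[i].seg);
        printf("%-55s %-7s %-7s\n", cases[i].what, b ? "ok" : "bad", a ? "ok" : "bad");
    }
    return 0;
}
```

The first row is the bug the patch fixes: a read through a nonconforming readable code segment no longer trips the nonconforming `cpl == dpl` rule. The third row, a read through a conforming readable code segment loaded in DS, passes the old check and fails the new one, because the new `cpl > desc.dpl` test is applied to every non-CS read regardless of the conforming bit; the remaining rows behave the same under both versions.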