From patchwork Wed Nov 19 15:43:09 2014
X-Patchwork-Submitter: Nadav Amit
X-Patchwork-Id: 5338321
From: Nadav Amit
To: pbonzini@redhat.com
Cc: kvm@vger.kernel.org, Nadav Amit
Subject: [PATCH 2/6] KVM: x86: Stack size is overridden by __linearize
Date: Wed, 19 Nov 2014 17:43:09 +0200
Message-Id: <1416411793-22244-3-git-send-email-namit@cs.technion.ac.il>
In-Reply-To: <1416411793-22244-1-git-send-email-namit@cs.technion.ac.il>
References: <1416411793-22244-1-git-send-email-namit@cs.technion.ac.il>
X-Mailing-List: kvm@vger.kernel.org

When performing segmented-read/write in the emulator for stack operations, it ignores the stack size, and uses the ad_bytes as an indication for the pointer size. As a result, a wrong address may be accessed.

To fix this behavior, we can remove the masking of address in __linearize and perform it beforehand. It is already done for the operands (so currently it is inefficiently done twice). It is missing in two cases:

1. When using rip_relative
2. On fetch_bit_operand that changes the address.

This patch masks the address on these two occasions, and removes the masking from __linearize.

Note that it does not mask EIP during fetch. In protected/legacy mode code fetch when RIP >= 2^32 should result in #GP and not wrap-around. Since we make limit checks within __linearize, this is the expected behavior.

Signed-off-by: Nadav Amit
---
 arch/x86/kvm/emulate.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 5d47714..1317560 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -665,8 +665,7 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt, u16 sel; unsigned cpl; - la = seg_base(ctxt, addr.seg) + - (fetch || ctxt->ad_bytes == 8 ? addr.ea : (u32)addr.ea); + la = seg_base(ctxt, addr.seg) + addr.ea; *max_size = 0; switch (ctxt->mode) { case X86EMUL_MODE_PROT64: @@ -1289,7 +1288,8 @@ static void fetch_bit_operand(struct x86_emulate_ctxt *ctxt) else sv = (s64)ctxt->src.val & (s64)mask; - ctxt->dst.addr.mem.ea += (sv >> 3); + ctxt->dst.addr.mem.ea = address_mask(ctxt, + ctxt->dst.addr.mem.ea + (sv >> 3)); } /* only subword offset */ @@ -4638,7 +4638,8 @@ done_prefixes: rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); if (ctxt->rip_relative) - ctxt->memopp->addr.mem.ea += ctxt->_eip; + ctxt->memopp->addr.mem.ea = address_mask(ctxt, + ctxt->memopp->addr.mem.ea + ctxt->_eip); done: return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
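Review bot: in the __linearize hunk, dropping the `(fetch || ctxt->ad_bytes == 8 ? addr.ea : (u32)addr.ea)` truncation makes correctness depend on every caller having masked addr.ea to the right width before the call, but the commit message only asserts that this is "already done for the operands" and then fixes two further sites (rip_relative and fetch_bit_operand). The message should name the remaining __linearize callers that were audited (stack accesses through SS, string operations, descriptor and segment reads), because any caller that still relied on the old `(u32)` cast now silently accepts effective addresses above 4 GiB. The justification for leaving fetch unmasked also rests on the limit checks "within __linearize", which are outside this hunk's context; a pointer to the check that raises #GP for RIP >= 2^32 in protected mode would make that claim verifiable from the patch.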
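Review bot: in the fetch_bit_operand hunk, `ctxt->dst.addr.mem.ea = address_mask(ctxt, ctxt->dst.addr.mem.ea + (sv >> 3))` is a behaviour change for the 16-bit address-size case that the commit message does not mention: the old __linearize only ever cast to `(u32)`, so a negative `sv` (the visible `else` branch sign-extends it through `(s64)`) that moved the address below zero wrapped at 32 bits, whereas it now wraps at 16 bits, assuming address_mask truncates to ad_bytes. That is the architecturally correct wrap, but it deserves a sentence in the commit message. Minor and pre-existing: `sv >> 3` on a negative s64 is an arithmetic shift only as a compiler guarantee, so a comment or a division by 8 would document the intent.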
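Review bot: in the rip_relative hunk, the `x = address_mask(ctxt, x + y)` pattern now appears here and in fetch_bit_operand, and the commit message says operand decoding already does the same; a small static inline helper that adds a displacement to an effective address and masks it would keep the three sites in step if the masking rule changes again. Minor: the rip_relative adjustment runs regardless of whether the preceding `decode_operand(ctxt, &ctxt->dst, ...)` succeeded, since `rc` is only inspected at `done:`; it is harmless today because the result is discarded on EMULATION_FAILED, but an `if (rc != X86EMUL_CONTINUE) goto done;` before the adjustment would make that explicit.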
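Added example, not part of this patch or of KVM's emulate.c: a compact C model of the masking rule the commit message describes, so the failure it fixes can be seen on concrete values. The names ad_bytes, address_mask, stack_mask and the old/new linearize variants follow the commit message, but the structure, the function signatures and the three scenarios (a 64-bit-mode push under a 0x67 address-size prefix, a 16-bit bit-test operand with a negative bit offset, and a RIP-relative operand under 0x67) are assumptions constructed for this example. The point it makes beyond the text: the stack pointer's width comes from SS.B or long mode, so re-masking it by the instruction's address size in linearize truncates a perfectly valid 64-bit stack address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an emulator context with only the fields the masking rule needs.
 * Assumed for this example; not KVM's struct x86_emulate_ctxt. */
enum mode { MODE_PROT16, MODE_PROT32, MODE_PROT64 };

struct ctxt {
    enum mode mode;
    unsigned ad_bytes;   /* address size of the decoded instruction: 2, 4 or 8 */
    bool ss_is_32bit;    /* SS.B: 32-bit stack pointer in protected mode */
    uint64_t ss_base;    /* SS segment base (0 in 64-bit mode) */
    uint64_t rsp;
};

/* Truncate an effective address to the instruction's address size. */
static uint64_t address_mask(const struct ctxt *c, uint64_t ea)
{
    switch (c->ad_bytes) {
    case 2:  return ea & 0xffffULL;
    case 4:  return ea & 0xffffffffULL;
    default: return ea;
    }
}

/* Truncate a stack pointer to the stack's own width, which is set by SS.B or
 * by 64-bit mode and is independent of the 0x67 address-size prefix. */
static uint64_t stack_mask(const struct ctxt *c, uint64_t sp)
{
    if (c->mode == MODE_PROT64)
        return sp;
    return c->ss_is_32bit ? (sp & 0xffffffffULL) : (sp & 0xffffULL);
}

/* Before the patch: linearize re-masked every non-fetch address by ad_bytes. */
static uint64_t linearize_old(const struct ctxt *c, uint64_t base, uint64_t ea, bool fetch)
{
    return base + ((fetch || c->ad_bytes == 8) ? ea : (uint64_t)(uint32_t)ea);
}

/* After the patch: callers mask; linearize only adds the segment base. */
static uint64_t linearize_new(uint64_t base, uint64_t ea)
{
    return base + ea;
}

/* Linear address written by a push: the stack pointer is masked by stack
 * width, then handed to one or the other linearize variant. */
static uint64_t push_addr(const struct ctxt *c, unsigned bytes, bool old)
{
    uint64_t ea = stack_mask(c, c->rsp - bytes);
    return old ? linearize_old(c, c->ss_base, ea, false) : linearize_new(c->ss_base, ea);
}

/* Bit-test style operand: a signed bit offset moves the memory operand by
 * (bit_off >> 3) bytes; mirrors the fetch_bit_operand change (add, then mask). */
static uint64_t bit_operand_addr(const struct ctxt *c, uint64_t ea, int64_t bit_off, bool old)
{
    uint64_t moved = ea + (uint64_t)(bit_off >> 3);   /* arithmetic shift, as gcc does */
    return old ? linearize_old(c, 0, moved, false) : linearize_new(0, address_mask(c, moved));
}

/* RIP-relative operand after the patch: disp + next RIP, masked by the caller. */
static uint64_t rip_rel_addr(const struct ctxt *c, int32_t disp, uint64_t next_rip)
{
    return linearize_new(0, address_mask(c, next_rip + (uint64_t)(int64_t)disp));
}

/* Scenario 1 (constructed): 64-bit mode, 0x67 prefix (ad_bytes = 4), RSP above
 * 4 GiB, 8-byte push. The stack is 64-bit wide, so the write must land just
 * below RSP; the old rule chops the address to 32 bits. */
uint64_t demo_long_mode_push(bool old)
{
    struct ctxt c = { .mode = MODE_PROT64, .ad_bytes = 4, .ss_is_32bit = true,
                      .ss_base = 0, .rsp = 0x00007fffffffe000ULL };
    return push_addr(&c, 8, old);
}

/* Scenario 2 (constructed): 16-bit address size, operand at offset 0, bit
 * offset -8 (one byte back). The old rule wraps at 32 bits, the new one at 16. */
uint64_t demo_bit_op_16bit(bool old)
{
    struct ctxt c = { .mode = MODE_PROT16, .ad_bytes = 2, .ss_is_32bit = false };
    return bit_operand_addr(&c, 0, -8, old);
}

/* Scenario 3 (constructed): RIP-relative operand with a 0x67 prefix in 64-bit
 * mode; the sum is truncated to 32 bits, as the patched rip_relative path does. */
uint64_t demo_rip_relative(void)
{
    struct ctxt c = { .mode = MODE_PROT64, .ad_bytes = 4, .ss_is_32bit = true };
    return rip_rel_addr(&c, 0x10, 0x00007fff00001000ULL);
}

int main(void)
{
    printf("push, old rule: %#llx\n", (unsigned long long)demo_long_mode_push(true));
    printf("push, new rule: %#llx\n", (unsigned long long)demo_long_mode_push(false));
    printf("bt,   old rule: %#llx\n", (unsigned long long)demo_bit_op_16bit(true));
    printf("bt,   new rule: %#llx\n", (unsigned long long)demo_bit_op_16bit(false));
    printf("rip-relative:   %#llx\n", (unsigned long long)demo_rip_relative());
    return 0;
}
```

The first scenario is the one the patch subject describes: the push is correct only when linearize stops re-masking by ad_bytes and trusts the stack_mask the caller applied. The second scenario shows the side effect of moving the mask into fetch_bit_operand, where a 16-bit address now wraps at 16 bits instead of the old code's 32.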