From patchwork Mon Jan 26 07:32:27 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nadav Amit <namit@cs.technion.ac.il>
X-Patchwork-Id: 5706931
Return-Path: <kvm-owner@kernel.org>
X-Original-To: patchwork-kvm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 86E1CC058E
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 26 Jan 2015 07:33:01 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A7C402012E
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 26 Jan 2015 07:33:00 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id C072220123
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 26 Jan 2015 07:32:59 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752913AbbAZHcz (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Mon, 26 Jan 2015 02:32:55 -0500
Received: from mailgw10.technion.ac.il ([132.68.225.10]:46702 "EHLO
	mailgw10.technion.ac.il" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752742AbbAZHcv (ORCPT <rfc822; kvm@vger.kernel.org>);
	Mon, 26 Jan 2015 02:32:51 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 AnMFAFHsxVSERCAB/2dsb2JhbABagwaBK8wtAoERQwEBAQEBAXyEDQEFJ1IQUVcZiCzNVoRJAQEBAQYCAR+PeAcWhBMFjQ2dPiKDcG2BAiSBHAEBAQ
X-IPAS-Result: 
 AnMFAFHsxVSERCAB/2dsb2JhbABagwaBK8wtAoERQwEBAQEBAXyEDQEFJ1IQUVcZiCzNVoRJAQEBAQYCAR+PeAcWhBMFjQ2dPiKDcG2BAiSBHAEBAQ
X-IronPort-AV: E=Sophos;i="5.09,467,1418076000"; d="scan'208";a="7864484"
Received: from csa.cs.technion.ac.il ([132.68.32.1])
	by mailgw10.technion.ac.il with ESMTP; 26 Jan 2015 09:32:45 +0200
Received: from csn.cs.technion.ac.il (csn.cs.technion.ac.il [132.68.32.15])
	by csa.cs.technion.ac.il (Postfix) with ESMTP id 6F586140040;
	Mon, 26 Jan 2015 09:32:44 +0200 (IST)
Received: from csl-tapuz20.cs.technion.ac.il (csl-tapuz20.cs.technion.ac.il
	[132.68.206.58])
	by csn.cs.technion.ac.il (Postfix) with ESMTPSA id 3D685A1C70;
	Mon, 26 Jan 2015 09:32:44 +0200 (IST)
From: Nadav Amit <namit@cs.technion.ac.il>
To: pbonzini@redhat.com
Cc: kvm@vger.kernel.org, Nadav Amit <namit@cs.technion.ac.il>
Subject: [PATCH 7/7] KVM: x86: Emulation of call may use incorrect stack size
Date: Mon, 26 Jan 2015 09:32:27 +0200
Message-Id: <1422257547-4557-8-git-send-email-namit@cs.technion.ac.il>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1422257547-4557-1-git-send-email-namit@cs.technion.ac.il>
References: <1422257547-4557-1-git-send-email-namit@cs.technion.ac.il>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On long-mode, when far call that changes cs.l takes place, the stack size is
determined by the new mode.  For instance, if we go from 32-bit mode to 64-bit
mode, the stack-size if 64.  KVM uses the old stack size.

Fix it.

Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
---
 arch/x86/kvm/emulate.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index c3b0757..81dcf79 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -741,19 +741,26 @@ static int assign_eip_far(struct x86_emulate_ctxt *ctxt, ulong dst,
 			  const struct desc_struct *cs_desc)
 {
 	enum x86emul_mode mode = ctxt->mode;
+	int rc;
 
 #ifdef CONFIG_X86_64
-	if (ctxt->mode >= X86EMUL_MODE_PROT32 && cs_desc->l) {
-		u64 efer = 0;
+	if (ctxt->mode >= X86EMUL_MODE_PROT16) {
+		if (cs_desc->l) {
+			u64 efer = 0;
 
-		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
-		if (efer & EFER_LMA)
-			mode = X86EMUL_MODE_PROT64;
+			ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
+			if (efer & EFER_LMA)
+				mode = X86EMUL_MODE_PROT64;
+		} else
+			mode = X86EMUL_MODE_PROT32; /* temporary value */
 	}
 #endif
 	if (mode == X86EMUL_MODE_PROT16 || mode == X86EMUL_MODE_PROT32)
 		mode = cs_desc->d ? X86EMUL_MODE_PROT32 : X86EMUL_MODE_PROT16;
-	return assign_eip(ctxt, dst, mode);
+	rc = assign_eip(ctxt, dst, mode);
+	if (rc == X86EMUL_CONTINUE)
+		ctxt->mode = mode;
+	return rc;
 }
 
 static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
@@ -3062,6 +3069,7 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
 	struct desc_struct old_desc, new_desc;
 	const struct x86_emulate_ops *ops = ctxt->ops;
 	int cpl = ctxt->ops->cpl(ctxt);
+	enum x86emul_mode prev_mode = ctxt->mode;
 
 	old_eip = ctxt->_eip;
 	ops->get_segment(ctxt, &old_cs, &old_desc, NULL, VCPU_SREG_CS);
@@ -3085,11 +3093,14 @@ static int em_call_far(struct x86_emulate_ctxt *ctxt)
 	rc = em_push(ctxt);
 	/* If we failed, we tainted the memory, but the very least we should
 	   restore cs */
-	if (rc != X86EMUL_CONTINUE)
+	if (rc != X86EMUL_CONTINUE) {
+		pr_warn_once("faulting far call emulation tainted memory\n");
 		goto fail;
+	}
 	return rc;
 fail:
 	ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
+	ctxt->mode = prev_mode;
 	return rc;
 
 }