[kvm-unit-tests,3/3] x86: Test CPL=3 DS/ES/FS/GS RPL=DPL=0 segment descriptor load

Commit Message

Michal Luczaj Jan. 26, 2023, 1:34 a.m. UTC

User space loading of DS, ES, FS, or GS is forbidden for a DPL=0
segment descriptor (conforming code segment being an exception).
Verify that #GP is raised if

	((segment is a data or nonconforming code segment)
	 AND ((RPL > DPL) or (CPL > DPL)))

Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
Test is implemented only for x86_64 as it's making use of
run_in_user(). Should it be reimplemented for _32 as well?

 x86/emulator64.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Patch

diff --git a/x86/emulator64.c b/x86/emulator64.c
index 7f55d38..c58441c 100644
--- a/x86/emulator64.c
+++ b/x86/emulator64.c
@@ -355,6 +355,21 @@  static void test_movabs(uint64_t *mem)
 	report(rcx == 0x9090909090909090, "64-bit mov imm2");
 }
 
+static void load_dpl0_seg(void)
+{
+	asm volatile(KVM_FEP "mov %0, %%fs" :: "r" (KERNEL_CS)); /* RPL=0 */
+}
+
+static void test_user_load_dpl0_seg(void)
+{
+	bool raised_vector;
+
+	run_in_user((usermode_func)load_dpl0_seg, GP_VECTOR, 0, 0, 0, 0,
+		    &raised_vector);
+
+	report(raised_vector, "Wanted #GP on CPL=3 DPL=0 segment load");
+}
+
 static void test_push16(uint64_t *mem)
 {
 	uint64_t rsp1, rsp2;
@@ -456,6 +471,7 @@  static void test_emulator_64(void *mem)
 	if (is_fep_available()) {
 		test_mmx_movq_mf(mem);
 		test_movabs(mem);
+		test_user_load_dpl0_seg();
 	}
 
 	test_push16(mem);