From patchwork Tue Sep 13 13:23:28 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stanislav Shmarov <snarpix@gmail.com>
X-Patchwork-Id: 9329167
Return-Path: 
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B76F46048F for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 13 Sep 2016 13:55:41 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A6AC4294A6
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 13 Sep 2016 13:55:41 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 97E3E294B2; Tue, 13 Sep 2016 13:55:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EE8EB294A6
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Tue, 13 Sep 2016 13:55:40 +0000 (UTC)
Received: from localhost ([::1]:49034 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>)
	id 1bjoBX-0004KL-NZ for patchwork-qemu-devel@patchwork.kernel.org;
	Tue, 13 Sep 2016 09:55:39 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53415)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <snarpix@gmail.com>) id 1bjni0-0005ts-3V
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 09:25:12 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <snarpix@gmail.com>) id 1bjnhu-0000E3-JO
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 09:25:07 -0400
Received: from mail-lf0-f67.google.com ([209.85.215.67]:34253)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <snarpix@gmail.com>) id 1bjnhu-0000Dj-Bn
	for qemu-devel@nongnu.org; Tue, 13 Sep 2016 09:25:02 -0400
Received: by mail-lf0-f67.google.com with SMTP id k12so7119808lfb.1
	for <qemu-devel@nongnu.org>; Tue, 13 Sep 2016 06:25:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=7IEjCNxUAAQOcMiUtoMwLrUfn+4qDkILqx39U8PKYU4=;
	b=c9NnXKESkjJLuuZcvnW4Vo1YKdR+QB2rfFUjyfh4Cqjah5E2TI0smyPkxv1VgVPx6G
	kGXJjWRw4wt5pgwbJCw4CwAx49QUS0it2Nr2zDScLwcKSaqPVi+8MwFfyhjgjRr45UUC
	LnH0bgm+hVZZaQvNcESd7DC9WUlHQf51v/M01aKhpukxg1KQBB3zv72Oo5MNOBjgxOIq
	qko3T0sfNAT7POSHPsT5MrPN2APS5vXyw8dlPR9n3oNF770pIa/7gdC4V7CQyfTjXqBh
	VqoaRgXX3gksdmxTfe4w3vgi3tHUje9lANmnwRS7+3Q9SHHRXf1bRamp68w3FFmoLaub
	l4KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=7IEjCNxUAAQOcMiUtoMwLrUfn+4qDkILqx39U8PKYU4=;
	b=jNp45eg/+0FXJeCcCfkLAt24jwFd0+3tuFppvNi1WdI/cGg+T8twnZqVNGcp1ghXT9
	2ptclGXcI6zhruDcKaFI/o5UiAfbEHq8pq+xFF8m0ndrtUdS2kRQ1uI1Ef4uPDQLn4TE
	9N0g0Q3eNwJMMFnJ03vyCi7xEfjOQzdN9eCOA/gOv/aEpeaNrgxiF2m3AiUO8Bq3MFCj
	U4QWyoQD7L2qGxBYSxUq9Y790qKa4c6mOEL+l8uvUAaT/8tfuRkj11o/2xoZevV9RXqN
	NGlBfksOS6hiq1WWHPbGhPwfxfUaplY7QFa6It4AudpVwrH7mriPVBHpJizvzbG91lOq
	IpcQ==
X-Gm-Message-State: 
 AE9vXwPjJ6jKQywEp/4r8dYCRC43pa8SXI/S32RivLeGAqIl9U8rJWy8/gj87STRAj8kpw==
X-Received: by 10.25.162.68 with SMTP id l65mr8207407lfe.15.1473773041566;
	Tue, 13 Sep 2016 06:24:01 -0700 (PDT)
Received: from mlogin26.smware.local ([213.243.91.10])
	by smtp.gmail.com with ESMTPSA id
	g84sm2760048ljg.13.2016.09.13.06.24.00
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 13 Sep 2016 06:24:00 -0700 (PDT)
From: Stanislav Shmarov <snarpix@gmail.com>
To: qemu-devel@nongnu.org
Date: Tue, 13 Sep 2016 16:23:28 +0300
Message-Id: <1473773008-2588376-1-git-send-email-snarpix@gmail.com>
X-Mailer: git-send-email 1.9.3
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 209.85.215.67
Subject: [Qemu-devel] [PATCH] target-i386: Fixed syscall posssible segfault
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Stanislav Shmarov <snarpix@gmail.com>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <rth@twiddle.net>
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
X-Virus-Scanned: ClamAV using ClamSMTP

In user-mode emulation env->idt.base memory is
allocated in linux-user/main.c with
size 8*512 = 4096 (for 64-bit).
When fake interrupt EXCP_SYSCALL is thrown
do_interrupt_user checks destination privilege level
for this fake exception, and tries to read 4 bytes
at address base + (256 * 2^4)=4096, that causes
segfault.

Privlege level was checked only for int's, so lets
read dpl from memory only for this case.

Signed-off-by: Stanislav Shmarov <snarpix@gmail.com>
---
 target-i386/seg_helper.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/target-i386/seg_helper.c b/target-i386/seg_helper.c
index 6cbdf17..fb79f31 100644
--- a/target-i386/seg_helper.c
+++ b/target-i386/seg_helper.c
@@ -1137,25 +1137,27 @@ static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
 static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
                               int error_code, target_ulong next_eip)
 {
-    SegmentCache *dt;
-    target_ulong ptr;
-    int dpl, cpl, shift;
-    uint32_t e2;
+    if (is_int) {
+        SegmentCache *dt;
+        target_ulong ptr;
+        int dpl, cpl, shift;
+        uint32_t e2;
 
-    dt = &env->idt;
-    if (env->hflags & HF_LMA_MASK) {
-        shift = 4;
-    } else {
-        shift = 3;
-    }
-    ptr = dt->base + (intno << shift);
-    e2 = cpu_ldl_kernel(env, ptr + 4);
+        dt = &env->idt;
+        if (env->hflags & HF_LMA_MASK) {
+            shift = 4;
+        } else {
+            shift = 3;
+        }
+        ptr = dt->base + (intno << shift);
+        e2 = cpu_ldl_kernel(env, ptr + 4);
 
-    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
-    cpl = env->hflags & HF_CPL_MASK;
-    /* check privilege if software int */
-    if (is_int && dpl < cpl) {
-        raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
+        dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+        cpl = env->hflags & HF_CPL_MASK;
+        /* check privilege if software int */
+        if (dpl < cpl) {
+            raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
+        }
     }
 
     /* Since we emulate only user space, we cannot do more than