From patchwork Fri Dec 16 09:55:03 2016
X-Patchwork-Submitter: George Dunlap
X-Patchwork-Id: 9477669
From: George Dunlap
Date: Fri, 16 Dec 2016 09:55:03 +0000
Message-ID: <1481882103-18332-1-git-send-email-george.dunlap@citrix.com>
X-Mailer: git-send-email 2.1.4
Cc: Andrew Cooper, George Dunlap, Jan Beulich
Subject: [Xen-devel] [PATCH] x86/emulate: Don't assume that addr_size == 32 implies protected mode
List-Id: Xen developer discussion

Callers of x86_emulate() generally define addr_size based on the code segment. In vm86 mode, the code segment is set by the hardware to be 16-bit; but it is entirely possible to enable protected mode, set CS to 32-bit, and then disable protected mode. (This is commonly called "unreal mode".)

But the instruction decoder only checks for protected mode when addr_size == 16. So in unreal mode, hardware will throw a #UD for VEX prefixes, but our instruction decoder will decode them, triggering an ASSERT() further on in _get_fpu(). (With debug=n the emulator will incorrectly emulate the instruction rather than throwing a #UD, but this is only a bug, not a crash, so it's not a security issue.)

Teach the instruction decoder to check that we're in protected mode, even if addr_size is 32.

While we're here, replace the open-coded protected mode check with in_protmode().

Signed-off-by: George Dunlap
---
CC: Andrew Cooper
CC: Jan Beulich
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index dfdcd6c..46232c4 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2149,11 +2149,8 @@ x86_decode( default: BUG(); /* Shouldn't be possible. */ case 2: - if ( in_realmode(ctxt, ops) || (state->regs->eflags & EFLG_VM) ) - break; - /* fall through */ case 4: - if ( modrm_mod != 3 ) + if ( modrm_mod != 3 || !in_protmode(ctxt, ops) ) break; /* fall through */ case 8:
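Review bot: with the body of `case 2:` removed so that it falls straight into `case 4:`, the 16-bit path is now only correct if `in_protmode(ctxt, ops)` is the exact negation of the deleted `in_realmode(ctxt, ops) || (state->regs->eflags & EFLG_VM)` test, i.e. if it treats vm86 (EFLG_VM set) as not protected and not merely CR0.PE clear; the commit message says the open-coded check was replaced, so stating that equivalence explicitly there, and adding a one-line comment at the now-empty `case 2:` (which sits directly under `default: BUG();`) so the fall-through is not mistaken for a missing `break`, would make the hunk self-explanatory. The operand order in `if ( modrm_mod != 3 || !in_protmode(ctxt, ops) )` is the right one: the cheap ModRM test short-circuits, so the mode check (which may go through the `ops` callbacks) only runs when the bytes actually look like a VEX prefix. `case 8:` needs no such check since 64-bit code can only run with protected mode enabled.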
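To make the commit message's point concrete, here is an added, constructed model of the decoder gate before and after this hunk; it is not Xen's code. It models only the three inputs the hunk depends on (CR0.PE, EFLAGS.VM and the decoder's `addr_size` of 2/4/8 bytes) with a hypothetical `struct mode`, and `in_protmode()` is written as the negation of the removed open-coded test, which is an assumption about the real helper. The bit positions of `CR0_PE` (bit 0) and `EFLG_VM` (bit 17) are the architectural ones. The "unreal 32-bit" state is the one the message describes: CR0.PE cleared after a 32-bit CS was loaded.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the VEX-prefix gate in x86_decode(); not Xen's code.
 * CR0_PE and EFLG_VM use their architectural bit positions.
 */
#define CR0_PE  (1UL << 0)
#define EFLG_VM (1UL << 17)

struct mode {                /* hypothetical, stands in for ctxt/state */
    unsigned long cr0;       /* only CR0.PE is consulted */
    unsigned long eflags;    /* only EFLG_VM is consulted */
    unsigned int  addr_size; /* 2, 4 or 8 bytes, as x86_decode() tracks it */
};

static bool in_realmode(const struct mode *m)
{
    return !(m->cr0 & CR0_PE);
}

/* Assumed to be the exact negation of the removed open-coded test. */
static bool in_protmode(const struct mode *m)
{
    return !(in_realmode(m) || (m->eflags & EFLG_VM));
}

/* Gate before the patch: only the 16-bit path consults the CPU mode. */
bool vex_accepted_before(const struct mode *m, unsigned int modrm_mod)
{
    switch ( m->addr_size )
    {
    case 2:
        if ( in_realmode(m) || (m->eflags & EFLG_VM) )
            return false;
        /* fall through */
    case 4:
        if ( modrm_mod != 3 )
            return false;
        /* fall through */
    case 8:
        return true;   /* 64-bit code implies protected mode */
    }
    return false;      /* unknown addr_size: refuse */
}

/* Gate after the patch: 16- and 32-bit paths share a single check. */
bool vex_accepted_after(const struct mode *m, unsigned int modrm_mod)
{
    switch ( m->addr_size )
    {
    case 2:
        /* fall through: the mode test now lives in case 4 */
    case 4:
        if ( modrm_mod != 3 || !in_protmode(m) )
            return false;
        /* fall through */
    case 8:
        return true;
    }
    return false;
}

/* Constructed sample states; "unreal" = 32-bit CS kept after clearing CR0.PE. */
static const struct {
    const char *name;
    struct mode m;
} states[] = {
    { "real 16-bit",      { 0,      0,       2 } },
    { "vm86 16-bit",      { CR0_PE, EFLG_VM, 2 } },
    { "unreal 32-bit",    { 0,      0,       4 } },
    { "protected 32-bit", { CR0_PE, 0,       4 } },
    { "long 64-bit",      { CR0_PE, 0,       8 } },
};

/* Number of sample states where the two gates disagree for modrm_mod == 3. */
int divergent_states(void)
{
    int n = 0;
    for ( unsigned i = 0; i < sizeof(states) / sizeof(states[0]); i++ )
        if ( vex_accepted_before(&states[i].m, 3) !=
             vex_accepted_after(&states[i].m, 3) )
            n++;
    return n;   /* 1: only the unreal-mode state changes */
}

int main(void)
{
    for ( unsigned i = 0; i < sizeof(states) / sizeof(states[0]); i++ )
        printf("%-17s before=%d after=%d\n", states[i].name,
               vex_accepted_before(&states[i].m, 3),
               vex_accepted_after(&states[i].m, 3));
    return 0;
}
```

Running it prints one row per state; only "unreal 32-bit" flips from accepted to refused, which is exactly the case where the old gate let a VEX prefix through and hardware would have raised #UD.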