qemu-devel
From: Andrew Oates
Subject: [Qemu-devel] [Bug 1503031] [NEW] 32-to-64-bit call gate unsupported in IA32e mode
Date: Mon, 05 Oct 2015 20:33:28 -0000

Public bug reported:

In particular, the lcall implementation doesn't support the 64-bit TSS.

helper_lcall_protected (target-i386/seg_helper.c:1884) calls
get_ss_esp_from_tss() on a call gate to a lower privilege level, which
tries to extract a 32-bit ESP and 16-bit SS from the TSS.  In IA32e mode
(64-bit or compatibility mode), this instead grabs the lower 32 bits of
the target RSP, and 16 of the upper bits as the SS.  Additionally,
several of the subsequent checks are incorrect (even if the correct
stack pointer were extracted).

This isn't a problem for interrupts, since the interrupts are given their
own implementation entirely, which uses get_rsp_from_tss() rather than
get_ss_esp_from_tss().

I believe the missing logic is from the branch starting "ELSE (* current
TSS is 64-bit *)" in the CALL pseudocode in the Intel manual (page 3-124
of the PDF I have).

Reproduced at master (c0b520dfb8890294a9f8879f4759172900585995), and
also as of a qemu built a year ago.

** Affects: qemu
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1503031
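The report hinges on a layout detail of the two TSS formats: in both the legacy 32-bit TSS (Intel SDM Vol. 3, Fig. 7-2) and the 64-bit TSS (Fig. 7-11) the per-privilege-level stack slot sits at byte offset 4 + 8*DPL, but the 32-bit format stores a 4-byte ESPn followed by a 2-byte SSn there, while the 64-bit format stores a single 8-byte RSPn and keeps no SS selector at all. Reading a 64-bit TSS with the 32-bit rule therefore yields ESP = RSP[31:0] and SS = RSP[47:32], exactly the symptom described above. The following C program is an added illustration, not QEMU code and not taken from the bug report: it builds a constructed 64-bit TSS image, decodes the stack slot both ways, and confirms the truncation. The helper names (`read_stack_32bit_tss`, `read_rsp_64bit_tss`, `misdecode_matches_report`) and the sample RSP values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Both TSS formats place the DPL-n stack slot at offset 4 + 8*n
 * (SDM Vol. 3, Figs. 7-2 and 7-11). Only the interpretation differs. */
#define TSS_STACK_SLOT(dpl) (4u + 8u * (dpl))
#define TSS64_SIZE          104u   /* size of the 64-bit TSS image */

/* Little-endian field access so the example is host-endianness independent. */
static uint64_t le_load(const uint8_t *p, unsigned nbytes)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < nbytes; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

static void le_store(uint8_t *p, uint64_t v, unsigned nbytes)
{
    for (unsigned i = 0; i < nbytes; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

typedef struct {
    uint32_t esp;
    uint16_t ss;
} stack32_t;

/* Legacy decode: ESPn (4 bytes) followed by SSn (2 bytes, 2 reserved). */
static stack32_t read_stack_32bit_tss(const uint8_t *tss, unsigned dpl)
{
    stack32_t out;
    unsigned off = TSS_STACK_SLOT(dpl);
    out.esp = (uint32_t)le_load(tss + off, 4);
    out.ss  = (uint16_t)le_load(tss + off + 4, 2);
    return out;
}

/* IA-32e decode: RSPn is one 64-bit value; the 64-bit CALL pseudocode
 * loads SS with a NULL selector carrying the new CPL, not from the TSS. */
static uint64_t read_rsp_64bit_tss(const uint8_t *tss, unsigned dpl)
{
    return le_load(tss + TSS_STACK_SLOT(dpl), 8);
}

/* Constructed 64-bit TSS image with RSP0..RSP2 filled in (example data). */
static void build_tss64(uint8_t *tss, const uint64_t rsp[3])
{
    memset(tss, 0, TSS64_SIZE);
    for (unsigned dpl = 0; dpl < 3; dpl++)
        le_store(tss + TSS_STACK_SLOT(dpl), rsp[dpl], 8);
}

/* Returns 1 when the 32-bit decode of a 64-bit TSS shows the reported
 * misread: ESP = RSP[31:0] and SS = RSP[47:32]. */
static int misdecode_matches_report(const uint8_t *tss, unsigned dpl)
{
    uint64_t rsp = read_rsp_64bit_tss(tss, dpl);
    stack32_t bad = read_stack_32bit_tss(tss, dpl);
    return bad.esp == (uint32_t)rsp && bad.ss == (uint16_t)(rsp >> 32);
}

int main(void)
{
    /* Constructed kernel-style stack pointers, one per DPL 0..2. */
    const uint64_t rsp[3] = { 0xffff800000123f00ull,
                              0xffff800000456f00ull,
                              0xffff800000789f00ull };
    uint8_t tss[TSS64_SIZE];
    build_tss64(tss, rsp);

    for (unsigned dpl = 0; dpl < 3; dpl++) {
        stack32_t bad = read_stack_32bit_tss(tss, dpl);
        printf("DPL%u: RSP=%#018llx  32-bit decode -> ESP=%#010x SS=%#06x  %s\n",
               dpl, (unsigned long long)read_rsp_64bit_tss(tss, dpl),
               bad.esp, bad.ss,
               misdecode_matches_report(tss, dpl) ? "(truncated as reported)" : "");
    }
    return 0;
}
```

The emulator-side fix the report points to is to select the decode by the TSS descriptor type (the 64-bit TSS has type 9 or 11 in IA-32e mode) and, for the 64-bit case, load the full RSPn and leave SS to the CALL pseudocode rather than reading a selector from bytes that belong to the stack pointer.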
