target-i386: Fixed syscall posssible segfault

In user-mode emulation env->idt.base memory is allocated in linux-user/main.c with size 8*512 = 4096 (for 64-bit). When fake interrupt EXCP_SYSCALL is thrown do_interrupt_user checks destination privilege level for this fake exception, and tries to read 4 bytes at address base + (256 * 2^4)=4096, that causes segfault. Privlege level was checked only for int's, so lets read dpl from memory only for this case. Signed-off-by: N Stanislav Shmarov <snarpix@gmail.com> Message-Id: <1473773008-2588376-1-git-send-email-snarpix@gmail.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

target-i386: Fixed syscall posssible segfault
In user-mode emulation env->idt.base memory is allocated in linux-user/main.c with size 8*512 = 4096 (for 64-bit). When fake interrupt EXCP_SYSCALL is thrown do_interrupt_user checks destination privilege level for this fake exception, and tries to read 4 bytes at address base + (256 * 2^4)=4096, that causes segfault. Privlege level was checked only for int's, so lets read dpl from memory only for this case. Signed-off-by: N Stanislav Shmarov <snarpix@gmail.com> Message-Id: <1473773008-2588376-1-git-send-email-snarpix@gmail.com> Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
885b7c44 · Stanislav Shmarov · Paolo Bonzini · 89d0a64f · 885b7c44
隐藏空白更改
内联并排

Showing with 19 addition and 17 deletion

target-i386/seg_helper.c target-i386/seg_helper.c +19 -17

未找到文件。
--- a/target-i386/seg_helper.c
+++ b/target-i386/seg_helper.c
@@ -1137,25 +1137,27 @@ static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
 static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
                              int error_code, target_ulong next_eip)
 {
-    SegmentCache *dt;
+    if (is_int) {
-    target_ulong ptr;
+        SegmentCache *dt;
-    int dpl, cpl, shift;
+        target_ulong ptr;
-    uint32_t e2;
+        int dpl, cpl, shift;
+        uint32_t e2;
-    dt = &env->idt;
+        dt = &env->idt;
-    if (env->hflags & HF_LMA_MASK) {
+        if (env->hflags & HF_LMA_MASK) {
-        shift = 4;
+            shift = 4;
-    } else {
+        } else {
-        shift = 3;
+            shift = 3;
-    }
+        }
-    ptr = dt->base + (intno << shift);
+        ptr = dt->base + (intno << shift);
-    e2 = cpu_ldl_kernel(env, ptr + 4);
+        e2 = cpu_ldl_kernel(env, ptr + 4);
-    dpl = (e2 >> DESC_DPL_SHIFT) & 3;
+        dpl = (e2 >> DESC_DPL_SHIFT) & 3;
-    cpl = env->hflags & HF_CPL_MASK;
+        cpl = env->hflags & HF_CPL_MASK;
-    /* check privilege if software int */
+        /* check privilege if software int */
-    if (is_int && dpl < cpl) {
+        if (dpl < cpl) {
-        raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
+            raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
+        }
    }
    /* Since we emulate only user space, we cannot do more than