KVM: x86: Emulator performs privilege checks on __linearize
When segment is accessed, real hardware does not perform any privilege level checks. In contrast, KVM emulator does. This causes some discrepencies from real hardware. For instance, reading from readable code segment may fail due to incorrect segment checks. In addition, it introduces unnecassary overhead. To reference Intel SDM 5.5 ("Privilege Levels"): "Privilege levels are checked when the segment selector of a segment descriptor is loaded into a segment register." The SDM never mentions privilege level checks during memory access, except for loading far pointers in section 5.10 ("Pointer Validation"). Those are actually segment selector loads and are emulated in the similarily (i.e., regardless to __linearize checks). This behavior was also checked using sysexit. A data-segment whose DPL=0 was loaded, and after sysexit (CPL=3) it is still accessible. Therefore, all the privilege level checks in __linearize are removed. Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
parent
1c1c35ae4b
commit
a7315d2f3c
@ -663,7 +663,6 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
|
|||||||
ulong la;
|
ulong la;
|
||||||
u32 lim;
|
u32 lim;
|
||||||
u16 sel;
|
u16 sel;
|
||||||
unsigned cpl;
|
|
||||||
|
|
||||||
la = seg_base(ctxt, addr.seg) + addr.ea;
|
la = seg_base(ctxt, addr.seg) + addr.ea;
|
||||||
*max_size = 0;
|
*max_size = 0;
|
||||||
@ -705,20 +704,6 @@ static __always_inline int __linearize(struct x86_emulate_ctxt *ctxt,
|
|||||||
}
|
}
|
||||||
if (size > *max_size)
|
if (size > *max_size)
|
||||||
goto bad;
|
goto bad;
|
||||||
cpl = ctxt->ops->cpl(ctxt);
|
|
||||||
if (!fetch) {
|
|
||||||
/* data segment or readable code segment */
|
|
||||||
if (cpl > desc.dpl)
|
|
||||||
goto bad;
|
|
||||||
} else if ((desc.type & 8) && !(desc.type & 4)) {
|
|
||||||
/* nonconforming code segment */
|
|
||||||
if (cpl != desc.dpl)
|
|
||||||
goto bad;
|
|
||||||
} else if ((desc.type & 8) && (desc.type & 4)) {
|
|
||||||
/* conforming code segment */
|
|
||||||
if (cpl < desc.dpl)
|
|
||||||
goto bad;
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (ctxt->mode != X86EMUL_MODE_PROT64)
|
if (ctxt->mode != X86EMUL_MODE_PROT64)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user