qemu/target
Peter Maydell 3df1a3d070 target/i386: Check privilege level for protected mode 'int N' task gate
When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need to check:

 * vector number within IDT limits
 * selected IDT descriptor is a valid type (interrupt, trap or task gate)
 * if this was a software interrupt then gate DPL < CPL

The way we had structured the code meant that the privilege check for
software interrupts ended up not in the code path taken for task gate
handling, because all of the task gate handling code was in the 'case 5'
of the switch which was checking "is this descriptor a valid type".

Move the task gate handling code out of that switch (so that it is now
purely doing the "valid type?" check) and below the software interrupt
privilege check.

The effect of this missing check was that in a guest userspace binary
executing 'int 8' would cause a guest kernel panic rather than the
userspace binary being handed a SEGV.

This is essentially the same bug fixed in VirtualBox in 2012:
https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Note that for QEMU this is not a security issue because it is only
present when using TCG.

Fixes: https://bugs.launchpad.net/qemu/+bug/1813201
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20201121224445.16236-1-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2021-01-02 21:03:09 +01:00
..
alpha migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
arm migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
avr migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
cris cris tcg cpus: Fix Lesser GPL version number 2020-11-15 16:39:05 +01:00
hppa migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
i386 target/i386: Check privilege level for protected mode 'int N' task gate 2021-01-02 21:03:09 +01:00
lm32 nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
m68k m68k: fix some comment spelling errors 2020-12-12 18:12:43 +01:00
microblaze migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
mips QAPI patches patches for 2020-12-19 2021-01-01 14:33:03 +00:00
moxie qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
nios2 target/nios2: Use deposit32() to update ipending register 2020-12-15 12:04:30 +00:00
openrisc migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
ppc migration: Replace migration's JSON writer by the general one 2020-12-19 10:39:16 +01:00
riscv target/riscv: cpu: Set XLEN independently from target 2020-12-17 21:56:44 -08:00
rx target/rx: Fix Lesser GPL version number 2020-10-27 00:22:56 +01:00
s390x Further s390x updates: 2021-01-01 18:19:44 +00:00
sh4 hmp: Pass monitor to mon_get_cpu_env() 2020-11-13 12:45:51 +00:00
sparc Machine queue, 2020-12-23 2021-01-01 22:57:15 +00:00
tilegx nomaintainer: Fix Lesser GPL version number 2020-11-15 17:04:40 +01:00
tricore tricore tcg cpus: Fix Lesser GPL version number 2020-11-15 16:40:30 +01:00
unicore32 target/unicore32/translate: Add missing fallthrough annotations 2020-12-18 09:14:22 +01:00
xtensa xtensa tcg cpus: Fix Lesser GPL version number 2020-11-15 16:40:15 +01:00
meson.build meson: target 2020-08-21 06:30:35 -04:00