qemu/target/i386
Peter Maydell 3df1a3d070 target/i386: Check privilege level for protected mode 'int N' task gate
When the 'int N' instruction is executed in protected mode, the
pseudocode in the architecture manual specifies that we need to check:

 * vector number within IDT limits
 * selected IDT descriptor is a valid type (interrupt, trap or task gate)
 * if this was a software interrupt then gate DPL < CPL

The way we had structured the code meant that the privilege check for
software interrupts ended up not in the code path taken for task gate
handling, because all of the task gate handling code was in the 'case 5'
of the switch which was checking "is this descriptor a valid type".

Move the task gate handling code out of that switch (so that it is now
purely doing the "valid type?" check) and below the software interrupt
privilege check.

The effect of this missing check was that in a guest userspace binary
executing 'int 8' would cause a guest kernel panic rather than the
userspace binary being handed a SEGV.

This is essentially the same bug fixed in VirtualBox in 2012:
https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

Note that for QEMU this is not a security issue because it is only
present when using TCG.

Fixes: https://bugs.launchpad.net/qemu/+bug/1813201
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20201121224445.16236-1-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2021-01-02 21:03:09 +01:00
..
hax i386: move hax accel files into hax/ 2020-12-16 14:06:53 -05:00
hvf hvf: Fix segment selector format 2020-11-18 09:32:17 +01:00
kvm i386: move hyperv_limits initialization to x86_cpu_realizefn() 2020-12-16 14:07:33 -05:00
tcg target/i386: Check privilege level for protected mode 'int N' task gate 2021-01-02 21:03:09 +01:00
whpx i386: move whpx accel files into whpx/ 2020-12-16 14:06:53 -05:00
arch_dump.c dump: add kernel_gs_base to QEMU CPU state 2018-07-16 16:13:34 +02:00
arch_memory_mapping.c exec,dump,i386,ppc,s390x: don't include exec/cpu-all.h explicitly 2017-09-19 18:21:33 +02:00
cpu-dump.c i386: move cpu dump out of helper.c into cpu-dump.c 2020-12-16 14:06:53 -05:00
cpu-param.h tcg: Split out target/arch/cpu-param.h 2019-06-10 07:03:34 -07:00
cpu-qom.h qom: Remove module_obj_name parameter from OBJECT_DECLARE* macros 2020-09-18 14:12:32 -04:00
cpu.c qapi: Use QAPI_LIST_PREPEND() where possible 2020-12-19 10:20:14 +01:00
cpu.h i386: move TCG cpu class initialization to tcg/ 2020-12-16 15:50:33 -05:00
gdbstub.c x86 tcg cpus: Fix Lesser GPL version number 2020-11-15 16:41:42 +01:00
helper.c i386: move TCG cpu class initialization to tcg/ 2020-12-16 15:50:33 -05:00
helper.h target/i386: fix IEEE SSE floating-point exception raising 2020-07-10 18:02:17 -04:00
machine.c i386: move kvm accel files into kvm/ 2020-12-16 14:06:52 -05:00
meson.build i386: move cpu dump out of helper.c into cpu-dump.c 2020-12-16 14:06:53 -05:00
monitor.c sev: add sev-inject-launch-secret 2020-12-10 17:33:17 -05:00
ops_sse_header.h x86 tcg cpus: Fix Lesser GPL version number 2020-11-15 16:41:42 +01:00
ops_sse.h x86 tcg cpus: Fix Lesser GPL version number 2020-11-15 16:41:42 +01:00
sev_i386.h target/i386: sev: provide proper error reporting for query-sev-capabilities 2020-07-10 18:02:22 -04:00
sev-stub.c sev: add sev-inject-launch-secret 2020-12-10 17:33:17 -05:00
sev.c sev: add sev-inject-launch-secret 2020-12-10 17:33:17 -05:00
shift_helper_template.h x86 tcg cpus: Fix Lesser GPL version number 2020-11-15 16:41:42 +01:00
svm.h tcg/svm: use host cr4 during NPT page table walk 2020-07-10 18:02:14 -04:00
trace-events i386: move kvm accel files into kvm/ 2020-12-16 14:06:52 -05:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
xsave_helper.c Include qemu-common.h exactly where needed 2019-06-12 13:20:20 +02:00