Message-ID: <4DA5CA0E.8050102@redhat.com>
Date:	Wed, 13 Apr 2011 19:06:38 +0300
From:	Avi Kivity <avi@...hat.com>
To:	Nelson Elhage <nelhage@...lice.com>
CC:	kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: emulator: Handle wraparound in (cs_base + offset)
 when fetching.

On 04/13/2011 06:44 PM, Nelson Elhage wrote:
> Currently, setting a large (i.e. negative) base address for %cs does not work on
> a 64-bit host. The "JOS" teaching operating system, used by MIT and other
> universities, relies on such segments while bootstrapping its way to full
> virtual memory management.
>
> Signed-off-by: Nelson Elhage<nelhage@...lice.com>
> ---
>   arch/x86/kvm/emulate.c |    5 ++++-
>   1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 0ad47b8..54e84b2 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -505,9 +505,12 @@ static int do_fetch_insn_byte(struct x86_emulate_ctxt *ctxt,
>   	int size, cur_size;
>
>   	if (eip == fc->end) {
> +		unsigned long linear = eip + ctxt->cs_base;
> +		if (ctxt->mode != X86EMUL_MODE_PROT64)
> +			linear&= (u32)-1;
>   		cur_size = fc->end - fc->start;
>   		size = min(15UL - cur_size, PAGE_SIZE - offset_in_page(eip));
> -		rc = ops->fetch(ctxt->cs_base + eip, fc->data + cur_size,
> +		rc = ops->fetch(linear, fc->data + cur_size,
>   				size, ctxt->vcpu,&ctxt->exception);
>   		if (rc != X86EMUL_CONTINUE)
>   			return rc;
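
Review bot: The mask is applied only to the start address, while `size` in the unchanged line below it is still bounded by `PAGE_SIZE - offset_in_page(eip)`. Once the fetch starts at `linear`, a `cs_base` that is not page-aligned makes `offset_in_page(eip)` differ from `offset_in_page(linear)`, so if that bound is meant to keep a fetch within one page it should be computed from `linear`. Likewise, a `linear` within 15 bytes of 0xffffffff still yields a read that runs past the 32-bit limit instead of wrapping. On style, a blank line after the `unsigned long linear` declaration and a one-line comment on why the sum is truncated outside `X86EMUL_MODE_PROT64` would help the next reader, and the commit message would be easier to act on if it said what "does not work" looks like in the guest.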

A better fix would be to call linearize() here, which does the necessary 
truncation as well as segment checks.

However, this patch is a lot more backportable, so I think it should be 
applied, and a conversion to linearize() performed afterwards.

-- 
error compiling committee.c: too many arguments to function
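
The wraparound discussed in this thread, as an added example that is not part of the original messages or the KVM source: it models the host's 64-bit `unsigned long` with `uint64_t` and compares the fetch address before and after the patch's mask. The function names, the mode enum and the sample base and offset are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the emulator's mode constants. */
enum cpu_mode { MODE_PROT32, MODE_PROT64 };

/* Pre-patch behaviour: the sum is formed in a 64-bit host integer and
 * passed on as is, so a carry out of bit 31 survives. */
static uint64_t fetch_addr_unpatched(uint64_t cs_base, uint64_t eip)
{
    return cs_base + eip;
}

/* Patched behaviour: outside 64-bit mode the linear address is
 * truncated to 32 bits, which is what a 32-bit guest expects. */
static uint64_t fetch_addr_patched(enum cpu_mode mode,
                                   uint64_t cs_base, uint64_t eip)
{
    uint64_t linear = cs_base + eip;

    if (mode != MODE_PROT64)
        linear &= UINT32_MAX;
    return linear;
}

/* A 32-bit guest has no linear address at or above 4 GiB. */
static int reachable_by_32bit_guest(uint64_t linear)
{
    return linear <= UINT32_MAX;
}

int main(void)
{
    /* Constructed values: a "negative" base (-0xF0000000 mod 2^32)
     * with code linked at a high address. */
    uint64_t cs_base = 0x10000000, eip = 0xF010000C;
    uint64_t before = fetch_addr_unpatched(cs_base, eip);
    uint64_t after = fetch_addr_patched(MODE_PROT32, cs_base, eip);

    printf("unpatched: 0x%" PRIx64 " reachable=%d\n",
           before, reachable_by_32bit_guest(before));
    printf("patched:   0x%" PRIx64 " reachable=%d\n",
           after, reachable_by_32bit_guest(after));
    return 0;
}
```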
