On 7/9/24 23:29, Paolo Bonzini wrote:
This fixes a bug wherein i386/tcg assumed an interrupt return using the CALL or JMP instructions were always going from kernel or user mode to kernel mode, when using a call gate. This assumption is violated if the call gate has a DPL that is greater than 0.

In addition, the stack accesses should count as explicit, not implicit ("kernel" in QEMU code), so that SMAP is not applied if DPL=3.

Analyzed-by: Robert R. Henry <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/249
Signed-off-by: Paolo Bonzini <[email protected]>
---
 target/i386/tcg/seg_helper.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
Reviewed-by: Richard Henderson <[email protected]>

r~
