Hi,

I would just like to underline an unusual behaviour I observed recently with Xen. Indeed, a test with a Xen HVM x86-32bit guest pointed out that the x86_emulate function in xen/arch/x86/x86_emulate/x86_emulate.c seems to only partially handle far-jmp instruction emulation.
According to Intel documentation, when the processor is operating in protected mode, there exist three types of far jumps:

 * A far jump to a conforming or non-conforming code segment;
 * A far jump through a call gate;
 * A task switch - through a task gate or directly with a TSS segment.

When the x86_emulate function emulates a far jmp (case 0xea or 0xff/5), it does not check what type of descriptor is given as the far-jmp parameter. When performing segment loading (by calling the load_seg function), the segment type parameter is always set to 'x86_seg_cs':

xen/arch/x86/x86_emulate/x86_emulate.c:

    4665 far_jmp:
    4666     if ( (rc = load_seg(x86_seg_cs, imm2, 0, &cs, ctxt, ops)) ||
    4667          (rc = commit_far_branch(&cs, imm1)) )
    4668         goto done;
    4669     break;

In protected mode, load_seg calls protmode_load_seg. Before loading the segment, protmode_load_seg checks several properties, in particular the consistency of the system flag S of 'x86_seg_cs' and of the descriptor 'desc' referenced by 'imm2'. If imm2 references a call gate, a task gate or a TSS segment, the S flag is clear and differs from the x86_seg_cs flag. That leads to a segmentation fault:

xen/arch/x86/x86_emulate/x86_emulate.c:

    1434     /* User segments must have S flag == 1. */
    1435     if ( is_x86_user_segment(seg) && !(desc.b & (1u << 12)) )
    1436         goto raise_exn;

In a nutshell, x86_emulate always generates a segmentation fault instead of performing a legitimate task switch or a legitimate far jump through a call gate. Is it normal?

Regards,
Anaïs Gantet

NB: it seems to be the same problem with far-call emulation.

-- 
Anaïs Gantet
Evaluation DTO Digital Security – ZSCCR
Airbus - B80-E130/E14CA
PGP fingerprint : 478C 6713 366D 742E 1F10 81C0 7D78 5359 17E2 3980
_______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
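The descriptor-type distinction the report turns on, as an added example (this is not code from the Xen tree or from the poster). The helper names classify_far_target, cs_load_passes_s_check and far_jmp_target_valid are hypothetical; the S bit, the 4-bit type field and the system descriptor type encodings are taken from the Intel SDM volume 3 descriptor layout, and the sample descriptor high dwords are constructed for the demonstration. The point it shows: a call gate, task gate or TSS has S == 0, so any check that treats every far-jmp operand as a user code segment rejects exactly the targets a real CPU would accept.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of target a protected-mode far JMP/CALL operand may select. */
enum far_target {
    FAR_INVALID,    /* data segment, LDT, interrupt/trap gate, reserved: #GP */
    FAR_CODE_SEG,   /* conforming or non-conforming code segment */
    FAR_CALL_GATE,  /* 16- or 32-bit call gate */
    FAR_TASK_GATE,  /* task gate */
    FAR_TSS,        /* 16- or 32-bit TSS, available or busy */
};

/* Bits of the high dword of a legacy 8-byte descriptor (desc.b in Xen's terms). */
#define DESC_TYPE(b)   (((b) >> 8) & 0xfu)  /* bits 8..11 */
#define DESC_S_BIT     (1u << 12)           /* 1 = code/data, 0 = system */
#define DESC_P_BIT     (1u << 15)           /* present */
#define DESC_TSS_BUSY  0x2u                 /* bit 1 of a TSS type: busy */

/* Hypothetical helper: classify a descriptor by its S bit and type field. */
enum far_target classify_far_target(uint32_t desc_b)
{
    unsigned int type = DESC_TYPE(desc_b);

    if (desc_b & DESC_S_BIT) {
        /* User segment: type bit 3 set means code, clear means data. */
        return (type & 0x8u) ? FAR_CODE_SEG : FAR_INVALID;
    }

    switch (type) {
    case 0x1: case 0x3: case 0x9: case 0xb:   /* 16/32-bit TSS, available/busy */
        return FAR_TSS;
    case 0x5:                                 /* task gate */
        return FAR_TASK_GATE;
    case 0x4: case 0xc:                       /* 16/32-bit call gate */
        return FAR_CALL_GATE;
    default:                                  /* LDT (2), int/trap gates, reserved */
        return FAR_INVALID;
    }
}

/*
 * Mirror of the check quoted from protmode_load_seg: when seg is always
 * x86_seg_cs (a user segment), any descriptor with S == 0 is rejected.
 * Returns true if the load would proceed past that check.
 */
bool cs_load_passes_s_check(uint32_t desc_b)
{
    return (desc_b & DESC_S_BIT) != 0;
}

/*
 * Whether a CPU would accept the descriptor as a far JMP target at all
 * (privilege and limit checks are out of scope here).  Per the SDM task
 * switching rules, a JMP to a busy TSS raises #GP; the target must be present.
 */
bool far_jmp_target_valid(uint32_t desc_b)
{
    if (!(desc_b & DESC_P_BIT))
        return false;
    switch (classify_far_target(desc_b)) {
    case FAR_CODE_SEG:
    case FAR_CALL_GATE:
    case FAR_TASK_GATE:
        return true;
    case FAR_TSS:
        return !(DESC_TYPE(desc_b) & DESC_TSS_BUSY);
    default:
        return false;
    }
}

int main(void)
{
    /* Constructed descriptor high dwords; base/limit bits are irrelevant here. */
    static const struct { const char *name; uint32_t b; } samples[] = {
        { "32-bit code segment",  0x00cf9a00u },
        { "32-bit data segment",  0x00cf9200u },
        { "32-bit call gate",     0x00008c00u },
        { "task gate",            0x00008500u },
        { "available 32-bit TSS", 0x00008900u },
        { "busy 32-bit TSS",      0x00008b00u },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s kind=%d cpu_accepts=%d emulator_s_check=%d\n",
               samples[i].name, classify_far_target(samples[i].b),
               far_jmp_target_valid(samples[i].b),
               cs_load_passes_s_check(samples[i].b));
    return 0;
}
```

Running it shows the three system descriptor kinds with cpu_accepts=1 but emulator_s_check=0, which is the mismatch the report describes; a dispatch on classify_far_target before the CS-typed load_seg call is what an emulator needs in order to route gates and task switches to their own handling.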