mirror of
https://github.com/yuzu-emu/unicorn.git
synced 2025-01-09 14:25:41 +00:00
1a3abaa81a
When the 'int N' instruction is executed in protected mode, the pseudocode in the architecture manual specifies that we need to check: * vector number within IDT limits * selected IDT descriptor is a valid type (interrupt, trap or task gate) * if this was a software interrupt then gate DPL < CPL The way we had structured the code meant that the privilege check for software interrupts ended up not in the code path taken for task gate handling, because all of the task gate handling code was in the 'case 5' of the switch which was checking "is this descriptor a valid type". Move the task gate handling code out of that switch (so that it is now purely doing the "valid type?" check) and below the software interrupt privilege check. The effect of this missing check was that in a guest userspace binary executing 'int 8' would cause a guest kernel panic rather than the userspace binary being handed a SEGV. This is essentially the same bug fixed in VirtualBox in 2012: https://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/ Note that for QEMU this is not a security issue because it is only present when using TCG. Backports 3df1a3d070575419859cbbab1083fafa7ec2669a |
||
|---|---|---|
| .. | ||
| arch_memory_mapping.c | ||
| bpt_helper.c | ||
| cc_helper.c | ||
| cc_helper_template.h | ||
| cpu-param.h | ||
| cpu-qom.h | ||
| cpu.c | ||
| cpu.h | ||
| excp_helper.c | ||
| fpu_helper.c | ||
| helper.c | ||
| helper.h | ||
| int_helper.c | ||
| Makefile.objs | ||
| mem_helper.c | ||
| misc_helper.c | ||
| mpx_helper.c | ||
| ops_sse.h | ||
| ops_sse_header.h | ||
| seg_helper.c | ||
| shift_helper_template.h | ||
| smm_helper.c | ||
| svm.h | ||
| svm_helper.c | ||
| topology.h | ||
| translate.c | ||
| unicorn.c | ||
| unicorn.h | ||