unicorn/qemu/target/i386
Paolo Bonzini 7dd4afd8d9
target/i386: trap on instructions longer than >15 bytes
Besides being more correct, arbitrarily long instructions allow the
generation of a translation block that spans three pages. This
confuses the generator and even allows ring 3 code to poison the
translation block cache and inject code into other processes that are
in guest ring 3.

This is an improved (and more invasive) fix for commit 30663fd ("tcg/i386:
Check the size of instruction being translated", 2017-03-24). In addition
to being more precise (and generating the right exception, which is #GP
rather than #UD), it distinguishes better between page faults and too long
instructions, as shown by this test case:

#include <string.h>
#include <sys/mman.h>

int main()
{
    /* Two pages: the first is filled with 0x66 prefix bytes, the
       second holds NOP; RET. */
    char *x = mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
                   MAP_PRIVATE|MAP_ANON, -1, 0);
    memset(x, 0x66, 4096);
    x[4096] = 0x90;
    x[4097] = 0xc3;
    /* Start executing 15 prefix bytes before the page boundary, so the
       instruction reaches its 16th byte on the second page. */
    char *i = x + 4096 - 15;
    /* Make the second page non-executable. */
    mprotect(x + 4096, 4096, PROT_READ|PROT_WRITE);
    ((void(*)(void)) i) ();
}

... which produces a #GP without the mprotect, and a #PF with it.

Backports commit b066c5375737ad0d630196dab2a2b329515a1d00 from qemu
2018-03-05 04:12:28 -05:00
arch_memory_mapping.c target/i386: enable A20 automatically in system management mode 2018-03-03 14:33:09 -05:00
bpt_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
cc_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
cc_helper_template.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
cpu-qom.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
cpu.c target-i386/cpu: Add new EPYC CPU model 2018-03-04 12:22:27 -05:00
cpu.h i386/cpu/hyperv: support over 64 vcpus for windows guests 2018-03-05 00:00:53 -05:00
excp_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
fpu_helper.c target/i386: split cpu_set_mxcsr() and make cpu_set_fpuc() inline 2018-03-03 21:52:29 -05:00
helper.c target/i386: add the tcg_enabled() in target/i386/ 2018-03-03 21:56:31 -05:00
helper.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
int_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
Makefile.objs target/i386: add the CONFIG_TCG into Makefiles 2018-03-03 21:57:22 -05:00
mem_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
misc_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
mpx_helper.c target/i386: move cpu_sync_bndcs_hflags() function 2018-03-03 21:41:26 -05:00
ops_sse.h target/i386: fix phminposuw in-place operation 2018-03-04 23:59:26 -05:00
ops_sse_header.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
seg_helper.c target/i386: simplify handling of conforming code segments on interrupt 2018-03-03 21:19:48 -05:00
shift_helper_template.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
smm_helper.c Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
svm.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
svm_helper.c target-i386: defer VMEXIT to do_interrupt 2018-03-02 12:49:18 -05:00
TODO Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
topology.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00
translate.c target/i386: trap on instructions longer than >15 bytes 2018-03-05 04:12:28 -05:00
unicorn.c target/i386: make cpu_get_fp80()/cpu_set_fp80() static 2018-03-03 21:44:09 -05:00
unicorn.h Move target-* CPU file into a target/ folder 2018-03-01 22:50:58 -05:00