From: Jan Kiszka <jan.kis...@siemens.com>
A 16-bit TSS is only 44 bytes long. So make sure to test for the correct
size on task switch.
Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
---
Changes in v2:
- fixed off-by-one in 16-bit limit
arch/x86/kvm/emulate.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 266576c..ab3fff5 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2355,6 +2355,7 @@ static int emulator_do_task_switch(struct
x86_emulate_ctxt *ctxt,
u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
ulong old_tss_base =
get_cached_descriptor_base(ctxt, ops, VCPU_SREG_TR);
+ u32 desc_limit;
/* FIXME: old_tss_base == ~0 ? */
@@ -2375,7 +2376,10 @@ static int emulator_do_task_switch(struct
x86_emulate_ctxt *ctxt,
}
}
- if (!next_tss_desc.p || desc_limit_scaled(&next_tss_desc) < 0x67) {
+ desc_limit = desc_limit_scaled(&next_tss_desc);
+ if (!next_tss_desc.p ||
+ ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
+ desc_limit < 0x2b)) {
kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
tss_selector & 0xfffc);
return X86EMUL_PROPAGATE_FAULT;
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
