The Intel manual states for LTR and 64-Bit Exceptions:

    #GP(selector)
       If the descriptor type of the upper 8-byte of the 16-byte descriptor
       is non-zero.

Qemu currently does not check this. The attached patch fixes the bug.


    Bernhard Kauer
--- helper.c.orig       2007-03-26 15:39:11.000000000 +0200
+++ helper.c    2007-03-26 15:40:27.000000000 +0200
@@ -1825,8 +1825,11 @@
             raise_exception_err(EXCP0B_NOSEG, selector & 0xfffc);
 #ifdef TARGET_X86_64
         if (env->hflags & HF_LMA_MASK) {
-            uint32_t e3;
+            uint32_t e3, e4;
             e3 = ldl_kernel(ptr + 8);
+           e4 = ldl_kernel(ptr + 12);
+           if ((e4 >> DESC_TYPE_SHIFT) & 0xf)
+               raise_exception_err(EXCP0D_GPF, selector & 0xfffc);
             load_seg_cache_raw_dt(&env->tr, e1, e2);
             env->tr.base |= (target_ulong)e3 << 32;
         } else 
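Review bot: the three added lines are indented one column less than the surrounding block (`+           e4 = ldl_kernel(ptr + 12);` sits under `             e3 = ldl_kernel(ptr + 8);`), so the new check will not line up with the existing code once applied; align them with the context lines. A short comment above the `(e4 >> DESC_TYPE_SHIFT) & 0xf` test naming the rule it implements (the upper 8 bytes of the 16-byte TSS descriptor must carry a zero type field, per the manual text quoted in the mail) would make the reason for the #GP obvious to later readers.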
