On Fri, Dec 07, 2007 at 04:16:00PM +0100, Alexander Graf wrote: >>>> For IN/OUT instructions that access more than a single byte, the >>>> permission bits for all bytes are checked; if any bit is set to 1, >>>> the I/O operation is intercepted. >>>> > > That was the one. Thank you.
Unfortunately there is another bug in this line. As there is only a single byte read from the permission bitmap, an unaligned 4-byte access to port 0x7 would be possible even when the access to port 0x8-0xa is not allowed. The updated patch fixes also this case. Bernhard Kauer
Index: target-i386/helper.c =================================================================== RCS file: /sources/qemu/qemu/target-i386/helper.c,v retrieving revision 1.95 diff -u -r1.95 helper.c --- target-i386/helper.c 18 Nov 2007 01:44:38 -0000 1.95 +++ target-i386/helper.c 8 Dec 2007 20:44:28 -0000 @@ -4250,7 +4332,8 @@ uint64_t addr = ldq_phys(env->vm_vmcb + offsetof(struct vmcb, control.iopm_base_pa)); uint16_t port = (uint16_t) (param >> 16); - if(ldub_phys(addr + port / 8) & (1 << (port % 8))) + uint16_t mask = (1 << ((param >> 4) & 7)) - 1; + if(lduw_phys(addr + port / 8) & (mask << (port & 7))) vmexit(type, param); } break;