On Fri, Dec 07, 2007 at 04:16:00PM +0100, Alexander Graf wrote:
>>>> For IN/OUT instructions that access more than a single byte, the
>>>> permission bits for all bytes are checked; if any bit is set to 1,
>>>> the I/O operation is intercepted.
>>>>
>
> That was the one. Thank you.


Unfortunately there is another bug in this line. As there
is only a single byte read from the permission bitmap, an
unaligned 4-byte access to port 0x7 would be possible even
when the access to ports 0x8-0xa is not allowed. The updated
patch also fixes this case.


        Bernhard Kauer
Index: target-i386/helper.c
===================================================================
RCS file: /sources/qemu/qemu/target-i386/helper.c,v
retrieving revision 1.95
diff -u -r1.95 helper.c
--- target-i386/helper.c	18 Nov 2007 01:44:38 -0000	1.95
+++ target-i386/helper.c	8 Dec 2007 20:44:28 -0000
@@ -4250,7 +4332,8 @@
             uint64_t addr = ldq_phys(env->vm_vmcb + offsetof(struct vmcb, control.iopm_base_pa));
             uint16_t port = (uint16_t) (param >> 16);
 
-            if(ldub_phys(addr + port / 8) & (1 << (port % 8)))
+            uint16_t mask = (1 << ((param >> 4) & 7)) - 1;
+            if(lduw_phys(addr + port / 8) & (mask << (port & 7)))
                 vmexit(type, param);
         }
         break;
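Review bot: the corrected test relies on the size field at bits 4..6 of `param` holding exactly one of 1, 2 or 4 (8-, 16- or 32-bit access) so that `(1 << size) - 1` yields the masks 0x1, 0x3 and 0xf; a reserved encoding would only widen the mask and cause an extra intercept rather than a missed one, which is the safe direction. Two things to confirm before applying: `lduw_phys` reads the two bytes in guest (little-endian) order, so the following byte's bits land at positions 8..15 and `mask << (port & 7)` really does cover an access that straddles a byte boundary; and a multi-byte access at port 0xffff makes the 16-bit read touch the byte after the 8 KiB bit array, which must lie inside the IOPM region the VMCB points at. Minor style point: QEMU writes `if (` with a space, and the replaced line already changed `port % 8` to `port & 7`, so the new line could keep the same spelling of `port / 8` for consistency.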

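The cross-byte case described above, as an added C example that is not part of the patch or of QEMU: a constructed I/O permission bitmap with ports 0x8-0xa marked for intercept, the single-byte check from the original line, and the masked 16-bit check from the replacement line, so the missed 4-byte access at port 0x7 can be seen directly. The bitmap size, the `iopm_lduw` helper and the `scenario_*` functions are assumptions made for this example; the size-field decoding follows the hunk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed I/O permission bitmap: one bit per port, bit set = intercept.
 * 8 KiB covers 64K ports; one spare byte lets a 16-bit read at port 0xffff
 * stay in bounds (an assumption for this example, not the real IOPM layout). */
#define IOPM_BYTES (8192 + 1)
static uint8_t iopm[IOPM_BYTES];

static void iopm_intercept(uint16_t port)
{
    iopm[port / 8] |= (uint8_t)(1u << (port % 8));
}

/* Little-endian 16-bit read of the bitmap, standing in for lduw_phys on an
 * x86 target: bits of the following byte land at positions 8..15. */
static uint16_t iopm_lduw(size_t off)
{
    return (uint16_t)(iopm[off] | (iopm[off + 1] << 8));
}

/* Size field as decoded by the hunk: (param >> 4) & 7 gives 1, 2 or 4 bytes. */
static unsigned ioio_size(uint32_t param)
{
    return (param >> 4) & 7;
}

/* Check from the original line: only the first port's bit is examined. */
static int intercepted_old(uint16_t port, unsigned size)
{
    (void)size;
    return (iopm[port / 8] >> (port % 8)) & 1;
}

/* Check from the replacement line: a mask of `size` consecutive bits over a
 * 16-bit read, so an access straddling a byte boundary is covered. */
static int intercepted_new(uint16_t port, unsigned size)
{
    uint16_t mask = (uint16_t)((1u << size) - 1);
    return (iopm_lduw(port / 8) & (uint16_t)(mask << (port & 7))) != 0;
}

/* Scenario from the mail: ports 0x8-0xa are not allowed, everything else is. */
static void scenario_setup(void)
{
    memset(iopm, 0, sizeof iopm);
    iopm_intercept(0x8);
    iopm_intercept(0x9);
    iopm_intercept(0xa);
}

int main(void)
{
    scenario_setup();
    /* 4-byte access at port 0x7 touches ports 0x7..0xa. */
    printf("old check, 4 bytes at 0x7: %s\n",
           intercepted_old(0x7, 4) ? "intercepted" : "MISSED");
    printf("new check, 4 bytes at 0x7: %s\n",
           intercepted_new(0x7, 4) ? "intercepted" : "MISSED");
    printf("new check, 1 byte  at 0x7: %s\n",
           intercepted_new(0x7, ioio_size(1u << 4)) ? "intercepted" : "allowed");
    return 0;
}
```

The old check reports the 4-byte access at port 0x7 as allowed because only bit 7 of byte 0 is read, while the new check picks up bits 8..10 from the next byte; a 1-byte access at 0x7 stays allowed under both.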