| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This is CVE-2013-4361 / XSA-66.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For one, repeat count clipping for MOVS must be done taking into
consideration both source and destination addresses.
And then we should allow a wrap on the final iteration only if either
the wrap is a precise one (i.e. the access itself doesn't wrap, just
the resulting index register value would) or if there is just one
iteration. In all other cases we should do a bulk operation first
without hitting the wrap, and then issue an individual iteration. If
we don't do it that way,
- the last iteration not completing successfully will cause the whole
operation to fail (i.e. registers not get updated to the failure
point)
- hvmemul_virtual_to_linear() may needlessly enforce non-repeated
operation
Additionally with the prior implementation there was a case
(df=1, ea=~0, reps=~0, bytes_per_rep=1) where we'd end up passing zero
reps back to the caller, yet various places assume that there's at
least on iteration.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With HVM's MMIO operand handling now being capable of splitting large
reads, there's no need to issue at most machine word size reads when
we really need wider operands.
Not that this is not done everywhere - there are a couple of cases
where keeping the reads separate is more natural (and folding them
would complicate the code rather than simplifying it).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We really need to check for a signed overflow of 8 bits, while the
previous check compared the sign-extended 8-bit result with the
zero-extended 16-bit one (which was wrong for all negative results).
Once at it
- also adjust the 16-bit comparison for symmetry
- improve the 8-bit multiplication (no need to zero-extend to 32-bits
the sign-extended to 16 bits original 8-bit value)
- fold both signed multiplication variants
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
| |
... for the case of accessing MMIO.
Rather than doing the early operand type adjustment for just for that
case, do it for all of the 0xF6, 0xF7, and 0xFF groups (allowing some
other code to be dropped instead).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
... for the case of accessing MMIO.
Also streamline the ARPL emulation a little, and add tests for both
instructions (the MOVSXD one requires a few other adjustments, as we
now need to run in a mode where the emulator's mode_64bit() returns
true).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- we used the C4/C5 (first prefix) byte instead of the apparent ModR/M
one as the second prefix byte
- early decoding normalized vex.reg, thus corrupting it for the main
consumer (copy_REX_VEX()), resulting in #UD on the two-operand
instructions we emulate
Also add respective test cases to the testing utility plus
- fix get_fpu() (the fall-through order was inverted)
- add cpu_has_avx2, even if it's currently unused (as in the new test
cases I decided to refrain from using AVX2 instructions in order to
be able to actually run all the tests on the hardware I have)
- slightly tweak cpu_has_avx to more consistently express the outputs
we don't care about (sinking them all into the same variable)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
| |
This opcode neither supports 1-byte operands, nor does it support
8-byte ones (since the opcode is undefined in 64-bit mode). Simplify
the code accordingly.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... and make restore conditional not only upon having saved the state,
but also upon whether saved state was actually modified (and register
values are known to have been preserved).
Note that RBP is unconditionally considered a volatile register (i.e.
irrespective of CONFIG_FRAME_POINTER), since the RBP handling would
become overly complicated due to the need to save/restore it on the
compat mode hypercall path [6th argument].
Note further that for compat mode code paths, saving/restoring R8...R15
is entirely unnecessary - we don't allow those guests to enter 64-bit
mode, and hence they have no way of seeing these registers' contents
(and there consequently also is no information leak, except if the
context saving domctl would be considered such).
Finally, note that this may not properly deal with gdbstub's needs, yet
(but if so, I can't really suggest adjustments, as I don't know that
code).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
| |
From: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Committed-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
An lea instruction with two register operands should raise an
undefined instruction exception.
Skype does such a instruction and will crash when starting if it does
not get the exception.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Keir Fraser <keir@xen.org>
Committed-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The only cases where we might end up emulating fsincos (as any other
x87 operations without memory operands) are
- when a HVM guest is in real mode (not applicable on AMD)
- between two half page table updates in PAE mode (unlikely, and not
doing the emulation here does affect only performance, not
correctness)
- when a guest maliciously (or erroneously) modifies an (MMIO or page
table update) instruction under emulation (unspecified behavior)
Hence, in order to avoid the erratum to cause harm to the entire host,
don't emulate fsincos on the affected AMD CPU families.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
| |
Utilize some of the additions in the prior patches to clean up other
code:
- keep track of REP prefixes in only one variable
- use REX_W in a few more places (instead of a literal number)
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These instructions are prefix selected flavors of bsf and bsr
respectively, and hence the presences of the F3 prefix must be handled
in the emulation code in order to avoid running into problems on newer
CPUs.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1058,6 +1058,9 @@ static bool_t vcpu_has(
return rc == X86EMUL_OKAY;
}
+#define vcpu_has_lzcnt() vcpu_has(0x80000001, ECX, 5, ctxt, ops)
+#define vcpu_has_bmi1() vcpu_has(0x00000007, EBX, 3, ctxt, ops)
+
#define vcpu_must_have(leaf, reg, bit) \
generate_exception_if(!vcpu_has(leaf, reg, bit, ctxt, ops), EXC_UD, -1)
#define vcpu_must_have_mmx() vcpu_must_have(0x00000001, EDX, 23)
@@ -4357,13 +4360,24 @@ x86_emulate(
dst.val = (uint8_t)src.val;
break;
- case 0xbc: /* bsf */ {
- int zf;
+ case 0xbc: /* bsf or tzcnt */ {
+ bool_t zf;
asm ( "bsf %2,%0; setz %b1"
: "=r" (dst.val), "=q" (zf)
- : "r" (src.val), "1" (0) );
+ : "r" (src.val) );
_regs.eflags &= ~EFLG_ZF;
- if ( zf )
+ if ( (rep_prefix == REPE_PREFIX) && vcpu_has_bmi1() )
+ {
+ _regs.eflags &= ~EFLG_CF;
+ if ( zf )
+ {
+ _regs.eflags |= EFLG_CF;
+ dst.val = op_bytes * 8;
+ }
+ else if ( !dst.val )
+ _regs.eflags |= EFLG_ZF;
+ }
+ else if ( zf )
{
_regs.eflags |= EFLG_ZF;
dst.type = OP_NONE;
@@ -4371,13 +4385,28 @@ x86_emulate(
break;
}
- case 0xbd: /* bsr */ {
- int zf;
+ case 0xbd: /* bsr or lzcnt */ {
+ bool_t zf;
asm ( "bsr %2,%0; setz %b1"
: "=r" (dst.val), "=q" (zf)
- : "r" (src.val), "1" (0) );
+ : "r" (src.val) );
_regs.eflags &= ~EFLG_ZF;
- if ( zf )
+ if ( (rep_prefix == REPE_PREFIX) && vcpu_has_lzcnt() )
+ {
+ _regs.eflags &= ~EFLG_CF;
+ if ( zf )
+ {
+ _regs.eflags |= EFLG_CF;
+ dst.val = op_bytes * 8;
+ }
+ else
+ {
+ dst.val = op_bytes * 8 - 1 - dst.val;
+ if ( !dst.val )
+ _regs.eflags |= EFLG_ZF;
+ }
+ }
+ else if ( zf )
{
_regs.eflags |= EFLG_ZF;
dst.type = OP_NONE;
|
|
|
|
|
|
|
|
|
|
| |
Clone the existing movq emulation to also support the most fundamental
SIMD FP moves.
Extend the testing code to also exercise these instructions.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend the existing movq emulation to also support its SSE2 and AVX
variants, the latter implying the addition of VEX decoding. Fold the
read and write cases (as most of the logic is identical), and add
movntq and variants (as they're very similar).
Extend the testing code to also exercise these instructions.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Certain instructions were introduced only after the i686 or original
x86-64 architecture, so we should not try to emulate them if the guest
is not seeing the respective feature enabled (or, worse, if the
underlying hardware doesn't support them). This affects fisttp,
movnti, and cmpxchg16b.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
| |
Original patch by Jan Beulich <jbeulich@suse.com>
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
| |
Need to emit assembler instruction fimull not fimul/fimuls.
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
| |
This is needed to compile xen with clang.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Acked-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
| |
Otherwise it defaults to 0 bytes.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir@xen.org>
|
|
|
|
|
|
|
| |
Some of these could be benignly discarded by the compiler but some are
actual bugs.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We recently found that FreeBSD 8.0 guest failed to install and boot on
Xen. The reason was that FreeBSD detected clflush feature and invoked
this instruction to flush MMIO space. This caused a page fault; but
x86_emulate.c failed to emulate this instruction (not supported). As a
result, a page fault was detected inside FreeBSD. A similar issue was
reported earlier.
http://lists.xensource.com/archives/html/xen-devel/2010-03/msg00362.html
From: Wei Huang <wei.huang2@amd.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
| |
Make various data items const or __read_mostly where
possible/reasonable.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
|
|
|
|
| |
Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
|
|
|
|
|
|
|
| |
Failure of in_longmode() shouldn't be treated the same as the function
returning 'true'.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Defer fail_if()-s as much as possible (in favor of possibly generating
exceptions), and avoid generating exceptions when not strictly
necessary.
Avoid fail_if()-s for simple return code checks (making the code that
used them consistent with other, longer existing code).
Eliminate redundant generate_exception_if()-s checking lock_prefix
(which is already covered by the general check prior to decoding
operands).
Also fix the testing code to add PROT_EXEC for the mapping that is
intended to have instruction executed from.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While Intel and AMD implementations differ in various respects when
it comes to non-default operand sizes of control transfer instructions
and segment register loads (lfs, lgs, lss), it seems to make senss to
(a) match their behavior if they agree and (b) prefer the more
permissive behavior if they don't agree:
- honor operand size overrides on near brances (AMD does, Intel
doesn't)
- honor operand size overrides on far branches (both Intel and AMD do)
- honor REX.W on far branches (Intel does, AMD doesn't except on far
returns)
- honor REX.W on lfs, lgs, and lss (Intel does, AMD doesn't)
Also, do not permit emulation of pushing/popping segment registers
other than fs and gs as well as that of les and lds (the latter are
particularly important due to the re-use of the respective opcodes as
VEX prefixes in AVX).
Signed-off-by: Jan Beulich <jbeulich@novell.com>
|
|
|
|
|
|
|
| |
1. Memory reads should be 16 bits only
2. Attempt to load %cs should result in #UD
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
| |
It is safer to retry in a loop via the caller.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
| |
Intercept #UD and emulate SYSCALL/SYSENTER/SYSEXIT as necessary.
Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a VMX guest tries to enter real mode, put it in virtual 8086 mode
instead, if that's possible. Handle all errors and corner cases by
falling back to the real-mode emulator.
This is similar to the old VMXASSIST system except it uses Xen's
x86_emulate emulator instead of having a partial emulator in the guest
firmware. It more than doubles the speed of real-mode operation on
VMX.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
|
|
|
|
|
|
|
|
| |
- Need to use EFLG_DF rather than EF_DF
- No need to force EAX destination for many opcodes, as this will be
the default behaviour for DstReg with no ModRM.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
|
| |
Linux added the use of movnti for copying from user to kernel space in
certain cases, and as per reports we got this may happen with the
destination being in MMIO.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
|
|
|
|
|
|
| |
be non-zero.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A minimal implementation of the Viridian (Hyper-V) guest
interface. The only enlightenments advertised and supported are vAPIC
MSRs and long-spin-wait notifications. The set of enlightenments can
easily be extended in future, as they are found to provide a
performance win, and configured via an extended HVM_PARAM_VIRIDIAN hvm
parameter.
Signed-off-by: Peter Johnston <peter.johnston@citrix.com>
Signed-off-by: Tim Deegan <tim.deegan@citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
|
| |
point at which the index register (SI/DI) wraps. This can cause a
discontinuity in the address range accessed by the repeated
instruction.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes an issue when x86_emulate is called with
force_writeback=1 set. It resulted in cmp and test instructions with
memory operands to have the mem value written back after instruction
emulation finished. This caused false alarms on writes to RO mem, and
might have caused other issues if unintended writes occured to device
registers in mmio space.
Signed-off-by: Trolle Selander <trolle.selander@eu.citrix.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide emulation for all FPU instructions except fsave/frstore &
fnstenv/fldenv.
While the main purpose of the patch is to avoid current and future
"gotchas" on FPU intructions used by various OS boot-loaders, it is
complete enough to run DOS realmode FPU applications and benchmarks,
but don't expect to set any speed records.
Signed-off-by: Trolle Selander <trolle.selander@eu.citrix.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
| |
pointer to emulator data buffer, and an arbitrary byte count (up to
the size of a page of memory).
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
| |
Emulation of SMSW is only restricted to 16-bit operation on memory
operands.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
|
|
|
|
|
|
| |
The lmsw instruction can be used to set CR0_PE, but can never clear
it, once set.
Signed-off-by: Trolle Selander <trolle.selander@eu.citrix.com>
|