On 24/10/2017 13:10, Pedro Fonseca wrote:
> Hi,
>
> During tests that we conducted on KVM, we noticed that executing a "PUSH %ES" instruction under KVM produces different results on both memory and the SP register depending on whether EPT support is enabled. With EPT the SP is reduced by 4 bytes (and the written value is 0-padded) but without EPT support it is only reduced by 2 bytes. The difference can be observed when the CS.DB field is 1 (32-bit) but not when it's 0 (16-bit).

Just one thing: your setup code is setting up selectors and DPL for a protected mode guest, but you are not initializing CR0.PE=1.

Paolo

> The test case initializes the VM with EIP=0, CS.DB=1, ES=0x10, and SP=0xFFE. Memory is initialized with 0x06 (PUSH %ES) and 0xF4 (HLT). The testing system was running Linux 4.12.5 and Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz.
>
> The test case (https://pastebin.com/ZejdtGEk) produces the output below. Note that 0x10 is written to 0xFFA on EPT=1 but it's written to 0xFFC on EPT=0.
>
>> $ insmod kvm-intel.ko
>> $ sudo ./reproduce-push_es
>> Executing KVM_RUN
>> KVM_RUN exited (exit_reason: 5, KVM_EXIT_HLT)
>> 0000: 06 f4 00 00 00 00 00 00
>> 0008: 00 00 00 00 00 00 00 00
>> 0ff8: 00 00 10 00 00 00 00 00
>> 1000: 00 00 00 00 00 00 00 00
>
>> $ insmod kvm-intel.ko ept=0
>> $ sudo ./reproduce-push_es
>> Executing KVM_RUN
>> KVM_RUN exited (exit_reason: 5, KVM_EXIT_HLT)
>> 0000: 06 f4 00 00 00 00 00 00
>> 0008: 00 00 00 00 00 00 00 00
>> 0ff8: 00 00 00 00 10 00 00 00
>> 1000: 00 00 00 00 00 00 00 00
>
>
> Thanks,
> Pedro
>
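As an added illustration, not code from the thread or from KVM: a small Python model of the PUSH <sreg> semantics the report relies on (SP drops by the operand size, the 16-bit selector lands at the new SP), run over the two stack dump lines quoted above to show which push width each run is consistent with. The selector (0x10), the initial SP (0xFFE) and the dump bytes are the report's own; the function names are mine.

```python
# Added example, not code from the thread: a model of PUSH <sreg> semantics
# used to check the two memory dumps quoted in the report. The selector (0x10),
# initial SP (0xFFE) and dump lines are the report's own; helper names are mine.
from typing import Dict, Tuple

SELECTOR_ES = 0x10   # ES value from the report
SP_INITIAL = 0xFFE   # SP before PUSH %ES, from the report
STACK_LINE = range(0xFF8, 0x1000)  # the dump line the report compares

def push_sreg(sp: int, selector: int, operand_size_32: bool) -> Tuple[int, Dict[int, int]]:
    """Model PUSH <sreg>: SP drops by the operand size (4 with CS.DB=1, 2 with
    CS.DB=0) and the 16-bit selector is written at the new SP. For a 32-bit push
    the upper two bytes may be zeroed or left untouched; the report's memory is
    zero-filled, so both variants give the same bytes here."""
    size = 4 if operand_size_32 else 2
    new_sp = (sp - size) & 0xFFFF
    writes = {new_sp: selector & 0xFF, new_sp + 1: (selector >> 8) & 0xFF}
    if operand_size_32:
        writes[new_sp + 2] = 0
        writes[new_sp + 3] = 0
    return new_sp, writes

def parse_dump(text: str) -> Dict[int, int]:
    """Parse 'addr: b0 b1 ...' lines, the format of the report's output."""
    mem: Dict[int, int] = {}
    for line in text.strip().splitlines():
        addr_s, _, bytes_s = line.partition(":")
        base = int(addr_s, 16)
        for i, b in enumerate(bytes_s.split()):
            mem[base + i] = int(b, 16)
    return mem

def classify(dump_text: str) -> str:
    """Return which push width the stack line of a dump is consistent with."""
    mem = parse_dump(dump_text)
    for width32, label in ((True, "32-bit push"), (False, "16-bit push")):
        _, writes = push_sreg(SP_INITIAL, SELECTOR_ES, width32)
        if all(mem.get(a, 0) == writes.get(a, 0) for a in STACK_LINE):
            return label
    return "neither"

# Stack dump lines copied from the report (memory starts zeroed, code at 0).
EPT_ON = "0ff8: 00 00 10 00 00 00 00 00"
EPT_OFF = "0ff8: 00 00 00 00 10 00 00 00"

if __name__ == "__main__":
    # With CS.DB=1 the 32-bit push is expected; only the ept=1 run shows it.
    print("ept=1:", classify(EPT_ON))   # 32-bit push
    print("ept=0:", classify(EPT_OFF))  # 16-bit push
```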