On 18/06/19 20:27, Borislav Petkov wrote:
> Right, and that right there looks wrong:
>
> ICLASS    : VMLOAD
> CPL       : 3
> CATEGORY  : SYSTEM
> EXTENSION : SVM
> ATTRIBUTES: PROTECTED_MODE
> PATTERN   : 0x0F 0x01 MOD[0b11] MOD=3 REG[0b011] RM[0b010]
> OPERANDS  : REG0=OrAX():r:IMPL
>
> That is, *if* "CPL: 3" above means in XED context that VMLOAD is
> supposed to be run in CPL3, then this is wrong because VMLOAD #GPs if
> CPL was not 0. Ditto for VMRUN and a couple of others.

This should not be related though: this is what syzkaller could place in
the guest, but the reproducer is much simpler and the vmload fault is
happening genuinely in the host. In particular, syz_kvm_setup_cpu's
arguments are all zero, so the guest is basically doing nothing.

Paolo