Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS

Liran Alon <liran.alon@xxxxxxxxxx> writes:

> As reported by Maxime at
> https://bugzilla.kernel.org/show_bug.cgi?id=204175:
>
> In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode,
> the base address of the memory operand is computed with a simple:
>     *ret = s.base + off;
>
> This is incorrect, the base applies only to FS and GS, not to the others.
> Because of that, if the guest uses a VMX instruction based on DS and has
> a DS.base that is non-zero, KVM wrongfully adds the base to the
> resulting address.
>
> Reported-by: Maxime Villard <max@xxxxxxxxxxx>
> Reviewed-by: Joao Martins <joao.m.martins@xxxxxxxxxx>
> Signed-off-by: Liran Alon <liran.alon@xxxxxxxxxx>
> ---
>  arch/x86/kvm/vmx/nested.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 18efb338ed8a..e01e1b6b8167 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -4068,6 +4068,8 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
>  		 * mode, e.g. a 32-bit address size can yield a 64-bit virtual
>  		 * address when using FS/GS with a non-zero base.
>  		 */
> +		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))
> +			s.base = 0;

(personal preference)

I'd rather write this as

    /* In long mode only FS and GS bases are considered */
    if (seg_reg == VCPU_SREG_FS || seg_reg == VCPU_SREG_GS)
       *ret = s.base + off;
    else
       *ret = off;

>  		*ret = s.base + off;
>  
>  		/* Long mode: #GP(0)/#SS(0) if the memory address is in a
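Review bot: the comment immediately above the new check ("a 32-bit address size can yield a 64-bit virtual address when using FS/GS with a non-zero base") is no longer the whole story once `s.base` is forced to 0 for CS/DS/ES/SS; extend that comment to say that in long mode only the FS and GS bases are applied, so the reason for the two added lines is documented next to them. Also note that the fix mutates the local `s` rather than the final computation, so the code that follows `*ret = s.base + off;` (the `/* Long mode: #GP(0)/#SS(0) ...` checks) now sees a zero base for those segments; worth confirming that is the intended input for those checks rather than only for the address computation.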

As-is or rewritten with my suggestion,

Reviewed-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>

-- 
Vitaly
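To make the behaviour the patch corrects concrete, the following is an added example (not KVM's code and not part of this thread) that models the long-mode address computation in get_vmx_mem_address() before and after the fix. The enum values, the `seg_cache` struct and the `addr_size` parameter are simplified stand-ins for KVM's `VCPU_SREG_*` constants, its cached segment state `s`, and the address-size handling the quoted comment alludes to; they are assumptions for the example, not KVM's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Segment register indices; local constants for this example only,
 * mirroring the role of KVM's VCPU_SREG_* values (assumption). */
enum seg_reg { SREG_ES = 0, SREG_CS, SREG_SS, SREG_DS, SREG_FS, SREG_GS };

/* Minimal stand-in for the cached segment state the patch reads as `s`. */
struct seg_cache {
    uint64_t base;
    uint32_t limit;
};

/* Truncate the displacement/index-computed offset to the instruction's
 * address size (16, 32 or 64 bits). The base is added afterwards, which is
 * why FS/GS with a non-zero base can still yield a 64-bit linear address
 * even for a 32-bit address size, as the comment in the hunk notes. */
static uint64_t truncate_to_addr_size(uint64_t off, int addr_size)
{
    switch (addr_size) {
    case 16: return off & 0xffffULL;
    case 32: return off & 0xffffffffULL;
    default: return off;
    }
}

/* Address computation before the fix: every segment's base is added,
 * which is wrong in 64-bit mode for CS/DS/ES/SS. */
uint64_t vmx_mem_addr_before(enum seg_reg seg, const struct seg_cache *s,
                             uint64_t off, int addr_size)
{
    (void)seg; /* the segment register is not consulted at all */
    return s->base + truncate_to_addr_size(off, addr_size);
}

/* Address computation after the fix: in 64-bit mode the processor treats
 * the base of CS/DS/ES/SS as zero, so only FS and GS contribute. */
uint64_t vmx_mem_addr_after(enum seg_reg seg, const struct seg_cache *s,
                            uint64_t off, int addr_size)
{
    uint64_t base = (seg == SREG_FS || seg == SREG_GS) ? s->base : 0;
    return base + truncate_to_addr_size(off, addr_size);
}

/* Constructed sample: a guest with a non-zero DS.base (legal to load in
 * long mode even though the CPU ignores it) issuing a DS-relative VMX
 * instruction, and an FS-relative one with a high FS.base. */
int main(void)
{
    struct seg_cache ds = { .base = 0x1000, .limit = 0xffffffff };
    struct seg_cache fs = { .base = 0xffff800000000000ULL, .limit = 0xffffffff };

    printf("DS: before=0x%llx after=0x%llx\n",
           (unsigned long long)vmx_mem_addr_before(SREG_DS, &ds, 0x2000, 64),
           (unsigned long long)vmx_mem_addr_after(SREG_DS, &ds, 0x2000, 64));
    printf("FS (32-bit addr size): after=0x%llx\n",
           (unsigned long long)vmx_mem_addr_after(SREG_FS, &fs, 0x10, 32));
    return 0;
}
```

The DS case shows the divergence the bug report describes: the pre-fix computation lands 0x1000 past the address the guest actually referenced, which is the kind of mismatch that makes a nested hypervisor read or write a different guest page than it intended. The FS case shows why the patch must not simply drop the base for every segment.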


