On 17/10/19 03:23, Xiaoyao Li wrote:
> However, without force_emulation_prefix enabled, I'm not sure whether
> a malicious guest can create the case causing the emulation with a lock
> prefix and going to the emulator_cmpxchg_emulated().
> I found it impossible without force_emulation_prefix enabled and I'm not
> familiar with emulation at all. If I missed something, please let me know.

It's always possible to invoke the emulator on arbitrary instructions
without FEP:

1) use big real mode on processors without unrestricted mode

2) set up two processors racing between executing an MMIO access, and
rewriting it so that the emulator sees a different instruction

3) a variant of (2) where you rewrite the page tables so that the
processor's iTLB lookup uses a stale translation. Then the stale
translation can point to an MMIO access, while the emulator sees the
instruction pointed to by the current contents of the page tables.

FEP was introduced just to keep the test code clean.

Paolo