On Thu, Dec 13, 2012 at 06:45:26PM -0200, Marcelo Tosatti wrote:
> On Thu, Dec 13, 2012 at 02:24:18PM +0200, Gleb Natapov wrote:
> > On Thu, Dec 13, 2012 at 01:11:55PM +0100, Paolo Bonzini wrote:
> > > MOV immediate instruction (opcodes 0xB8-0xBF) may take 64-bit operand.
> > > Some hypervisor implementations assumed the operand is 32-bit. This
> > > should never happen because the instruction has no memory operand, but
> > > (like the existing test_mmx_movq_mf) the testcase tricks the emulator
> > > into executing one by mismatching the page tables and the corresponding
> > > TLB entry.
> > >
> > BTW, how was the bug found? Why was the instruction emulated at all? Maybe
> > there is a bug somewhere that makes KVM emulate something it should not.
>
> During switch to protected mode. SS.DPL=3, SS.RPL=0.

Yes, looks like a bug. We set SS.DPL to 3 to enter vm86 and this leaks to
protected mode. There are a lot of those. I am trying to fix this mess.

--
	Gleb.
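As an added illustration of the decoding rule the commit message describes (not code from the KVM patch or its test case), the following C decoder derives the immediate size of MOV r, imm from the 0x66 and REX.W prefixes; the sample encodings are constructed here and the function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode MOV r16/r32/r64, imm (opcodes 0xB8-0xBF) at insn[0..len).
 * Handles the prefixes that change the immediate size: 0x66 and, in
 * 64-bit mode, a REX byte (0x40-0x4F) directly before the opcode.
 * Stores the immediate (zero-extended) in *imm and returns the encoded
 * length, or 0 if this is not a MOV immediate or the bytes are truncated. */
size_t decode_mov_imm(const uint8_t *insn, size_t len, bool long_mode,
                      uint64_t *imm)
{
    size_t i = 0, imm_len;
    bool opsize16 = false, rex_w = false;

    if (i < len && insn[i] == 0x66) { opsize16 = true; i++; }
    if (long_mode && i < len && (insn[i] & 0xF0) == 0x40) {
        rex_w = (insn[i] & 0x08) != 0;   /* REX.B (r8-r15) not needed here */
        i++;
    }
    if (i >= len || insn[i] < 0xB8 || insn[i] > 0xBF)
        return 0;
    i++;
    /* REX.W selects a full 64-bit immediate: the case the patch fixes.
     * An emulator that always assumed imm32 would report length 6 for a
     * REX.W form and resume fetching from inside the immediate. */
    imm_len = rex_w ? 8 : (opsize16 ? 2 : 4);
    if (len - i < imm_len)
        return 0;
    *imm = 0;
    for (size_t k = 0; k < imm_len; k++)        /* little-endian */
        *imm |= (uint64_t)insn[i + k] << (8 * k);
    return i + imm_len;
}

/* Constructed sample encodings (not from the page). */
static const uint8_t MOV_RAX_IMM64[] = { 0x48, 0xB8, 0x88, 0x77, 0x66, 0x55,
                                         0x44, 0x33, 0x22, 0x11 };
static const uint8_t MOV_EAX_IMM32[] = { 0xB8, 0x78, 0x56, 0x34, 0x12 };
static const uint8_t MOV_AX_IMM16[]  = { 0x66, 0xB8, 0x34, 0x12 };

/* Convenience wrapper: the decoded immediate, or 0 on decode failure. */
uint64_t mov_imm_value(const uint8_t *insn, size_t len, bool long_mode)
{
    uint64_t v = 0;
    return decode_mov_imm(insn, len, long_mode, &v) ? v : 0;
}
```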