On 7/29/22 18:53, Sean Christopherson wrote: > On Fri, Jul 29, 2022, Michal Luczaj wrote: >> + * To trigger the emulator and feed it with LEA, we VM-exit on IO (with a >> + * single OUTS), then race decoder's instruction fetch - hoping to replace the >> + * initial IO op with an illegal LEA. > > Rather than play games with memory, can't we just require and use force_emulation_prefix > to force KVM to emulate a bogus LEA encoding? emulator.c in KVM-unit-tests already has > most of what you need, e.g. I believe it's just a matter of implementing > test_illegal_lea(). That test already has test_smsw_reg(), which is darn near the > same thing, it just expects a different result (success instead of #UD). > > diff --git a/x86/emulator.c b/x86/emulator.c > index cd78e3cb..dd50578d 100644 > --- a/x86/emulator.c > +++ b/x86/emulator.c > @@ -1193,6 +1193,7 @@ int main(void) > test_smsw_reg(mem); > test_nop(mem); > test_mov_dr(mem); > + test_illegal_lea(); > } else { > report_skip("skipping register-only tests, " > "use kvm.force_emulation_prefix=1 to enable"); > Ahh, right. Using force_emulation_prefix seems way better. Thanks! I'll add "kvm-unit-tests" in the subject and send as v2 PATCH. Michal
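Review bot: test_illegal_lea() is called from main() in this hunk but never defined, so the sketch will not build until the function itself lands in v2; per the surrounding discussion it should mirror test_smsw_reg() but expect #UD (rather than success) from the bogus LEA encoding fed through the forced-emulation prefix. Keeping the call inside the branch guarded by the report_skip("... use kvm.force_emulation_prefix=1 to enable") fallback is correct, since the test relies on that prefix; note the other calls there take mem while test_illegal_lea() takes no argument, which is fine only as long as the illegal encoding needs no memory operand.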