target-i386: Fixed syscall posssible segfault

In user-mode emulation env->idt.base memory is
allocated in linux-user/main.c with
size 8*512 = 4096 (for 64-bit).
When fake interrupt EXCP_SYSCALL is thrown
do_interrupt_user checks destination privilege level
for this fake exception, and tries to read 4 bytes
at address base + (256 * 2^4)=4096, that causes
segfault.

Privlege level was checked only for int's, so lets
read dpl from memory only for this case.

Signed-off-by: Stanislav Shmarov <snarpix@gmail.com>
Message-Id: <1473773008-2588376-1-git-send-email-snarpix@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Stanislav Shmarov 2016-09-13 16:23:28 +03:00 committed by Paolo Bonzini
parent 89d0a64f49
commit 885b7c44e4
1 changed files with 19 additions and 17 deletions

View File

@ -1137,6 +1137,7 @@ static void do_interrupt_real(CPUX86State *env, int intno, int is_int,
static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
int error_code, target_ulong next_eip)
{
if (is_int) {
SegmentCache *dt;
target_ulong ptr;
int dpl, cpl, shift;
@ -1154,9 +1155,10 @@ static void do_interrupt_user(CPUX86State *env, int intno, int is_int,
dpl = (e2 >> DESC_DPL_SHIFT) & 3;
cpl = env->hflags & HF_CPL_MASK;
/* check privilege if software int */
if (is_int && dpl < cpl) {
if (dpl < cpl) {
raise_exception_err(env, EXCP0D_GPF, (intno << shift) + 2);
}
}
/* Since we emulate only user space, we cannot do more than
exiting the emulation with the suitable exception and error