Changeset 5342

Timestamp:

10/17/07 09:30:36 (1 year ago)

Author:

vboxsync

Message:

Protect cmpxchg emulation

Files:

• trunk/include/VBox/em.h (modified) (1 diff)
• trunk/src/VBox/VMM/VMMGC/EMGCA.asm (modified) (3 diffs)
• trunk/src/VBox/VMM/VMMGC/MMRamGC.cpp (modified) (3 diffs)

trunk/include/VBox/em.h

@@ -457 +457 @@
-EMGCDECL(int) EMGCTrap(PVM pVM, unsigned uTrap, PCPUMCTXCORE pRegFrame);
-
-
-
+, uint32_t *pEflags
+, uint32_t *pEflags
-
-/** @} */

trunk/src/VBox/VMM/VMMGC/EMGCA.asm

@@ -26 +26 @@
-;;
-; Emulate lock CMPXCHG instruction, CDECL calling conv.
-
+, uint32_t *pEflags
-;
-EFLAGS after the operation, only arithmetic flags is vali
+eax=0 if data written, other code - invalid access, #PF was generate
-; @param    [esp + 04h]    Param 1 - First parameter - pointer to first parameter
-; @param    [esp + 08h]    Param 2 - Second parameter - pointer to second parameter (eax)
-; @param    [esp + 0ch]    Param 3 - Third parameter - third parameter
-; @param    [esp + 10h]    Param 4 - Size of parameters, only 1/2/4 is valid.
+; @param    [esp + 14h]    Param 4 - Pointer to eflags (out)
-; @uses     eax, ecx, edx
-;
@@ -79 +80 @@
-    pop     eax
-
+    mov     edx, [esp + 14h + 4]            ; eflags pointer
+    mov     dword [edx], eax
+
-    pop     ebx
+    mov     eax, VINF_SUCCESS
-    retn
+
+; Read error - we will be here after our page fault handler.
+GLOBALNAME EMGCEmulateLockCmpXchg_Error
+    pop     ebx
+    mov     eax, VERR_ACCESS_DENIED
+    ret
+
-ENDPROC     EMGCEmulateLockCmpXchg
-
-;;
-; Emulate CMPXCHG instruction, CDECL calling conv.
-
+, uint32_t *pEflags
-;
-EFLAGS after the operation, only arithmetic flags is vali
+eax=0 if data written, other code - invalid access, #PF was generate
-; @param    [esp + 04h]    Param 1 - First parameter - pointer to first parameter
-; @param    [esp + 08h]    Param 2 - Second parameter - pointer to second parameter (eax)
-; @param    [esp + 0ch]    Param 3 - Third parameter - third parameter
-; @param    [esp + 10h]    Param 4 - Size of parameters, only 1/2/4 is valid.
+; @param    [esp + 14h]    Param 4 - Pointer to eflags (out)
-; @uses     eax, ecx, edx
-;
@@ -138 +151 @@
-    pop     eax
-
+    mov     edx, [esp + 14h + 4]        ; eflags pointer
+    mov     dword [edx], eax
+
-    pop     ebx
+    mov     eax, VINF_SUCCESS
-    retn
+
+; Read error - we will be here after our page fault handler.
+GLOBALNAME EMGCEmulateCmpXchg_Error
+    pop     ebx
+    mov     eax, VERR_ACCESS_DENIED
+    ret
-ENDPROC     EMGCEmulateCmpXchg

trunk/src/VBox/VMM/VMMGC/MMRamGC.cpp

@@ -24 +24 @@
-#include <VBox/cpum.h>
-#include <VBox/trpm.h>
+#include <VBox/em.h>
-#include "MMInternal.h"
-#include <VBox/vm.h>
@@ -40 +41 @@
-DECLASM(void) MMGCRamReadNoTrapHandler_EndProc(void);
-DECLASM(void) MMGCRamWriteNoTrapHandler_EndProc(void);
-
+
+
+
+
-DECLASM(void) MMGCRamRead_Error(void);
-DECLASM(void) MMGCRamWrite_Error(void);
@@ -166 +170 @@
-        return VINF_SUCCESS;
-    }
+    else if (    (uintptr_t)&EMGCEmulateLockCmpXchg < (uintptr_t)pRegFrame->eip
+             &&  (uintptr_t)pRegFrame->eip < (uintptr_t)&EMGCEmulateLockCmpXchg_EndProc)
+    {
+        /*
+         * Page fault inside EMGCEmulateLockCmpXchg() func.
+         */
+
+        /* Return execution to func at error label. */
+        pRegFrame->eip = (uintptr_t)&EMGCEmulateLockCmpXchg_Error;
+        return VINF_SUCCESS;
+    }
+    else if (    (uintptr_t)&EMGCEmulateCmpXchg < (uintptr_t)pRegFrame->eip
+             &&  (uintptr_t)pRegFrame->eip < (uintptr_t)&EMGCEmulateCmpXchg_EndProc)
+    {
+        /*
+         * Page fault inside EMGCEmulateCmpXchg() func.
+         */
+
+        /* Return execution to func at error label. */
+        pRegFrame->eip = (uintptr_t)&EMGCEmulateCmpXchg_Error;
+        return VINF_SUCCESS;
+    }
-
-    /* #PF is not handled - kill the Hypervisor. */