Changeset 37058 in vbox

Timestamp:

May 13, 2011 9:06:40 AM (13 years ago)

Author:

vboxsync

Message:

-> office

Location:

trunk/src/VBox/VMM/VMMAll

Files:

• IEMAll.cpp (modified) (7 diffs)
• IEMAllCImpl.cpp.h (modified) (17 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -538 +538 @@
 *******************************************************************************/
 static VBOXSTRICTRC     iemRaiseTaskSwitchFaultCurrentTSS(PIEMCPU pIemCpu);
+static VBOXSTRICTRC     iemRaiseSelectorNotPresent(PIEMCPU pIemCpu, uint32_t iSegReg, uint32_t fAccess);
+static VBOXSTRICTRC     iemRaiseSelectorNotPresentBySelector(PIEMCPU pIemCpu, uint16_t uSel);
 static VBOXSTRICTRC     iemRaiseSelectorNotPresentWithErr(PIEMCPU pIemCpu, uint16_t uErr);
 static VBOXSTRICTRC     iemRaiseGeneralProtectionFault(PIEMCPU pIemCpu, uint16_t uErr);
 static VBOXSTRICTRC     iemRaiseGeneralProtectionFault0(PIEMCPU pIemCpu);
+static VBOXSTRICTRC     iemRaiseGeneralProtectionFaultBySelector(PIEMCPU pIemCpu, RTSEL uSel);
 static VBOXSTRICTRC     iemRaiseSelectorBounds(PIEMCPU pIemCpu, uint32_t iSegReg, uint32_t fAccess);
 static VBOXSTRICTRC     iemRaiseSelectorInvalidAccess(PIEMCPU pIemCpu, uint32_t iSegReg, uint32_t fAccess);
-static VBOXSTRICTRC     iemRaiseSelectorNotPresent(PIEMCPU pIemCpu, uint32_t iSegReg, uint32_t fAccess);
 static VBOXSTRICTRC     iemRaisePageFault(PIEMCPU pIemCpu, RTGCPTR GCPtrWhere, uint32_t fAccess, int rc);
 static VBOXSTRICTRC     iemMemFetchDataU32(PIEMCPU pIemCpu, uint32_t *pu32Dst, uint8_t iSegReg, RTGCPTR GCPtrMem);
@@ -1199 +1201 @@
     } while (0)
 
+
+/** @name  Misc Worker Functions.
+ * @{
+ */
+
+
+/**
+ * Validates a new SS segment.
+ *
+ * @returns VBox strict status code.
+ * @param   pIemCpu         The IEM per CPU instance data.
+ * @param   pCtx            The CPU context.
+ * @param   NewSS           The new SS selctor.
+ * @param   uCpl            The CPL to load the stack for.
+ * @param   pDesc           Where to return the descriptor.
+ */
+static VBOXSTRICTRC iemMiscValidateNewSS(PIEMCPU pIemCpu, PCCPUMCTX pCtx, RTSEL NewSS, uint8_t uCpl, PIEMSELDESC pDesc)
+{
+    /* Null selectors are not allowed (we're not called for dispatching
+       interrupts with SS=0 in long mode). */
+    if (!(NewSS & (X86_SEL_MASK | X86_SEL_LDT)))
+    {
+        Log(("iemMiscValidateNewSSandRsp: #x - null selector -> #GP(0)\n", NewSS));
+        return iemRaiseGeneralProtectionFault0(pIemCpu);
+    }
+
+    /*
+     * Read the descriptor.
+     */
+    VBOXSTRICTRC rcStrict = iemMemFetchSelDesc(pIemCpu, pDesc, NewSS);
+    if (rcStrict != VINF_SUCCESS)
+        return rcStrict;
+
+    /*
+     * Perform the descriptor validation documented for LSS, POP SS and MOV SS.
+     */
+    if (!pDesc->Legacy.Gen.u1DescType)
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - system selector -> #GP\n", NewSS, pDesc->Legacy.Gen.u4Type));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, NewSS);
+    }
+
+    if (   (pDesc->Legacy.Gen.u4Type & X86_SEL_TYPE_CODE)
+        || !(pDesc->Legacy.Gen.u4Type & X86_SEL_TYPE_WRITE) )
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - code or read only (%#x) -> #GP\n", NewSS, pDesc->Legacy.Gen.u4Type));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, NewSS);
+    }
+    if (    (pDesc->Legacy.Gen.u4Type & X86_SEL_TYPE_CODE)
+        || !(pDesc->Legacy.Gen.u4Type & X86_SEL_TYPE_WRITE) )
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - code or read only (%#x) -> #GP\n", NewSS, pDesc->Legacy.Gen.u4Type));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, NewSS);
+    }
+    /** @todo testcase: check if the TSS.ssX RPL is checked. */
+    if ((NewSS & X86_SEL_RPL) != uCpl)
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - RPL and CPL (%d) differs -> #GP\n", NewSS, uCpl));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, NewSS);
+    }
+    if (pDesc->Legacy.Gen.u2Dpl != uCpl)
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - DPL (%d) and CPL (%d) differs -> #GP\n", NewSS, pDesc->Legacy.Gen.u2Dpl, uCpl));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, NewSS);
+    }
+
+    /* Is it there? */
+    /** @todo testcase: Is this checked before the canonical / limit check below? */
+    if (!pDesc->Legacy.Gen.u1Present)
+    {
+        Log(("iemMiscValidateNewSSandRsp: %#x - segment not present -> #NP\n", NewSS));
+        return iemRaiseSelectorNotPresentBySelector(pIemCpu, NewSS);
+    }
+
+    return VINF_SUCCESS;
+}
+
+
+/** @}  */
 
 /** @name  Raising Exceptions.
@@ -1528 +1609 @@
     /** @todo is the RPL of the interrupt/trap gate descriptor checked? */
 
+    /* Check the new EIP against the new CS limit. */
+    uint32_t const uNewEip =    Idte.Gate.u4Type == X86_SEL_TYPE_SYS_286_INT_GATE
+                             || Idte.Gate.u4Type == X86_SEL_TYPE_SYS_286_TRAP_GATE
+                           ? Idte.Gate.u16OffsetLow
+                           : Idte.Gate.u16OffsetLow | ((uint32_t)Idte.Gate.u16OffsetHigh << 16);
+    uint32_t cbLimit = X86DESC_LIMIT(DescCS.Legacy);
+    if (DescCS.Legacy.Gen.u1Granularity)
+        cbLimit = (cbLimit << PAGE_SHIFT) | PAGE_OFFSET_MASK;
+    if (uNewEip > X86DESC_LIMIT(DescCS.Legacy))
+    {
+        Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - DPL (%d) > CPL (%d) -> #GP\n",
+             u8Vector, NewCS, DescCS.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
+        return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & (X86_SEL_MASK | X86_SEL_LDT));
+    }
+
+    /* Make sure the selector is present. */
+    if (!DescCS.Legacy.Gen.u1Present)
+    {
+        Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - segment not present -> #NP\n", u8Vector, NewCS));
+        return iemRaiseSelectorNotPresentBySelector(pIemCpu, NewCS);
+    }
+
     /*
      * If the privilege level changes, we need to get a new stack from the TSS.
+     * This in turns means validating the new SS and ESP...
      */
-    uint8_t const uNewCpl = DescCS.Legacy.Gen.u4Type & X86_SEL_TYPE_CONF
-                          ? pIemCpu->uCpl : DescCS.Legacy.Gen.u2Dpl;
+    uint8_t const   uNewCpl = DescCS.Legacy.Gen.u4Type & X86_SEL_TYPE_CONF
+                            ? pIemCpu->uCpl : DescCS.Legacy.Gen.u2Dpl;
+    uint32_t        uNewEsp;
+    RTSEL           NewSS;
+    uint32_t        fNewSSAttr;
+    uint32_t        cbNewSSLimit;
+    uint64_t        uNewSSBase;
+
     if (uNewCpl != pIemCpu->uCpl)
     {
-        uint32_t uNewEsp;
-        RTSEL    uNewSs;
-        rcStrict = iemRaiseLoadStackFromTss32Or16(pIemCpu, pCtx, uNewCpl, &uNewSs, &uNewEsp);
+        rcStrict = iemRaiseLoadStackFromTss32Or16(pIemCpu, pCtx, uNewCpl, &NewSS, &uNewEsp);
         if (rcStrict != VINF_SUCCESS)
             return rcStrict;
-
-    }
+        IEMSELDESC DescSS;
+        rcStrict = iemMiscValidateNewSS(pIemCpu, pCtx, NewSS, uNewCpl, &DescSS);
+        if (rcStrict != VINF_SUCCESS)
+            return rcStrict;
+        fNewSSAttr   = X86DESC_GET_HID_ATTR(DescSS.Legacy);
+        cbNewSSLimit = X86DESC_LIMIT(DescSS.Legacy);
+        if (DescSS.Legacy.Gen.u1Granularity)
+            cbNewSSLimit = (cbNewSSLimit << PAGE_SHIFT) | PAGE_OFFSET_MASK;
+        uNewSSBase   = X86DESC_BASE(DescSS.Legacy);
+    }
+    else
+    {
+        uNewEsp      = pCtx->esp;
+        NewSS        = pCtx->ss;
+        fNewSSAttr   = pCtx->ssHid.Attr.u;
+        cbNewSSLimit = pCtx->ssHid.u32Limit;
+        uNewSSBase   = pCtx->ssHid.u64Base;
+    }
+
+    /*
+     * Check if we have the space for the stack frame.
+     */
+
+
+    /*
+     * Set the CS and maybe SS accessed bits.
+     */
+    /** @todo testcase: excatly when is the accessed bit set, before or after
+     *        pushing the stack frame. (write protect the gdt + stack to find
+     *        out). */
+
 
     return VERR_NOT_IMPLEMENTED;
@@ -1741 +1878 @@
 {
     return iemRaiseGeneralProtectionFault(pIemCpu, 0);
+}
+
+
+/** \#GP(sel) - 0d.  */
+static VBOXSTRICTRC iemRaiseGeneralProtectionFaultBySelector(PIEMCPU pIemCpu, RTSEL Sel)
+{
+    return iemRaiseGeneralProtectionFault(pIemCpu, Sel & (X86_SEL_MASK | X86_SEL_LDT));
 }
 
@@ -4065 +4209 @@
                  uSel, pCtx->ldtrHid.u32Limit, pCtx->ldtr));
             /** @todo is this the right exception? */
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
 
@@ -4077 +4221 @@
             Log(("iemMemFetchSelDesc: GDT selector %#x is out of bounds (%3x)\n", uSel, pCtx->gdtr.cbGdt));
             /** @todo is this the right exception? */
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
         GCPtrBase = pCtx->gdtr.pGdt;
@@ -4098 +4242 @@
             Log(("iemMemFetchSelDesc: system selector %#x is out of bounds\n", uSel));
             /** @todo is this the right exception? */
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
     }

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

@@ -723 +723 @@
 
     /* Is it there? */
-    if (!Desc.Legacy.Gen.u1Present)
+    if (!Desc.Legacy.Gen.u1Present) /** @todo this is probably checked too early. Testcase! */
     {
         Log(("jmpf %04x:%08x -> segment not present\n", uSel, offSeg));
@@ -738 +738 @@
         {
             Log(("jmpf %04x:%08x -> not a code selector (u4Type=%#x).\n", uSel, offSeg, Desc.Legacy.Gen.u4Type));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
 
@@ -747 +747 @@
         {
             Log(("jmpf %04x:%08x -> both L and D are set.\n", uSel, offSeg));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
 
@@ -757 +757 @@
                 Log(("jmpf %04x:%08x -> DPL violation (conforming); DPL=%d CPL=%u\n",
                      uSel, offSeg, Desc.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
         }
@@ -765 +765 @@
             {
                 Log(("jmpf %04x:%08x -> CPL != DPL; DPL=%d CPL=%u\n", uSel, offSeg, Desc.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
             if ((uSel & X86_SEL_RPL) > pIemCpu->uCpl)
             {
                 Log(("jmpf %04x:%08x -> RPL > DPL; RPL=%d CPL=%u\n", uSel, offSeg, (uSel & X86_SEL_RPL), pIemCpu->uCpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
         }
@@ -787 +787 @@
             {
                 Log(("jmpf %04x:%08x -> out of bounds (%#x)\n", uSel, offSeg, cbLimit));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
             u64Base = X86DESC_BASE(Desc.Legacy);
@@ -834 +834 @@
             default:
                 Log(("jmpf %04x:%08x -> wrong sys selector (64-bit): %d\n", uSel, offSeg, Desc.Legacy.Gen.u4Type));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
 
         }
@@ -859 +859 @@
         default:
             Log(("jmpf %04x:%08x -> wrong sys selector (32-bit): %d\n", uSel, offSeg, Desc.Legacy.Gen.u4Type));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
     }
 }
@@ -1346 +1346 @@
     {
         Log(("load sreg %d - system selector (%#x) -> #GP\n", iSegReg, uSel, Desc.Legacy.Gen.u4Type));
-        return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
     }
     if (iSegReg == X86_SREG_SS) /* SS gets different treatment */
@@ -1354 +1354 @@
         {
             Log(("load sreg SS, %#x - code or read only (%#x) -> #GP\n", uSel, Desc.Legacy.Gen.u4Type));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
         if (    (Desc.Legacy.Gen.u4Type & X86_SEL_TYPE_CODE)
@@ -1360 +1360 @@
         {
             Log(("load sreg SS, %#x - code or read only (%#x) -> #GP\n", uSel, Desc.Legacy.Gen.u4Type));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
         if ((uSel & X86_SEL_RPL) != pIemCpu->uCpl)
         {
             Log(("load sreg SS, %#x - RPL and CPL (%d) differs -> #GP\n", uSel, pIemCpu->uCpl));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
         if (Desc.Legacy.Gen.u2Dpl != pIemCpu->uCpl)
         {
             Log(("load sreg SS, %#x - DPL (%d) and CPL (%d) differs -> #GP\n", uSel, Desc.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
     }
@@ -1378 +1378 @@
         {
             Log(("load sreg%u, %#x - execute only segment -> #GP\n", iSegReg, uSel));
-            return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+            return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
         }
         if (   (Desc.Legacy.Gen.u4Type & (X86_SEL_TYPE_CODE | X86_SEL_TYPE_CONF))
@@ -1389 +1389 @@
                 Log(("load sreg%u, %#x - both RPL (%d) and CPL (%d) are greater than DPL (%d) -> #GP\n",
                      iSegReg, uSel, (uSel & X86_SEL_RPL), pIemCpu->uCpl, Desc.Legacy.Gen.u2Dpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
 #else /* this is what makes more sense. */
@@ -1396 +1396 @@
                 Log(("load sreg%u, %#x - RPL (%d) is greater than DPL (%d) -> #GP\n",
                      iSegReg, uSel, (uSel & X86_SEL_RPL), Desc.Legacy.Gen.u2Dpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
             if (pIemCpu->uCpl > Desc.Legacy.Gen.u2Dpl)
@@ -1402 +1402 @@
                 Log(("load sreg%u, %#x - CPL (%d) is greater than DPL (%d) -> #GP\n",
                      iSegReg, uSel, pIemCpu->uCpl, Desc.Legacy.Gen.u2Dpl));
-                return iemRaiseGeneralProtectionFault(pIemCpu, uSel & (X86_SEL_MASK | X86_SEL_LDT));
+                return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uSel);
             }
 #endif
@@ -1671 +1671 @@
     {
         Log(("lldt %04x - LDT selector -> #GP\n", uNewLdt));
-        return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & (X86_SEL_MASK | X86_SEL_LDT));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uNewLdt);
     }
 
@@ -1780 +1780 @@
     {
         Log(("ltr %04x - LDT selector -> #GP\n", uNewTr));
-        return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & (X86_SEL_MASK | X86_SEL_LDT));
+        return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uNewTr);
     }
     if ((uNewTr & X86_SEL_MASK) == 0)