VirtualBox

Browse Source

Changeset 42427 in vbox

Timestamp:

Jul 26, 2012 11:48:01 PM (12 years ago)

Author:

vboxsync

Message:

VMM: Fixed some selector arithmetic, introducing a new constand and renaming and old one to make things clearer. Also added CPUMGetGuestLdtrEx and make some (but not all) of SELM use this instead of shadow GDT.

Location:

Files:

: 10 edited

include/VBox/vmm/cpum.h (modified) (1 diff)
include/VBox/vmm/cpumctx.h (modified) (1 diff)
include/VBox/vmm/selm.h (modified) (1 diff)
include/iprt/x86.h (modified) (1 diff)
src/VBox/VMM/VMMAll/CPUMAllRegs.cpp (modified) (2 diffs)
src/VBox/VMM/VMMAll/IEMAll.cpp (modified) (8 diffs)
src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h (modified) (21 diffs)
src/VBox/VMM/VMMAll/SELMAll.cpp (modified) (3 diffs)
src/VBox/VMM/VMMR3/SELM.cpp (modified) (15 diffs)
src/VBox/VMM/VMMRC/SELMRC.cpp (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/include/VBox/vmm/cpum.h

r42420	r42427
91	91	VMMDECL(RTSEL) CPUMGetGuestTR(PVMCPU pVCpu, PCPUMSELREGHID pHidden);
92	92	VMMDECL(RTSEL) CPUMGetGuestLDTR(PVMCPU pVCpu);
	93	VMMDECL(RTSEL) CPUMGetGuestLdtrEx(PVMCPU pVCpu, uint64_t pGCPtrBase, uint32_t pcbLimit);
93	94	VMMDECL(uint64_t) CPUMGetGuestCR0(PVMCPU pVCpu);
94	95	VMMDECL(uint64_t) CPUMGetGuestCR2(PVMCPU pVCpu);

trunk/include/VBox/vmm/cpumctx.h

r42415	r42427
86	86	&& ( (a_pSelReg)->ValidSel == (a_pSelReg)->Sel \
87	87	\|\| ( (a_pVCpu) /!= NULL/ \
88		&& (a_pSelReg)->ValidSel == ((a_pSelReg)->Sel & X86_SEL_MASK_RPL) \
	88	&& (a_pSelReg)->ValidSel == ((a_pSelReg)->Sel & X86_SEL_MASK_OFF_RPL) \
89	89	&& ((a_pSelReg)->Sel & X86_SEL_RPL) == 1 \
90	90	&& ((a_pSelReg)->ValidSel & X86_SEL_RPL) == 0 \

trunk/include/VBox/vmm/selm.h

r42407	r42427
80	80	VMMDECL(int) SELMValidateAndConvertCSAddr(PVMCPU pVCpu, X86EFLAGS eflags, RTSEL SelCPL, RTSEL SelCS,
81	81	PCPUMSELREG pSRegCS, RTGCPTR Addr, PRTGCPTR ppvFlat);
82		~~VMMDECL(int) SELMGetLDTFromSel(PVM pVM, RTSEL SelLdt, PRTGCPTR ppvLdt, unsigned *pcbLimit);~~
83	82	#ifdef VBOX_WITH_RAW_MODE
84	83	VMM_INT_DECL(void) SELMLoadHiddenSelectorReg(PVMCPU pVCpu, PCCPUMCTX pCtx, PCPUMSELREG pSReg);

trunk/include/iprt/x86.h

-              r42407
+              r42427
  * The shift used to convert a selector from and to index an index (C).
  */
 #define X86_SEL_SHIFT       3
+#define X86_SEL_SHIFT           3
 /**
  * The mask used to mask off the table indicator and RPL of an selector.
  */
 #define X86_SEL_MASK        0xfff8U
+#define X86_SEL_MASK            0xfff8U
 /**
  * The mask used to mask off the RPL of an selector.
+ */
+#define X86_SEL_MASK_RPL    0xfffcU
+ * This is suitable for checking for NULL selectors.
+ */
+#define X86_SEL_MASK_OFF_RPL    0xfffcU
 /**
  * The bit indicating that a selector is in the LDT and not in the GDT.
  */
+#define X86_SEL_LDT         0x0004U
+#define X86_SEL_LDT             0x0004U
 /**
  * The bit mask for getting the RPL of a selector.
  */
+#define X86_SEL_RPL         0x0003U
+#define X86_SEL_RPL             0x0003U
+/**
+ * The mask covering both RPL and LDT.
+ * This is incidentally the same as sizeof(X86DESC) - 1, so good for limit
+ * checks.
+ */
+#define X86_SEL_RPL_LDT         0x0007U
 /** @} */

trunk/src/VBox/VMM/VMMAll/CPUMAllRegs.cpp

r42420	r42427
116	116	{
117	117	/* Protected mode - get it from the selector descriptor tables. */
118		if (!(pSReg->Sel & X86_SEL_MASK))
	118	if (!(pSReg->Sel & X86_SEL_MASK_OFF_RPL))
119	119	{
120	120	Assert(!CPUMIsGuestInLongMode(pVCpu));
…	…
1303	1303	VMMDECL(RTSEL) CPUMGetGuestLDTR(PVMCPU pVCpu)
1304	1304	{
	1305	return pVCpu->cpum.s.Guest.ldtr.Sel;
	1306	}
	1307
	1308
	1309	VMMDECL(RTSEL) CPUMGetGuestLdtrEx(PVMCPU pVCpu, uint64_t pGCPtrBase, uint32_t pcbLimit)
	1310	{
	1311	*pGCPtrBase = pVCpu->cpum.s.Guest.ldtr.u64Base;
	1312	*pcbLimit = pVCpu->cpum.s.Guest.ldtr.u32Limit;
1305	1313	return pVCpu->cpum.s.Guest.ldtr.Sel;
1306	1314	}

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

r42407	r42427
1514	1514	/* Null selectors are not allowed (we're not called for dispatching
1515	1515	interrupts with SS=0 in long mode). */
1516		if (!(NewSS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~))
	1516	if (!(NewSS & X86_SEL_MASK_OFF_RPL))
1517	1517	{
1518	1518	Log(("iemMiscValidateNewSSandRsp: #x - null selector -> #GP(0)\n", NewSS));
…	…
1863	1863	/* A null CS is bad. */
1864	1864	RTSEL NewCS = Idte.Gate.u16Sel;
1865		if (!(NewCS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~))
	1865	if (!(NewCS & X86_SEL_MASK_OFF_RPL))
1866	1866	{
1867	1867	Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x -> #GP\n", u8Vector, NewCS));
…	…
1882	1882	{
1883	1883	Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - system selector (%#x) -> #GP\n", u8Vector, NewCS, DescCS.Legacy.Gen.u4Type));
1884		return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~);
	1884	return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & X86_SEL_MASK_OFF_RPL);
1885	1885	}
1886	1886	if (!(DescCS.Legacy.Gen.u4Type & X86_SEL_TYPE_CODE))
1887	1887	{
1888	1888	Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - data selector (%#x) -> #GP\n", u8Vector, NewCS, DescCS.Legacy.Gen.u4Type));
1889		return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~);
	1889	return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & X86_SEL_MASK_OFF_RPL);
1890	1890	}
1891	1891
…	…
1899	1899	Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - DPL (%d) > CPL (%d) -> #GP\n",
1900	1900	u8Vector, NewCS, DescCS.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
1901		return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~);
	1901	return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & X86_SEL_MASK_OFF_RPL);
1902	1902	}
1903	1903	/** @todo is the RPL of the interrupt/trap gate descriptor checked? */
…	…
1913	1913	Log(("RaiseXcptOrIntInProtMode %#x - CS=%#x - DPL (%d) > CPL (%d) -> #GP\n",
1914	1914	u8Vector, NewCS, DescCS.Legacy.Gen.u2Dpl, pIemCpu->uCpl));
1915		return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & ~~(X86_SEL_MASK \| X86_SEL_LDT)~~);
	1915	return iemRaiseGeneralProtectionFault(pIemCpu, NewCS & X86_SEL_MASK_OFF_RPL);
1916	1916	}
1917	1917
…	…
5816	5816	{
5817	5817	if ( !pCtx->ldtr.Attr.n.u1Present
5818		\|\| (uSel \| ~~0x7U~~) > pCtx->ldtr.u32Limit )
	5818	\|\| (uSel \| X86_SEL_RPL_LDT) > pCtx->ldtr.u32Limit )
5819	5819	{
5820	5820	Log(("iemMemFetchSelDesc: LDT selector %#x is out of bounds (%3x) or ldtr is NP (%#x)\n",
…	…
5829	5829	else
5830	5830	{
5831		if ((uSel \| ~~0x7U~~) > pCtx->gdtr.cbGdt)
	5831	if ((uSel \| X86_SEL_RPL_LDT) > pCtx->gdtr.cbGdt)
5832	5832	{
5833	5833	Log(("iemMemFetchSelDesc: GDT selector %#x is out of bounds (%3x)\n", uSel, pCtx->gdtr.cbGdt));
…	…
5848	5848	\|\| pDesc->Legacy.Gen.u1DescType)
5849	5849	pDesc->Long.au64[1] = 0;
5850		else if ((uint32_t)(uSel ~~& X86_SEL_MASK) + 15 <~~ (uSel & X86_SEL_LDT ? pCtx->ldtr.u32Limit : pCtx->gdtr.cbGdt))
5851		rcStrict = iemMemFetchSysU64(pIemCpu, &pDesc->L~~egacy.u, UINT8_MAX, GCPtrBase + (uSel & X86_SEL_MASK)~~);
	5850	else if ((uint32_t)(uSel \| X86_SEL_RPL_LDT) + 8 <= (uSel & X86_SEL_LDT ? pCtx->ldtr.u32Limit : pCtx->gdtr.cbGdt))
	5851	rcStrict = iemMemFetchSysU64(pIemCpu, &pDesc->Long.au64[1], UINT8_MAX, GCPtrBase + (uSel \| X86_SEL_RPL_LDT) + 1);
5852	5852	else
5853	5853	{

trunk/src/VBox/VMM/VMMAll/IEMAllCImpl.cpp.h

-              r42407
+              r42427
+{
     Assert(enmBranch == IEMBRANCH_JUMP || enmBranch == IEMBRANCH_CALL);
     Assert((uSel & (X86_SEL_MASK | X86_SEL_LDT)));
+    Assert((uSel & X86_SEL_MASK_OFF_RPL));
     if (IEM_IS_LONG_MODE(pIemCpu))
 …
      * Protected mode. Need to parse the specified descriptor...
      */
     if (!(uSel & (X86_SEL_MASK | X86_SEL_LDT)))
+    if (!(uSel & X86_SEL_MASK_OFF_RPL))
+    {
         Log(("jmpf %04x:%08RX64 -> invalid selector, #GP(0)\n", uSel, offSeg));
 …
     /* commit */
     pCtx->rip = offSeg;
     pCtx->cs.Sel         = uSel & (X86_SEL_MASK | X86_SEL_LDT);
+    pCtx->cs.Sel         = uSel & X86_SEL_MASK_OFF_RPL;
     pCtx->cs.Sel        |= pIemCpu->uCpl; /** @todo is this right for conforming segs? or in general? */
     pCtx->cs.ValidSel    = pCtx->cs.Sel;
 …
      * Protected mode. Need to parse the specified descriptor...
      */
     if (!(uSel & (X86_SEL_MASK | X86_SEL_LDT)))
+    if (!(uSel & X86_SEL_MASK_OFF_RPL))
+    {
         Log(("callf %04x:%08RX64 -> invalid selector, #GP(0)\n", uSel, offSeg));
 …
     /* commit */
     pCtx->rip = offSeg;
     pCtx->cs.Sel         = uSel & (X86_SEL_MASK | X86_SEL_LDT);
+    pCtx->cs.Sel         = uSel & X86_SEL_MASK_OFF_RPL;
     pCtx->cs.Sel        |= pIemCpu->uCpl;
     pCtx->cs.ValidSel    = pCtx->cs.Sel;
 …
      * Protected mode is complicated, of course.
      */
     if (!(uNewCs & (X86_SEL_MASK | X86_SEL_LDT)))
+    if (!(uNewCs & X86_SEL_MASK_OFF_RPL))
+    {
         Log(("retf %04x:%08RX64 -> invalid selector, #GP(0)\n", uNewCs, uNewRip));
 …
            and read the selector. */
         IEMSELDESC DescSs;
         if (!(uNewOuterSs & (X86_SEL_MASK | X86_SEL_LDT)))
+        if (!(uNewOuterSs & X86_SEL_MASK_OFF_RPL))
+        {
             if (   !DescCs.Legacy.Gen.u1Long
 …
              */
             /* Read the CS descriptor. */
             if (!(uNewCs & (X86_SEL_MASK | X86_SEL_LDT)))
+            if (!(uNewCs & X86_SEL_MASK_OFF_RPL))
+            {
                 Log(("iret %04x:%08x -> invalid CS selector, #GP(0)\n", uNewCs, uNewEip));
 …
                 /* Read the SS descriptor. */
                 if (!(uNewSS & (X86_SEL_MASK | X86_SEL_LDT)))
+                if (!(uNewSS & X86_SEL_MASK_OFF_RPL))
+                {
                     Log(("iret %04x:%08x/%04x:%08x -> invalid SS selector, #GP(0)\n", uNewCs, uNewEip, uNewSS, uNewESP));
 …
      * FS and GS.  If not null, then we have to load and parse the descriptor.
      */
     if (!(uSel & (X86_SEL_MASK | X86_SEL_LDT)))
+    if (!(uSel & X86_SEL_MASK_OFF_RPL))
+    {
         if (iSegReg == X86_SREG_SS)
 …
      * Now, loading a NULL selector is easy.
      */
     if ((uNewLdt & X86_SEL_MASK) == 0)
+    if (!(uNewLdt & X86_SEL_MASK_OFF_RPL))
+    {
         Log(("lldt %04x: Loading NULL selector.\n",  uNewLdt));
 …
+    {
         Log(("lldt %#x - not system selector (type %x) -> #GP\n", uNewLdt, Desc.Legacy.Gen.u4Type));
         return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK);
+        return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK_OFF_RPL);
+    }
     if (Desc.Legacy.Gen.u4Type != X86_SEL_TYPE_SYS_LDT)
+    {
         Log(("lldt %#x - not LDT selector (type %x) -> #GP\n", uNewLdt, Desc.Legacy.Gen.u4Type));
         return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK);
+        return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK_OFF_RPL);
+    }
     uint64_t u64Base;
 …
+        {
             Log(("lldt %#x - u5Zeros=%#x -> #GP\n", uNewLdt, Desc.Long.Gen.u5Zeros));
             return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK);
+            return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK_OFF_RPL);
+        }
 …
+        {
             Log(("lldt %#x - non-canonical base address %#llx -> #GP\n", uNewLdt, u64Base));
             return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK);
+            return iemRaiseGeneralProtectionFault(pIemCpu, uNewLdt & X86_SEL_MASK_OFF_RPL);
+        }
+    }
 …
 /** @todo check if the actual value is loaded or if the RPL is dropped */
     if (!IEM_VERIFICATION_ENABLED(pIemCpu))
         CPUMSetGuestLDTR(IEMCPU_TO_VMCPU(pIemCpu), uNewLdt & X86_SEL_MASK);
+        CPUMSetGuestLDTR(IEMCPU_TO_VMCPU(pIemCpu), uNewLdt & X86_SEL_MASK_OFF_RPL);
     else
         pCtx->ldtr.Sel  = uNewLdt & X86_SEL_MASK;
     pCtx->ldtr.ValidSel = uNewLdt & X86_SEL_MASK;
+        pCtx->ldtr.Sel  = uNewLdt & X86_SEL_MASK_OFF_RPL;
+    pCtx->ldtr.ValidSel = uNewLdt & X86_SEL_MASK_OFF_RPL;
     pCtx->ldtr.fFlags   = CPUMSELREG_FLAGS_VALID;
     pCtx->ldtr.Attr.u   = X86DESC_GET_HID_ATTR(&Desc.Legacy);
 …
         return iemRaiseGeneralProtectionFaultBySelector(pIemCpu, uNewTr);
+    }
     if ((uNewTr & X86_SEL_MASK) == 0)
+    if (!(uNewTr & X86_SEL_MASK_OFF_RPL))
+    {
         Log(("ltr %04x - NULL selector -> #GP(0)\n", uNewTr));
 …
+    {
         Log(("ltr %#x - not system selector (type %x) -> #GP\n", uNewTr, Desc.Legacy.Gen.u4Type));
         return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK);
+        return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK_OFF_RPL);
+    }
     if (   Desc.Legacy.Gen.u4Type != X86_SEL_TYPE_SYS_386_TSS_AVAIL /* same as AMD64_SEL_TYPE_SYS_TSS_AVAIL */
 …
+    {
         Log(("ltr %#x - not an available TSS selector (type %x) -> #GP\n", uNewTr, Desc.Legacy.Gen.u4Type));
         return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK);
+        return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK_OFF_RPL);
+    }
     uint64_t u64Base;
 …
+        {
             Log(("ltr %#x - u5Zeros=%#x -> #GP\n", uNewTr, Desc.Long.Gen.u5Zeros));
             return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK);
+            return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK_OFF_RPL);
+        }
 …
+        {
             Log(("ltr %#x - non-canonical base address %#llx -> #GP\n", uNewTr, u64Base));
             return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK);
+            return iemRaiseGeneralProtectionFault(pIemCpu, uNewTr & X86_SEL_MASK_OFF_RPL);
+        }
+    }
 …
 /** @todo check if the actual value is loaded or if the RPL is dropped */
     if (!IEM_VERIFICATION_ENABLED(pIemCpu))
         CPUMSetGuestTR(IEMCPU_TO_VMCPU(pIemCpu), uNewTr & X86_SEL_MASK);
+        CPUMSetGuestTR(IEMCPU_TO_VMCPU(pIemCpu), uNewTr & X86_SEL_MASK_OFF_RPL);
     else
         pCtx->tr.Sel  = uNewTr & X86_SEL_MASK;
     pCtx->tr.ValidSel = uNewTr & X86_SEL_MASK;
+        pCtx->tr.Sel  = uNewTr & X86_SEL_MASK_OFF_RPL;
+    pCtx->tr.ValidSel = uNewTr & X86_SEL_MASK_OFF_RPL;
     pCtx->tr.fFlags   = CPUMSELREG_FLAGS_VALID;
     pCtx->tr.Attr.u   = X86DESC_GET_HID_ATTR(&Desc.Legacy);

trunk/src/VBox/VMM/VMMAll/SELMAll.cpp

-              r42420
+              r42427
+    {
         if (   !(fFlags & SELMTOFLAT_FLAGS_HYPER)
             && (unsigned)(Sel & X86_SEL_MASK) >= pVM->selm.s.GuestGdtr.cbGdt)
+            && (Sel | X86_SEL_RPL_LDT) > pVM->selm.s.GuestGdtr.cbGdt)
             return VERR_INVALID_SELECTOR;
         Desc = pVM->selm.s.CTX_SUFF(paGdt)[Sel >> X86_SEL_SHIFT];
 …
     else
+    {
         if ((unsigned)(Sel & X86_SEL_MASK) >= pVM->selm.s.cbLdtLimit)
+        if ((Sel | X86_SEL_RPL_LDT) > pVM->selm.s.cbLdtLimit)
             return VERR_INVALID_SELECTOR;
         /** @todo handle LDT page(s) not present! */
         PX86DESC    paLDT = (PX86DESC)((char *)pVM->selm.s.CTX_SUFF(pvLdt) + pVM->selm.s.offLdtHyper);
+        PX86DESC paLDT = (PX86DESC)((char *)pVM->selm.s.CTX_SUFF(pvLdt) + pVM->selm.s.offLdtHyper);
         Desc = paLDT[Sel >> X86_SEL_SHIFT];
+    }
 …
     CPUMSELREGHID trHid;
     RTSEL tr = CPUMGetGuestTR(pVCpu, &trHid);
     if (!(tr & X86_SEL_MASK))
+    if (!(tr & X86_SEL_MASK_OFF_RPL))
         return VERR_SELM_NO_TSS;

trunk/src/VBox/VMM/VMMR3/SELM.cpp

-              r42418
+              r42427
      */
     RTSEL SelLdt = CPUMGetGuestLDTR(pVCpu);
     if ((SelLdt & X86_SEL_MASK) == 0)
+    if (!(SelLdt & X86_SEL_MASK_OFF_RPL))
+    {
         /* ldtr = 0 - update hyper LDTR and deregister any active handler. */
 …
      * Get the LDT selector.
      */
+/** @todo this is wrong, use CPUMGetGuestLdtrEx */
     PX86DESC    pDesc    = &pVM->selm.s.paGdtR3[SelLdt >> X86_SEL_SHIFT];
     RTGCPTR     GCPtrLdt = X86DESC_BASE(pDesc);
 …
     for (uint32_t iSReg = 0; iSReg < X86_SREG_COUNT; iSReg++)
+    {
         RTSEL const Sel = paSReg[iSReg].Sel & (X86_SEL_MASK | X86_SEL_LDT);
         if (Sel & (X86_SEL_MASK | X86_SEL_LDT))
+        RTSEL const Sel = paSReg[iSReg].Sel;
+        if (Sel & X86_SEL_MASK_OFF_RPL)
+        {
             /* Get the shadow descriptor entry corresponding to this. */
 …
      *       make sure cbTss is 0.
      */
+/** @todo use the hidden bits, not shadow GDT. */
     CPUMSELREGHID   trHid;
     RTSEL           SelTss   = CPUMGetGuestTR(pVCpu, &trHid);
     RTGCPTR         GCPtrTss = trHid.u64Base;
     uint32_t        cbTss    = trHid.u32Limit;
     Assert(     (SelTss & X86_SEL_MASK)
            ||   (cbTss == 0 && GCPtrTss == 0 && trHid.Attr.u == 0 /* TR=0 */)
            ||   (cbTss == 0xffff && GCPtrTss == 0 && trHid.Attr.n.u1Present && trHid.Attr.n.u4Type == X86_SEL_TYPE_SYS_386_TSS_BUSY /* RESET */));
     if (SelTss & X86_SEL_MASK)
+    Assert(   (SelTss & X86_SEL_MASK_OFF_RPL)
+           || (cbTss == 0 && GCPtrTss == 0 && trHid.Attr.u == 0 /* TR=0 */)
+           || (cbTss == 0xffff && GCPtrTss == 0 && trHid.Attr.n.u1Present && trHid.Attr.n.u4Type == X86_SEL_TYPE_SYS_386_TSS_BUSY /* RESET */));
+    if (SelTss & X86_SEL_MASK_OFF_RPL)
+    {
         Assert(!(SelTss & X86_SEL_LDT));
 …
      */
     RTSEL SelLdt = CPUMGetGuestLDTR(pVCpu);
     if ((SelLdt & X86_SEL_MASK) == 0)
+    if ((SelLdt & X86_SEL_MASK_OFF_RPL) == 0)
         return VINF_SUCCESS;
+    Assert(!(SelLdt & X86_SEL_LDT));
     if (SelLdt > GDTR.cbGdt)
+    {
 …
     RTGCPTR         GCPtrTss = trHid.u64Base;
     uint32_t        cbTss    = trHid.u32Limit;
     Assert(     (SelTss & X86_SEL_MASK)
            ||   (cbTss == 0 && GCPtrTss == 0 && trHid.Attr.u == 0 /* TR=0 */)
            ||   (cbTss == 0xffff && GCPtrTss == 0 && trHid.Attr.n.u1Present && trHid.Attr.n.u4Type == X86_SEL_TYPE_SYS_386_TSS_BUSY /* RESET */));
     if (SelTss & X86_SEL_MASK)
+    Assert(   (SelTss & X86_SEL_MASK_OFF_RPL)
+           || (cbTss == 0 && GCPtrTss == 0 && trHid.Attr.u == 0 /* TR=0 */)
+           || (cbTss == 0xffff && GCPtrTss == 0 && trHid.Attr.n.u1Present && trHid.Attr.n.u4Type == X86_SEL_TYPE_SYS_386_TSS_BUSY /* RESET */));
+    if (SelTss & X86_SEL_MASK_OFF_RPL)
+    {
         AssertReturn(!(SelTss & X86_SEL_LDT), false);
 …
 /**
- * Returns flat address and limit of LDT by LDT selector from guest GDTR.
+ *
- * Fully validate selector.
+ *
- * @returns VBox status.
- * @param   pVM       Pointer to the VM.
- * @param   SelLdt    LDT selector.
- * @param   ppvLdt    Where to store the flat address of LDT.
- * @param   pcbLimit  Where to store LDT limit.
- */
-VMMDECL(int) SELMGetLDTFromSel(PVM pVM, RTSEL SelLdt, PRTGCPTR ppvLdt, unsigned *pcbLimit)
+{
-    PVMCPU pVCpu = VMMGetCpu(pVM);
-    /* Get guest GDTR. */
-    VBOXGDTR GDTR;
-    CPUMGetGuestGDTR(pVCpu, &GDTR);
-    /* Check selector TI and GDT limit. */
-    if (   (SelLdt & X86_SEL_LDT)
-        || SelLdt > GDTR.cbGdt)
-        return VERR_INVALID_SELECTOR;
-    /* Read descriptor from GC. */
-    X86DESC Desc;
-    int rc = PGMPhysSimpleReadGCPtr(pVCpu, (void *)&Desc, (RTGCPTR)(GDTR.pGdt + (SelLdt & X86_SEL_MASK)), sizeof(Desc));
-    if (RT_FAILURE(rc))
+    {
-        /* fatal */
-        Log(("Can't read LDT descriptor for selector=%04X\n", SelLdt));
-        return VERR_SELECTOR_NOT_PRESENT;
+    }
-    /* Check if LDT descriptor is not present. */
-    if (Desc.Gen.u1Present == 0)
-        return VERR_SELECTOR_NOT_PRESENT;
-    /* Check LDT descriptor type. */
-    if (    Desc.Gen.u1DescType == 1
-        ||  Desc.Gen.u4Type != X86_SEL_TYPE_SYS_LDT)
-        return VERR_INVALID_SELECTOR;
-    /* LDT descriptor is ok. */
-    if (ppvLdt)
+    {
-        *ppvLdt = (RTGCPTR)X86DESC_BASE(&Desc);
-        *pcbLimit = X86DESC_LIMIT_G(&Desc);
+    }
-    return VINF_SUCCESS;
+}
-/**
  * Gets information about a 64-bit selector, SELMR3GetSelectorInfo helper.
+ *
 …
      * Read it from the guest descriptor table.
      */
+/** @todo this is bogus wrt the LDT/GDT limit on long selectors. */
     X86DESC64   Desc;
-    VBOXGDTR    Gdtr;
     RTGCPTR     GCPtrDesc;
-    CPUMGetGuestGDTR(pVCpu, &Gdtr);
     if (!(Sel & X86_SEL_LDT))
+    {
         /* GDT */
+        if ((unsigned)(Sel & X86_SEL_MASK) + sizeof(X86DESC) - 1 > (unsigned)Gdtr.cbGdt)
+        VBOXGDTR Gdtr;
+        CPUMGetGuestGDTR(pVCpu, &Gdtr);
+        if ((Sel | X86_SEL_RPL_LDT) > Gdtr.cbGdt)
             return VERR_INVALID_SELECTOR;
         GCPtrDesc = Gdtr.pGdt + (Sel & X86_SEL_MASK);
 …
     else
+    {
+        /*
+         * LDT - must locate the LDT first.
+         */
+        RTSEL SelLdt = CPUMGetGuestLDTR(pVCpu);
+        if (    (unsigned)(SelLdt & X86_SEL_MASK) < sizeof(X86DESC) /* the first selector is invalid, right? */ /** @todo r=bird: No, I don't think so */
+            ||  (unsigned)(SelLdt & X86_SEL_MASK) + sizeof(X86DESC) - 1 > (unsigned)Gdtr.cbGdt)
+        /* LDT */
+        uint64_t GCPtrBase;
+        uint32_t cbLimit;
+        CPUMGetGuestLdtrEx(pVCpu, &GCPtrBase, &cbLimit);
+        if ((Sel | X86_SEL_RPL_LDT) > cbLimit)
             return VERR_INVALID_SELECTOR;
-        GCPtrDesc = Gdtr.pGdt + (SelLdt & X86_SEL_MASK);
-        int rc = PGMPhysSimpleReadGCPtr(pVCpu, &Desc, GCPtrDesc, sizeof(Desc));
-        if (RT_FAILURE(rc))
-            return rc;
-        /* validate the LDT descriptor. */
-        if (Desc.Gen.u1Present == 0)
-            return VERR_SELECTOR_NOT_PRESENT;
-        if (    Desc.Gen.u1DescType == 1
-            ||  Desc.Gen.u4Type != AMD64_SEL_TYPE_SYS_LDT)
-            return VERR_INVALID_SELECTOR;
-        uint32_t cbLimit = X86DESC_LIMIT_G(&Desc);
-        if ((uint32_t)(Sel & X86_SEL_MASK) + sizeof(X86DESC) - 1 > cbLimit)
-            return VERR_INVALID_SELECTOR;
         /* calc the descriptor location. */
+        GCPtrDesc = X86DESC64_BASE(&Desc);
+        GCPtrDesc += (Sel & X86_SEL_MASK);
+        GCPtrDesc = GCPtrBase + (Sel & X86_SEL_MASK);
+    }
 …
     X86DESC Desc;
     if (    !(Sel & X86_SEL_LDT)
         && (    pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS] == (Sel & X86_SEL_MASK)
             ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS] == (Sel & X86_SEL_MASK)
             ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64] == (Sel & X86_SEL_MASK)
             ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS] == (Sel & X86_SEL_MASK)
             ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] == (Sel & X86_SEL_MASK))
+        && (    pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS]         == (Sel & X86_SEL_RPL_LDT)
+            ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS]         == (Sel & X86_SEL_RPL_LDT)
+            ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64]       == (Sel & X86_SEL_RPL_LDT)
+            ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS]        == (Sel & X86_SEL_RPL_LDT)
+            ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] == (Sel & X86_SEL_RPL_LDT))
+       )
+    {
 …
         pSelInfo->fFlags = DBGFSELINFO_FLAGS_PROT_MODE;
-        VBOXGDTR    Gdtr;
         RTGCPTR     GCPtrDesc;
-        CPUMGetGuestGDTR(pVCpu, &Gdtr);
         if (!(Sel & X86_SEL_LDT))
+        {
             /* GDT */
+            if ((unsigned)(Sel & X86_SEL_MASK) + sizeof(X86DESC) - 1 > (unsigned)Gdtr.cbGdt)
+            VBOXGDTR Gdtr;
+            CPUMGetGuestGDTR(pVCpu, &Gdtr);
+            if ((Sel | X86_SEL_RPL_LDT) > Gdtr.cbGdt)
                 return VERR_INVALID_SELECTOR;
             GCPtrDesc = Gdtr.pGdt + (Sel & X86_SEL_MASK);
 …
         else
+        {
+            /*
+             * LDT - must locate the LDT first...
+             */
+            RTSEL SelLdt = CPUMGetGuestLDTR(pVCpu);
+            if (    (unsigned)(SelLdt & X86_SEL_MASK) < sizeof(X86DESC) /* the first selector is invalid, right? */ /** @todo r=bird: No, I don't think so */
+                ||  (unsigned)(SelLdt & X86_SEL_MASK) + sizeof(X86DESC) - 1 > (unsigned)Gdtr.cbGdt)
+            /* LDT */
+            uint64_t GCPtrBase;
+            uint32_t cbLimit;
+            CPUMGetGuestLdtrEx(pVCpu, &GCPtrBase, &cbLimit);
+            if ((Sel | X86_SEL_RPL_LDT) > cbLimit)
                 return VERR_INVALID_SELECTOR;
-            GCPtrDesc = Gdtr.pGdt + (SelLdt & X86_SEL_MASK);
-            int rc = PGMPhysSimpleReadGCPtr(pVCpu, &Desc, GCPtrDesc, sizeof(Desc));
-            if (RT_FAILURE(rc))
-                return rc;
-            /* validate the LDT descriptor. */
-            if (Desc.Gen.u1Present == 0)
-                return VERR_SELECTOR_NOT_PRESENT;
-            if (    Desc.Gen.u1DescType == 1
-                ||  Desc.Gen.u4Type != X86_SEL_TYPE_SYS_LDT)
-                return VERR_INVALID_SELECTOR;
-            uint32_t cbLimit = X86DESC_LIMIT_G(&Desc);
-            if ((uint32_t)(Sel & X86_SEL_MASK) + sizeof(X86DESC) - 1 > cbLimit)
-                return VERR_INVALID_SELECTOR;
             /* calc the descriptor location. */
+            GCPtrDesc = X86DESC_BASE(&Desc);
+            GCPtrDesc += (Sel & X86_SEL_MASK);
+            GCPtrDesc = GCPtrBase + (Sel & X86_SEL_MASK);
+        }
 …
          */
         Desc = pVM->selm.s.paGdtR3[Sel >> X86_SEL_SHIFT];
         pSelInfo->fFlags =    pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS] == (Sel & X86_SEL_MASK)
                            || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS] == (Sel & X86_SEL_MASK)
                            || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64] == (Sel & X86_SEL_MASK)
                            || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS] == (Sel & X86_SEL_MASK)
                            || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] == (Sel & X86_SEL_MASK)
+        pSelInfo->fFlags =    pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS]         == (Sel & X86_SEL_MASK_OFF_RPL)
+                           || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS]         == (Sel & X86_SEL_MASK_OFF_RPL)
+                           || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64]       == (Sel & X86_SEL_MASK_OFF_RPL)
+                           || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS]        == (Sel & X86_SEL_MASK_OFF_RPL)
+                           || pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] == (Sel & X86_SEL_MASK_OFF_RPL)
                          ? DBGFSELINFO_FLAGS_HYPER
                          : 0;
 …
+{
     /** @todo SMP support! */
+    PVMCPU      pVCpu = &pVM->aCpus[0];
+    RTSEL SelLdt = CPUMGetGuestLDTR(pVCpu);
+    if (!(SelLdt & X86_SEL_MASK))
+    PVMCPU   pVCpu = &pVM->aCpus[0];
+    uint64_t GCPtrLdt;
+    uint32_t cbLdt;
+    RTSEL    SelLdt = CPUMGetGuestLdtrEx(pVCpu, &GCPtrLdt, &cbLdt);
+    if (!(SelLdt & X86_SEL_MASK_OFF_RPL))
+    {
         pHlp->pfnPrintf(pHlp, "Guest LDT (Sel=%x): Null-Selector\n", SelLdt);
 …
+    }
+    RTGCPTR     GCPtrLdt;
+    unsigned    cbLdt;
+    int rc = SELMGetLDTFromSel(pVM, SelLdt, &GCPtrLdt, &cbLdt);
+    if (RT_FAILURE(rc))
+    {
+        pHlp->pfnPrintf(pHlp, "Guest LDT (Sel=%x): rc=%Rrc\n", SelLdt, rc);
+        return;
+    }
+    pHlp->pfnPrintf(pHlp, "Guest LDT (Sel=%x GCAddr=%RGv limit=%x):\n", SelLdt, GCPtrLdt, cbLdt);
+    unsigned    cLdts  = (cbLdt + 1) >> X86_SEL_SHIFT;
+    pHlp->pfnPrintf(pHlp, "Guest LDT (Sel=%x GCAddr=%RX64 limit=%x):\n", SelLdt, GCPtrLdt, cbLdt);
+    unsigned cLdts  = (cbLdt + 1) >> X86_SEL_SHIFT;
     for (unsigned iLdt = 0; iLdt < cLdts; iLdt++, GCPtrLdt += sizeof(X86DESC))
+    {
         X86DESC LdtE;
         rc = PGMPhysSimpleReadGCPtr(pVCpu, &LdtE, GCPtrLdt, sizeof(LdtE));
+        int rc = PGMPhysSimpleReadGCPtr(pVCpu, &LdtE, GCPtrLdt, sizeof(LdtE));
         if (RT_SUCCESS(rc))
+        {

trunk/src/VBox/VMM/VMMRC/SELMRC.cpp

-              r42407
+              r42427
      */
     RTSEL   Sel = iGDTEntry << X86_SEL_SHIFT;
     Assert(   !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS] & ~X86_SEL_MASK)
            && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS] & ~X86_SEL_MASK)
            && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64] & ~X86_SEL_MASK)
            && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS] & ~X86_SEL_MASK)
            && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] & ~X86_SEL_MASK));
+    Assert(   !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS]         & ~X86_SEL_MASK_OFF_RPL)
+           && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS]         & ~X86_SEL_MASK_OFF_RPL)
+           && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS64]       & ~X86_SEL_MASK_OFF_RPL)
+           && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS]        & ~X86_SEL_MASK_OFF_RPL)
+           && !(pVM->selm.s.aHyperSel[SELM_HYPER_SEL_TSS_TRAP08] & ~X86_SEL_MASK_OFF_RPL));
     if (    pVM->selm.s.aHyperSel[SELM_HYPER_SEL_CS]         == Sel
         ||  pVM->selm.s.aHyperSel[SELM_HYPER_SEL_DS]         == Sel
 …
     for (unsigned iSReg = 0; iSReg <= X86_SREG_COUNT; iSReg++)
+    {
         if (Sel == (paSReg[iSReg].Sel & X86_SEL_MASK_RPL))
+        if (Sel == (paSReg[iSReg].Sel & X86_SEL_MASK_OFF_RPL))
+        {
             if (CPUMSELREG_ARE_HIDDEN_PARTS_VALID(pVCpu, &paSReg[iSReg]))
 …
     for (unsigned iSReg = 0; iSReg <= X86_SREG_COUNT; iSReg++)
+    {
         if (iGDTEntry == (paSReg[iSReg].Sel & X86_SEL_MASK_RPL))
+        if (iGDTEntry == (paSReg[iSReg].Sel & X86_SEL_MASK_OFF_RPL))
+        {
             if (!CPUMSELREG_ARE_HIDDEN_PARTS_VALID(pVCpu, &paSReg[iSReg]))

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette