* [Qemu-devel] [Bug 1503031] [NEW] 32-to-64-bit call gate unsupported in IA32e mode
From: Andrew Oates @ 2015-10-05 20:33 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
In particular, the lcall implementation doesn't support the 64-bit TSS.
helper_lcall_protected (target-i386/seg_helper.c:1884) calls
get_ss_esp_from_tss() on a call gate to a lower privilege level, which
tries to extract a 32-bit ESP and 16-bit SS from the TSS. In IA32e mode
(64-bit or compatibility mode), this instead grabs the lower 32 bits of
the target RSP, and 16 of the upper bits as the SS. Additionally,
several of the subsequent checks are incorrect (even if the correct
stack pointer were extracted).
This isn't a problem for interrupts since the interrupts are given their
own implementation entirely, which uses get_rsp_from_tss() rather than
get_ss_esp_from_tss().
I believe the missing logic is from the branch starting "ELSE (* current
TSS is 64-bit *)" in the CALL pseudocode in the Intel manual (page 3-124
of the PDF I have).
Reproduced at master (c0b520dfb8890294a9f8879f4759172900585995), and
also as of a qemu built a year ago.
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1503031
Title:
32-to-64-bit call gate unsupported in IA32e mode
Status in QEMU:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1503031/+subscriptions
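Added example (not QEMU's code and not from the report): the two TSS layouts the report contrasts, with the misread it describes reproduced on a constructed 64-bit TSS. Field offsets follow the Intel SDM; the function names, the 104-byte sample TSS and its RSP0..RSP2 values are my own.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian loads/stores: the TSS is guest memory, so its byte layout is fixed. */
static uint16_t ld16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t ld32(const uint8_t *p) { return ld16(p) | (uint32_t)ld16(p + 2) << 16; }
static uint64_t ld64(const uint8_t *p) { return ld32(p) | (uint64_t)ld32(p + 4) << 32; }
static void st64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* 32-bit TSS layout: ESPn is a dword at offset 4+8n, SSn a word at 8+8n.
 * Returns 0, or -1 when the fields lie beyond the TSS limit (#TS on hardware). */
int tss32_get_ss_esp(const uint8_t *tss, uint32_t limit, int dpl, uint32_t *esp, uint16_t *ss)
{
    uint32_t idx = 4 + 8u * dpl;
    if (idx + 5 > limit) return -1;
    *esp = ld32(tss + idx);
    *ss = ld16(tss + idx + 4);
    return 0;
}

/* 64-bit TSS layout: RSPn is a qword at offset 4+8n and there is no SSn field;
 * the Intel CALL pseudocode loads SS with a null selector whose RPL is the new CPL. */
int tss64_get_rsp(const uint8_t *tss, uint32_t limit, int dpl, uint64_t *rsp)
{
    uint32_t idx = 4 + 8u * dpl;
    if (idx + 7 > limit) return -1;
    *rsp = ld64(tss + idx);
    return 0;
}
/* Constructed 104-byte 64-bit TSS (limit 0x67); the RSP0..RSP2 values are made up. */
#define TSS64_LIMIT 0x67u
static const uint64_t sample_rsp[3] = {
    0xffff800000001000ULL, 0xffff800000002000ULL, 0xffff800000003000ULL };
static void build_sample_tss64(uint8_t *tss)
{
    memset(tss, 0, TSS64_LIMIT + 1);
    for (int n = 0; n < 3; n++) st64(tss + 4 + 8 * n, sample_rsp[n]);
}
/* The report's bug, reproduced on the sample: the 32-bit extractor applied to a
 * 64-bit TSS yields ESP = RSPn[31:0] and SS = RSPn[47:32] (dpl 0: SS=0x8000, ESP=0x1000). */
int misread_tss64(int dpl, uint32_t *esp, uint16_t *ss)
{
    uint8_t tss[TSS64_LIMIT + 1];
    build_sample_tss64(tss);
    return tss32_get_ss_esp(tss, TSS64_LIMIT, dpl, esp, ss);
}
/* The correct extraction for the same TSS (dpl 0: RSP=0xffff800000001000). */
int read_tss64(int dpl, uint64_t *rsp)
{
    uint8_t tss[TSS64_LIMIT + 1];
    build_sample_tss64(tss);
    return tss64_get_rsp(tss, TSS64_LIMIT, dpl, rsp);
}
```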
* [Qemu-devel] [Bug 1503031] Re: 32-to-64-bit call gate unsupported in IA32e mode
From: Andrew Oates @ 2015-10-05 20:49 UTC (permalink / raw)
To: qemu-devel
I also suspect that qemu will incorrectly allow calls through 32-bit
call gates in compatibility mode (rather than raising a GP fault --- see
Intel manuals volume 3A 5-21). And I doubt 64-to-64-bit call gates work
either. I haven't actually tested either of those scenarios, though;
this is just from reading the code.
* [Bug 1503031] Re: 32-to-64-bit call gate unsupported in IA32e mode
From: Thomas Huth @ 2020-08-07 18:31 UTC (permalink / raw)
To: qemu-devel
Looking through old bug tickets... is this still an issue with the
latest version of QEMU? Or could we close this ticket nowadays?
** Changed in: qemu
Status: New => Incomplete
* [Bug 1503031] Re: 32-to-64-bit call gate unsupported in IA32e mode
From: Peter Maydell @ 2020-08-07 18:59 UTC (permalink / raw)
To: qemu-devel
Looking at the commit log it looks like Andrew fixed this in commit
0aca060526d3ff9632aaed in 2018?
* [Bug 1503031] Re: 32-to-64-bit call gate unsupported in IA32e mode
From: Thomas Huth @ 2020-08-08 8:09 UTC (permalink / raw)
To: qemu-devel
That looks like the corresponding fix, indeed. Let's close this ticket.
** Changed in: qemu
Status: Incomplete => Fix Released