[Qemu-devel] [Bug 1163065] [NEW] target-i386 cpu_get_phys_page_debug checks bits in wrong order

[Qemu-devel] [Bug 1163065] [NEW] target-i386 cpu_get_phys_page_debug checks bits in wrong order

[Brendan Dolan-Gavitt]

Public bug reported:

In target-i386 cpu_get_phys_page_debug, the CR4_PAE bit is checked
before CR0_PG. This means that if paging is disabled but the PAE bit has
been set in CR4, cpu_get_phys_page_debug will return the wrong result
(it will try to translate the address as virtual rather than using it as
a physical address).

Although this might seem like an unusual case, it in fact happens
consistently when booting Linux on amd64 (from
linux-2.6.32.60/arch/x86/boot/compressed/head_64.S):

    /* Enable PAE mode */
    xorl    %eax, %eax
    orl $(X86_CR4_PAE), %eax
    movl    %eax, %cr4
[... code to set up page tables omitted ...]
    /* Enter paged protected Mode, activating Long Mode */
    movl    $(X86_CR0_PG | X86_CR0_PE), %eax /* Enable Paging and Protected mode */
    movl    %eax, %cr0

The most noticeable effect of this bug is that using the disassembler
during this time will fetch the wrong data by trying to read from page
tables that aren't there. One symptom is that booting Linux amd64 with
-d in_asm will result in several "Disassembler disagrees with translator
over instruction decoding" messages.

Attached is a patch that moves the CR0_PG check to the beginning. I'm
still not 100% certain that the logic of cpu_get_phys_page_debug matches
cpu_x86_handle_mmu_fault, but it's a start.

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: target-i386

** Patch added: "patch that fixes the issue"
   https://bugs.launchpad.net/bugs/1163065/+attachment/3613229/+files/qemu_cpu_get_phys_page_debug.patch

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1163065

Title:
  target-i386 cpu_get_phys_page_debug checks bits in wrong order

Status in QEMU:
  New

Bug description:
  In target-i386 cpu_get_phys_page_debug, the CR4_PAE bit is checked
  before CR0_PG. This means that if paging is disabled but the PAE bit
  has been set in CR4, cpu_get_phys_page_debug will return the wrong
  result (it will try to translate the address as virtual rather than
  using it as a physical address).

  Although this might seem like an unusual case, it in fact happens
  consistently when booting Linux on amd64 (from
  linux-2.6.32.60/arch/x86/boot/compressed/head_64.S):

      /* Enable PAE mode */
      xorl    %eax, %eax
      orl $(X86_CR4_PAE), %eax
      movl    %eax, %cr4
  [... code to set up page tables omitted ...]
      /* Enter paged protected Mode, activating Long Mode */
      movl    $(X86_CR0_PG | X86_CR0_PE), %eax /* Enable Paging and Protected mode */
      movl    %eax, %cr0

  The most noticeable effect of this bug is that using the disassembler
  during this time will fetch the wrong data by trying to read from page
  tables that aren't there. One symptom is that booting Linux amd64 with
  -d in_asm will result in several "Disassembler disagrees with
  translator over instruction decoding" messages.

  Attached is a patch that moves the CR0_PG check to the beginning. I'm
  still not 100% certain that the logic of cpu_get_phys_page_debug
  matches cpu_x86_handle_mmu_fault, but it's a start.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1163065/+subscriptions

[Qemu-devel] [Bug 1163065] Re: target-i386 cpu_get_phys_page_debug checks bits in wrong order

[Thomas Huth]

Can you still reproduce this problem with the latest version of QEMU? If
so, could you please send a refreshed patch to the qemu-devel mailing
list? We do not pick up patches from the bug tracker. Thanks!

** Changed in: qemu
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1163065

Title:
  target-i386 cpu_get_phys_page_debug checks bits in wrong order

Status in QEMU:
  Incomplete

Bug description:
  In target-i386 cpu_get_phys_page_debug, the CR4_PAE bit is checked
  before CR0_PG. This means that if paging is disabled but the PAE bit
  has been set in CR4, cpu_get_phys_page_debug will return the wrong
  result (it will try to translate the address as virtual rather than
  using it as a physical address).

  Although this might seem like an unusual case, it in fact happens
  consistently when booting Linux on amd64 (from
  linux-2.6.32.60/arch/x86/boot/compressed/head_64.S):

      /* Enable PAE mode */
      xorl    %eax, %eax
      orl $(X86_CR4_PAE), %eax
      movl    %eax, %cr4
  [... code to set up page tables omitted ...]
      /* Enter paged protected Mode, activating Long Mode */
      movl    $(X86_CR0_PG | X86_CR0_PE), %eax /* Enable Paging and Protected mode */
      movl    %eax, %cr0

  The most noticeable effect of this bug is that using the disassembler
  during this time will fetch the wrong data by trying to read from page
  tables that aren't there. One symptom is that booting Linux amd64 with
  -d in_asm will result in several "Disassembler disagrees with
  translator over instruction decoding" messages.

  Attached is a patch that moves the CR0_PG check to the beginning. I'm
  still not 100% certain that the logic of cpu_get_phys_page_debug
  matches cpu_x86_handle_mmu_fault, but it's a start.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1163065/+subscriptions

[Qemu-devel] [Bug 1163065] Re: target-i386 cpu_get_phys_page_debug checks bits in wrong order

[Launchpad Bug Tracker]

[Expired for QEMU because there has been no activity for 60 days.]

** Changed in: qemu
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1163065

Title:
  target-i386 cpu_get_phys_page_debug checks bits in wrong order

Status in QEMU:
  Expired

Bug description:
  In target-i386 cpu_get_phys_page_debug, the CR4_PAE bit is checked
  before CR0_PG. This means that if paging is disabled but the PAE bit
  has been set in CR4, cpu_get_phys_page_debug will return the wrong
  result (it will try to translate the address as virtual rather than
  using it as a physical address).

  Although this might seem like an unusual case, it in fact happens
  consistently when booting Linux on amd64 (from
  linux-2.6.32.60/arch/x86/boot/compressed/head_64.S):

      /* Enable PAE mode */
      xorl    %eax, %eax
      orl $(X86_CR4_PAE), %eax
      movl    %eax, %cr4
  [... code to set up page tables omitted ...]
      /* Enter paged protected Mode, activating Long Mode */
      movl    $(X86_CR0_PG | X86_CR0_PE), %eax /* Enable Paging and Protected mode */
      movl    %eax, %cr0

  The most noticeable effect of this bug is that using the disassembler
  during this time will fetch the wrong data by trying to read from page
  tables that aren't there. One symptom is that booting Linux amd64 with
  -d in_asm will result in several "Disassembler disagrees with
  translator over instruction decoding" messages.

  Attached is a patch that moves the CR0_PG check to the beginning. I'm
  still not 100% certain that the logic of cpu_get_phys_page_debug
  matches cpu_x86_handle_mmu_fault, but it's a start.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1163065/+subscriptions