From: "Hou Wenlong" <houwenlong.hwl@antgroup.com>
To: kvm@vger.kernel.org
Subject: [PATCH 0/2] KVM: x86/emulator: Fix wrong checks when loading code segment in emulator
Date: Thu, 20 Jan 2022 17:33:28 +0800
Message-ID: <cover.1642669684.git.houwenlong.hwl@antgroup.com>

Per Intel's SDM on "Instruction Set Reference", code segment
can be loaded by far jmp/call/ret, iret and int. For all those
instructions, not-present segment check should be after type and
privilege checks. But the emulator checks it first, so #NP is
triggered instead of #GP if privilege check fails and the segment
is not present.

When loading code segment above realmode, RPL/CPL/DPL should be
checked, but the privilege checks are different between those
instructions. Since iret and int are only implemented for realmode
in emulator, no checks are needed.

The current implementation only checks if DPL > CPL for conforming
code or (RPL > CPL or DPL != CPL) for non-conforming code. Since
far call/jump to call gate, task gate and task state segment are
not implemented in emulator, the current checks are enough.

As for far return, outer level return is not implemented above
virtual-8086 mode in emulator, so RPL <= CPL. Per Intel's SDM,
if RPL < CPL, it should trigger #GP, but it is missing in
emulator. Other checks are satisfied in current implementation.

When vmexit for task switch, code segment would also be loaded
from tss. Since segment selector is loaded before segment descriptor
when load state from tss, it implies that RPL = CPL, the checks
are satisfied too.

I add some tests in kvm-unit-tests[*] for the wrong checks in
emulator. Enable kvm.force_enable_emulation to test them on emulator.

[*] https://lore.kernel.org/kvm/cover.1642669912.git.houwenlong.hwl@antgroup.com

Hou Wenlong (2):
  KVM: x86/emulator: Defer not-present segment check in
    __load_segment_descriptor()
  KVM: x86: Fix wrong privilege check for code segment in
    __load_segment_descriptor()

 arch/x86/kvm/emulate.c | 44 +++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 13 deletions(-)

--
2.31.1


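The check ordering the cover letter describes, as an added example that is not part of the original message and not KVM's emulate.c code: a small model of loading CS for far jmp/call and far ret that decodes a legacy 8-byte descriptor, runs the type and privilege checks first, and only then the present check, next to a variant that checks P first (the ordering the series fixes). The function names check_code_seg_load, check_code_seg_load_np_first and make_desc are assumptions for this example; call gates, task gates, TSS, long mode and outer-level far return are left out, as in the emulator paths the cover letter discusses. The far-ret rules (RPL >= CPL, DPL == RPL for non-conforming, DPL <= RPL for conforming) follow the SDM; the cover letter only states the RPL < CPL case.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Exception vector numbers, used as return values. */
enum seg_fault { SEG_OK = 0, SEG_NP = 11, SEG_GP = 13 };

enum load_kind { LOAD_FAR_JMP_CALL, LOAD_FAR_RET };

/* Legacy 8-byte descriptor: access byte is bits 40..47. */
static unsigned desc_type(uint64_t d)      { return (d >> 40) & 0xf; }
static bool     desc_s(uint64_t d)         { return (d >> 44) & 1; }
static unsigned desc_dpl(uint64_t d)       { return (d >> 45) & 3; }
static bool     desc_present(uint64_t d)   { return (d >> 47) & 1; }
static bool     desc_is_code(uint64_t d)   { return desc_s(d) && (desc_type(d) & 8); }
static bool     desc_conforming(uint64_t d){ return desc_type(d) & 4; }

/* Build a readable code segment descriptor (base/limit left zero). */
static uint64_t make_desc(bool present, unsigned dpl, bool conforming)
{
    uint64_t type = 0xa | (conforming ? 4 : 0);   /* code, readable */
    return (type << 40) | (1ull << 44) | ((uint64_t)(dpl & 3) << 45)
         | ((uint64_t)present << 47);
}

/* Privilege checks shared by both orderings (type check included). */
static enum seg_fault code_seg_priv_checks(uint16_t selector, uint64_t desc,
                                           unsigned cpl, enum load_kind kind)
{
    unsigned rpl = selector & 3;
    unsigned dpl = desc_dpl(desc);

    if (!desc_is_code(desc))
        return SEG_GP;                       /* data or system segment */

    if (kind == LOAD_FAR_JMP_CALL) {
        if (desc_conforming(desc)) {
            if (dpl > cpl) return SEG_GP;
        } else {
            if (rpl > cpl || dpl != cpl) return SEG_GP;
        }
    } else { /* LOAD_FAR_RET, same-level only (rpl > cpl not modeled) */
        if (rpl < cpl) return SEG_GP;        /* the check the series adds */
        if (desc_conforming(desc)) {
            if (dpl > rpl) return SEG_GP;
        } else {
            if (dpl != rpl) return SEG_GP;
        }
    }
    return SEG_OK;
}

/* SDM ordering: type and privilege first, not-present last. */
enum seg_fault check_code_seg_load(uint16_t selector, uint64_t desc,
                                   unsigned cpl, enum load_kind kind)
{
    enum seg_fault f;

    if ((selector & ~3u) == 0)
        return SEG_GP;                       /* null selector into CS */
    f = code_seg_priv_checks(selector, desc, cpl, kind);
    if (f != SEG_OK)
        return f;
    if (!desc_present(desc))
        return SEG_NP;
    return SEG_OK;
}

/* Pre-fix ordering: present checked before privilege, so a privilege
 * violation on a not-present segment wrongly raises #NP instead of #GP. */
enum seg_fault check_code_seg_load_np_first(uint16_t selector, uint64_t desc,
                                            unsigned cpl, enum load_kind kind)
{
    if ((selector & ~3u) == 0)
        return SEG_GP;
    if (!desc_present(desc))
        return SEG_NP;
    return code_seg_priv_checks(selector, desc, cpl, kind);
}

int main(void)
{
    /* Constructed case: ring 0 far jmp to a not-present conforming DPL 3
     * segment. Privilege fails (DPL > CPL), so the SDM answer is #GP. */
    uint64_t d = make_desc(false, 3, true);
    printf("fixed: %d, np-first: %d\n",
           check_code_seg_load(0x08, d, 0, LOAD_FAR_JMP_CALL),
           check_code_seg_load_np_first(0x08, d, 0, LOAD_FAR_JMP_CALL));
    return 0;
}
```

Running it prints "fixed: 13, np-first: 11", which is exactly the #GP versus #NP difference the first patch addresses; the far-ret RPL < CPL case is the one the second patch adds.
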
Thread overview: 10+ messages
2022-01-20  9:33 Hou Wenlong [this message]
2022-01-20  9:33 ` [PATCH 1/2] KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() Hou Wenlong
2022-02-07 19:21   ` Sean Christopherson
2022-01-20  9:33 ` [PATCH 2/2] KVM: x86: Fix wrong privilege check for code segment " Hou Wenlong
2022-02-07 19:51   ` Sean Christopherson
2022-02-08  9:34 ` [PATCH v2 0/3] KVM: x86/emulator: Fix wrong checks when loading code segment in emulator Hou Wenlong
2022-02-08  9:34   ` [PATCH v2 1/3] KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() Hou Wenlong
2022-02-08  9:34   ` [PATCH v2 2/3] KVM: x86/emulator: Fix wrong privilege check for code segment " Hou Wenlong
2022-02-08  9:34   ` [PATCH v2 3/3] KVM: x86/emulator: Move the unhandled outer privilege level logic of far return into __load_segment_descriptor() Hou Wenlong
2022-02-25 15:07     ` Paolo Bonzini
