Commit c277c3f5 authored by Paolo Bonzini's avatar Paolo Bonzini Committed by Stefan Bader

KVM: x86: introduce linear_{read,write}_system

commit 79367a65 upstream.

Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
as to have a smaller patch when the functions grow another argument.

Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
Cc: stable@vger.kernel.org
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>

CVE-2018-3620
CVE-2018-3646
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
parent 05da82e1
...@@ -790,6 +790,19 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel) ...@@ -790,6 +790,19 @@ static inline int jmp_rel(struct x86_emulate_ctxt *ctxt, int rel)
return assign_eip_near(ctxt, ctxt->_eip + rel); return assign_eip_near(ctxt, ctxt->_eip + rel);
} }
static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
void *data, unsigned size)
{
return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
}
static int linear_write_system(struct x86_emulate_ctxt *ctxt,
ulong linear, void *data,
unsigned int size)
{
return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
}
static int segmented_read_std(struct x86_emulate_ctxt *ctxt, static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
struct segmented_address addr, struct segmented_address addr,
void *data, void *data,
...@@ -1488,8 +1501,7 @@ static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt, ...@@ -1488,8 +1501,7 @@ static int read_interrupt_descriptor(struct x86_emulate_ctxt *ctxt,
return emulate_gp(ctxt, index << 3 | 0x2); return emulate_gp(ctxt, index << 3 | 0x2);
addr = dt.address + index * 8; addr = dt.address + index * 8;
return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc, return linear_read_system(ctxt, addr, desc, sizeof *desc);
&ctxt->exception);
} }
static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt, static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
...@@ -1552,8 +1564,7 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt, ...@@ -1552,8 +1564,7 @@ static int read_segment_descriptor(struct x86_emulate_ctxt *ctxt,
if (rc != X86EMUL_CONTINUE) if (rc != X86EMUL_CONTINUE)
return rc; return rc;
return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc), return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
&ctxt->exception);
} }
/* allowed just for 8 bytes segments */ /* allowed just for 8 bytes segments */
...@@ -1567,8 +1578,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt, ...@@ -1567,8 +1578,7 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
if (rc != X86EMUL_CONTINUE) if (rc != X86EMUL_CONTINUE)
return rc; return rc;
return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc, return linear_write_system(ctxt, addr, desc, sizeof *desc);
&ctxt->exception);
} }
static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
...@@ -1729,8 +1739,7 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, ...@@ -1729,8 +1739,7 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
return ret; return ret;
} }
} else if (ctxt->mode == X86EMUL_MODE_PROT64) { } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3, ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
sizeof(base3), &ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
if (is_noncanonical_address(get_desc_base(&seg_desc) | if (is_noncanonical_address(get_desc_base(&seg_desc) |
...@@ -2043,11 +2052,11 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq) ...@@ -2043,11 +2052,11 @@ static int __emulate_int_real(struct x86_emulate_ctxt *ctxt, int irq)
eip_addr = dt.address + (irq << 2); eip_addr = dt.address + (irq << 2);
cs_addr = dt.address + (irq << 2) + 2; cs_addr = dt.address + (irq << 2) + 2;
rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception); rc = linear_read_system(ctxt, cs_addr, &cs, 2);
if (rc != X86EMUL_CONTINUE) if (rc != X86EMUL_CONTINUE)
return rc; return rc;
rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception); rc = linear_read_system(ctxt, eip_addr, &eip, 2);
if (rc != X86EMUL_CONTINUE) if (rc != X86EMUL_CONTINUE)
return rc; return rc;
...@@ -3025,35 +3034,30 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt, ...@@ -3025,35 +3034,30 @@ static int task_switch_16(struct x86_emulate_ctxt *ctxt,
u16 tss_selector, u16 old_tss_sel, u16 tss_selector, u16 old_tss_sel,
ulong old_tss_base, struct desc_struct *new_desc) ulong old_tss_base, struct desc_struct *new_desc)
{ {
const struct x86_emulate_ops *ops = ctxt->ops;
struct tss_segment_16 tss_seg; struct tss_segment_16 tss_seg;
int ret; int ret;
u32 new_tss_base = get_desc_base(new_desc); u32 new_tss_base = get_desc_base(new_desc);
ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
save_state_to_tss16(ctxt, &tss_seg); save_state_to_tss16(ctxt, &tss_seg);
ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg, ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
if (old_tss_sel != 0xffff) { if (old_tss_sel != 0xffff) {
tss_seg.prev_task_link = old_tss_sel; tss_seg.prev_task_link = old_tss_sel;
ret = ops->write_std(ctxt, new_tss_base, ret = linear_write_system(ctxt, new_tss_base,
&tss_seg.prev_task_link, &tss_seg.prev_task_link,
sizeof tss_seg.prev_task_link, sizeof tss_seg.prev_task_link);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
} }
...@@ -3169,38 +3173,34 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt, ...@@ -3169,38 +3173,34 @@ static int task_switch_32(struct x86_emulate_ctxt *ctxt,
u16 tss_selector, u16 old_tss_sel, u16 tss_selector, u16 old_tss_sel,
ulong old_tss_base, struct desc_struct *new_desc) ulong old_tss_base, struct desc_struct *new_desc)
{ {
const struct x86_emulate_ops *ops = ctxt->ops;
struct tss_segment_32 tss_seg; struct tss_segment_32 tss_seg;
int ret; int ret;
u32 new_tss_base = get_desc_base(new_desc); u32 new_tss_base = get_desc_base(new_desc);
u32 eip_offset = offsetof(struct tss_segment_32, eip); u32 eip_offset = offsetof(struct tss_segment_32, eip);
u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector); u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg, ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
save_state_to_tss32(ctxt, &tss_seg); save_state_to_tss32(ctxt, &tss_seg);
/* Only GP registers and segment selectors are saved */ /* Only GP registers and segment selectors are saved */
ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip, ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
ldt_sel_offset - eip_offset, &ctxt->exception); ldt_sel_offset - eip_offset);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg, ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
if (old_tss_sel != 0xffff) { if (old_tss_sel != 0xffff) {
tss_seg.prev_task_link = old_tss_sel; tss_seg.prev_task_link = old_tss_sel;
ret = ops->write_std(ctxt, new_tss_base, ret = linear_write_system(ctxt, new_tss_base,
&tss_seg.prev_task_link, &tss_seg.prev_task_link,
sizeof tss_seg.prev_task_link, sizeof tss_seg.prev_task_link);
&ctxt->exception);
if (ret != X86EMUL_CONTINUE) if (ret != X86EMUL_CONTINUE)
return ret; return ret;
} }
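Review bot: The two new wrappers at the top of the first hunk (linear_read_system / linear_write_system) carry no comment saying how they differ from segmented_read_std and segmented_write_std immediately below, and they spell the same parameter differently (`unsigned size` in the read wrapper, `unsigned int size` in the write wrapper); I would use `unsigned int size` in both. Every caller converted in the later hunks accesses a system structure — interrupt and segment descriptors, the real-mode IVT in __emulate_int_real, and the TSS in task_switch_16/32 — so a header comment on the first wrapper would make that contract explicit: `/* Access guest memory holding CPU system structures (descriptor tables, IVT, TSS) by linear address, not through a segment; faults are reported via ctxt->exception. */`. The commit message says the helpers exist so that a further argument can be added later; saying so in the comment would steer future callers away from calling ctxt->ops->read_std/write_std directly. The file header for this section is not shown on the page, so the path these hunks belong to is inferred from context only.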