[v2,07/50] target/i386: Assert CPL is 3 for user-only

Message ID	20210514151342.384376-8-richard.henderson@linaro.org
State	Superseded
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; From: Richard Henderson <richard.henderson@linaro.org> To: qemu-devel@nongnu.org Subject: [PATCH v2 07/50] target/i386: Assert CPL is 3 for user-only Date: Fri, 14 May 2021 10:12:59 -0500 Message-Id: <20210514151342.384376-8-richard.henderson@linaro.org> In-Reply-To: <20210514151342.384376-1-richard.henderson@linaro.org> References: <20210514151342.384376-1-richard.henderson@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::82d; envelope-from=richard.henderson@linaro.org; helo=mail-qt1-x82d.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Precedence: list Cc: pbonzini@redhat.com, f4bug@amsat.org, ehabkost@redhat.com, cfontana@suse.de Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>
Series	target/i386 translate cleanups \| expand [v2,00/50] target/i386 translate cleanups [v2,01/50] target/i386: Split out gen_exception_gpf [v2,02/50] target/i386: Split out check_cpl0 [v2,03/50] target/i386: Unify code paths for IRET [v2,04/50] target/i386: Split out check_vm86_iopl [v2,05/50] target/i386: Split out check_iopl [v2,06/50] target/i386: Assert PE is set for user-only [v2,07/50] target/i386: Assert CPL is 3 for user-only [v2,08/50] target/i386: Assert IOPL is 0 for user-only [v2,09/50] target/i386: Assert !VM86 for x86_64 user-only [v2,10/50] target/i386: Assert CODE32 for x86_64 user-only [v2,11/50] target/i386: Assert SS32 for x86_64 user-only [v2,12/50] target/i386: Assert CODE64 for x86_64 user-only [v2,13/50] target/i386: Assert LMA for x86_64 user-only [v2,14/50] target/i386: Assert !ADDSEG for x86_64 user-only [v2,15/50] target/i386: Introduce REX_PREFIX [v2,16/50] target/i386: Tidy REX_B, REX_X definition [v2,17/50] target/i386: Move rex_r into DisasContext [v2,18/50] target/i386: Move rex_w into DisasContext [v2,19/50] target/i386: Remove DisasContext.f_st as unused [v2,20/50] target/i386: Reduce DisasContext.flags to uint32_t [v2,21/50] target/i386: Reduce DisasContext.override to int8_t [v2,22/50] target/i386: Reduce DisasContext.prefix to uint8_t [v2,23/50] target/i386: Reduce DisasContext.vex_[lv] to uint8_t [v2,24/50] target/i386: Reduce DisasContext popl_esp_hack and rip_offset to uint8_t [v2,25/50] target/i386: Leave TF in DisasContext.flags [v2,26/50] target/i386: Reduce DisasContext jmp_opt, repz_opt to bool [v2,27/50] target/i386: Fix the comment for repz_opt [v2,28/50] target/i386: Reorder DisasContext members [v2,29/50] target/i386: Add stub generator for helper_set_dr [v2,30/50] target/i386: Assert !SVME for user-only [v2,31/50] target/i386: Assert !GUEST for user-only [v2,32/50] target/i386: Implement skinit in translate.c [v2,33/50] target/i386: Eliminate SVM helpers for user-only [v2,34/50] target/i386: Mark some helpers as noreturn [v2,35/50] target/i386: Simplify gen_debug usage [v2,36/50] target/i386: Tidy svm_check_intercept from tcg [v2,37/50] target/i386: Remove pc_start argument to gen_svm_check_intercept [v2,38/50] target/i386: Remove user stub for cpu_vmexit [v2,39/50] target/i386: Cleanup read_crN, write_crN, lmsw [v2,40/50] target/i386: Pass env to do_pause and do_hlt [v2,41/50] target/i386: Move invlpg, hlt, monitor, mwait to sysemu [v2,42/50] target/i386: Unify invlpg, invlpga [v2,43/50] target/i386: Inline user cpu_svm_check_intercept_param [v2,44/50] target/i386: Eliminate user stubs for read/write_crN, rd/wrmsr [v2,45/50] target/i386: Exit tb after wrmsr [v2,46/50] target/i386: Tidy gen_check_io [v2,47/50] target/i386: Pass in port to gen_check_io [v2,48/50] target/i386: Create helper_check_io [v2,49/50] target/i386: Move helper_check_io to sysemu [v2,50/50] target/i386: Remove user-only i/o stubs

Message ID

20210514151342.384376-8-richard.henderson@linaro.org

State

Superseded

Headers

Received-SPF: pass (google.com: domain of
	qemu-devel-bounces+patch=linaro.org@nongnu.org designates
	209.51.188.17 as permitted sender) client-ip=209.51.188.17; 
From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Subject: [PATCH v2 07/50] target/i386: Assert CPL is 3 for user-only
Date: Fri, 14 May 2021 10:12:59 -0500
Message-Id: <20210514151342.384376-8-richard.henderson@linaro.org>
In-Reply-To: <20210514151342.384376-1-richard.henderson@linaro.org>
References: <20210514151342.384376-1-richard.henderson@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::82d;
	envelope-from=richard.henderson@linaro.org;
	helo=mail-qt1-x82d.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
	SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: pbonzini@redhat.com, f4bug@amsat.org, ehabkost@redhat.com,
	cfontana@suse.de
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+patch=linaro.org@nongnu.org>

Series

target/i386 translate cleanups | expand

A user-mode executable always runs in ring 3. Signed-off-by: Richard Henderson <richard.henderson@linaro.org> --- target/i386/tcg/translate.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) -- 2.25.1

Comments

Paolo Bonzini May 18, 2021, 9:17 a.m. UTC | #1

On 14/05/21 17:12, Richard Henderson wrote:
> A user-mode executable always runs in ring 3.

> 

> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>


Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index 7f3993fccb..4c9194416d 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -94,6 +94,11 @@  typedef struct DisasContext {
     target_ulong pc; /* pc = eip + cs_base */
     /* current block context */
     target_ulong cs_base; /* base of CS segment */
+
+#ifndef CONFIG_USER_ONLY
+    uint8_t cpl;   /* code priv level */
+#endif
+
     int code32; /* 32 bit code segment */
 #ifdef TARGET_X86_64
     int lma;    /* long mode active */
@@ -111,7 +116,6 @@  typedef struct DisasContext {
     int addseg; /* non zero if either DS/ES/SS have a non zero base */
     int f_st;   /* currently unused */
     int vm86;   /* vm86 mode */
-    int cpl;
     int iopl;
     int tf;     /* TF cpu flag */
     int jmp_opt; /* use direct block chaining for direct jumps */
@@ -148,8 +152,10 @@  typedef struct DisasContext {
 /* The environment in which user-only runs is constrained. */
 #ifdef CONFIG_USER_ONLY
 #define PE(S)     true
+#define CPL(S)    3
 #else
 #define PE(S)     (((S)->flags & HF_PE_MASK) != 0)
+#define CPL(S)    ((S)->cpl)
 #endif
 
 static void gen_eob(DisasContext *s);
@@ -623,7 +629,7 @@  static void gen_check_io(DisasContext *s, MemOp ot, target_ulong cur_eip,
 {
     target_ulong next_eip;
 
-    if (PE(s) && (s->cpl > s->iopl || s->vm86)) {
+    if (PE(s) && (CPL(s) > s->iopl || s->vm86)) {
         tcg_gen_trunc_tl_i32(s->tmp2_i32, s->T0);
         switch (ot) {
         case MO_8:
@@ -1291,7 +1297,7 @@  static void gen_exception_gpf(DisasContext *s)
 /* Check for cpl == 0; if not, raise #GP and return false. */
 static bool check_cpl0(DisasContext *s)
 {
-    if (s->cpl == 0) {
+    if (CPL(s) == 0) {
         return true;
     }
     gen_exception_gpf(s);
@@ -1311,7 +1317,7 @@  static bool check_vm86_iopl(DisasContext *s)
 /* Check for iopl allowing access; if not, raise #GP and return false. */
 static bool check_iopl(DisasContext *s)
 {
-    if (s->vm86 ? s->iopl == 3 : s->cpl <= s->iopl) {
+    if (s->vm86 ? s->iopl == 3 : CPL(s) <= s->iopl) {
         return true;
     }
     gen_exception_gpf(s);
@@ -6735,7 +6741,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
         gen_svm_check_intercept(s, pc_start, SVM_EXIT_POPF);
         if (check_vm86_iopl(s)) {
             ot = gen_pop_T0(s);
-            if (s->cpl == 0) {
+            if (CPL(s) == 0) {
                 if (dflag != MO_16) {
                     gen_helper_write_eflags(cpu_env, s->T0,
                                             tcg_const_i32((TF_MASK | AC_MASK |
@@ -6750,7 +6756,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
                                                           & 0xffff));
                 }
             } else {
-                if (s->cpl <= s->iopl) {
+                if (CPL(s) <= s->iopl) {
                     if (dflag != MO_16) {
                         gen_helper_write_eflags(cpu_env, s->T0,
                                                 tcg_const_i32((TF_MASK |
@@ -7380,7 +7386,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             break;
 
         case 0xc8: /* monitor */
-            if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || s->cpl != 0) {
+            if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
                 goto illegal_op;
             }
             gen_update_cc_op(s);
@@ -7392,7 +7398,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             break;
 
         case 0xc9: /* mwait */
-            if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || s->cpl != 0) {
+            if (!(s->cpuid_ext_features & CPUID_EXT_MONITOR) || CPL(s) != 0) {
                 goto illegal_op;
             }
             gen_update_cc_op(s);
@@ -7403,7 +7409,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
 
         case 0xca: /* clac */
             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
-                || s->cpl != 0) {
+                || CPL(s) != 0) {
                 goto illegal_op;
             }
             gen_helper_clac(cpu_env);
@@ -7413,7 +7419,7 @@  static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
 
         case 0xcb: /* stac */
             if (!(s->cpuid_7_0_ebx_features & CPUID_7_0_EBX_SMAP)
-                || s->cpl != 0) {
+                || CPL(s) != 0) {
                 goto illegal_op;
             }
             gen_helper_stac(cpu_env);
@@ -8467,19 +8473,23 @@  static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUX86State *env = cpu->env_ptr;
     uint32_t flags = dc->base.tb->flags;
+    int cpl = (flags >> HF_CPL_SHIFT) & 3;
 
     dc->cs_base = dc->base.tb->cs_base;
     dc->flags = flags;
+#ifndef CONFIG_USER_ONLY
+    dc->cpl = cpl;
+#endif
 
     /* We make some simplifying assumptions; validate they're correct. */
     g_assert(PE(dc) == ((flags & HF_PE_MASK) != 0));
+    g_assert(CPL(dc) == cpl);
 
     dc->code32 = (flags >> HF_CS32_SHIFT) & 1;
     dc->ss32 = (flags >> HF_SS32_SHIFT) & 1;
     dc->addseg = (flags >> HF_ADDSEG_SHIFT) & 1;
     dc->f_st = 0;
     dc->vm86 = (flags >> VM_SHIFT) & 1;
-    dc->cpl = (flags >> HF_CPL_SHIFT) & 3;
     dc->iopl = (flags >> IOPL_SHIFT) & 3;
     dc->tf = (flags >> TF_SHIFT) & 1;
     dc->cc_op = CC_OP_DYNAMIC;

[v2,07/50] target/i386: Assert CPL is 3 for user-only

Commit Message

Comments

Patch