blob: b8ce0e123afdf1daab8fb4d0e470235c78f9d0eb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
target/i386/seg_helper.c: 16-bit TSS struct format wrong?
In target/i386/seg_helper.c:switch_tss_ra() we have the following code to load registers from a 16-bit TSS struct:
/* 16 bit */
new_cr3 = 0;
new_eip = cpu_lduw_kernel_ra(env, tss_base + 0x0e, retaddr);
new_eflags = cpu_lduw_kernel_ra(env, tss_base + 0x10, retaddr);
for (i = 0; i < 8; i++) {
new_regs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x12 + i * 2),
retaddr) | 0xffff0000;
}
for (i = 0; i < 4; i++) {
new_segs[i] = cpu_lduw_kernel_ra(env, tss_base + (0x22 + i * 4),
retaddr);
}
new_ldt = cpu_lduw_kernel_ra(env, tss_base + 0x2a, retaddr);
This doesn't match up with the structure described here: https://www.sandpile.org/x86/tss.htm -- which has only 2-byte slots for the segment registers. It also makes the 3rd segreg use the same offset as the LDTR, which is very suspicious. I suspect that this should use "(0x22 + i * 2)".
The code later in the same function that stores the segment registers to the struct has the same bug.
Found by code inspection; I don't have a test case to check this. As a non-x86-expert I'm just going to file a bug report in case somebody else feels like confirming the issue and sending a patch.
|