204175 – Segmentation: incorrect base calculation in VMX

Bug 204175 - Segmentation: incorrect base calculation in VMX

Summary: Segmentation: incorrect base calculation in VMX

Status:	NEW

Alias:	None

Product:	Virtualization
Classification:	Unclassified
Component:	kvm (show other bugs)
Hardware:	Intel Linux

Importance:	P1 normal
Assignee:	virtualization_kvm

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-07-14 15:42 UTC by Maxime Villard
Modified:	2019-07-14 15:42 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	5.*
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Maxime Villard 2019-07-14 15:42:06 UTC

In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode, the base address of the memory operand is computed with a simple:

    *ret = s.base + off;

This is incorrect, the base applies only to FS and GS, not to the others.

Because of that, if the guest uses a VMX instruction based on DS and has a DS.base that is non-zero, KVM wrongfully adds the base to the resulting address.

Note You need to log in before you can comment on or make changes to this bug.