Patchwork x86: Fixed incorrect segment base address addition

Submitter Vitaly Chipounov
Date July 2, 2012, 10:29 a.m.
Message ID <1341224967-30471-1-git-send-email-vitaly.chipounov@epfl.ch>
Permalink /patch/168599/
State New

Comments

Vitaly Chipounov - July 2, 2012, 10:29 a.m.
An instruction with address and segment size override triggers the bug.
inc dword ptr gs:260h[ebx*4] gets incorrectly translated to:
(uint32_t)(gs.base + ebx * 4 + 0x260)
instead of
gs.base + (uint32_t)(ebx * 4 + 0x260)

Signed-off-by: Vitaly Chipounov <vitaly.chipounov@epfl.ch>
---
 target-i386/translate.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Max Filippov - July 2, 2012, 3:18 p.m.
On Mon, Jul 2, 2012 at 2:29 PM, Vitaly Chipounov
<vitaly.chipounov@epfl.ch> wrote:
> An instruction with address and segment size override triggers the bug.
> inc dword ptr gs:260h[ebx*4] gets incorrectly translated to:
> (uint32_t)(gs.base + ebx * 4 + 0x260)
> instead of
> gs.base + (uint32_t)(ebx * 4 + 0x260)

Do I understand it right that this fixes address calculation for
64-bit mode but breaks it for compatibility mode?

Quote from "Intel® 64 and IA-32 Architectures Software Developer’s Manual
Volume 3", "3.4.4 Segment Loading Instructions in IA-32e Mode":

When in compatibility mode, FS and GS overrides operate as defined by
32-bit mode behavior regardless of the value loaded into the upper 32
linear-address bits of the hidden descriptor register base field.
Compatibility mode ignores the upper 32 bits when calculating an
effective address.

>
> Signed-off-by: Vitaly Chipounov <vitaly.chipounov@epfl.ch>
> ---
>  target-i386/translate.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/target-i386/translate.c b/target-i386/translate.c
> index a902f4a..9ca7375 100644
> --- a/target-i386/translate.c
> +++ b/target-i386/translate.c
> @@ -459,10 +459,10 @@ static inline void gen_op_movl_A0_seg(int reg)
>  static inline void gen_op_addl_A0_seg(int reg)
>  {
>      tcg_gen_ld_tl(cpu_tmp0, cpu_env, offsetof(CPUX86State, segs[reg].base));
> -    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
>  #ifdef TARGET_X86_64
>      tcg_gen_andi_tl(cpu_A0, cpu_A0, 0xffffffff);
>  #endif
> +    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
>  }
>
>  #ifdef TARGET_X86_64
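Review bot: Swapping the add and the `andi 0xffffffff` fixes 64-bit code but regresses compatibility mode on every TARGET_X86_64 build: the old order (add the base, then mask) is exactly what made the linear address wrap at 32 bits and discard any upper bits of the hidden GS/FS base, which is the behaviour the SDM text quoted above requires for compatibility mode. With the new order the full 64-bit base is added after the mask unconditionally, so a stale upper base half or a 32-bit wraparound now produces a different address than real hardware. The `#ifdef` is a build-time switch, but which order is correct depends on whether the code being translated is 64-bit, so the mask-then-add order should be selected at translation time for 64-bit code only (gen_op_addl_A0_seg currently receives only `reg`, so it would need the translation context to make that decision) and add-then-mask kept otherwise.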
> --
> 1.7.4.1
>
>
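The two orderings from the commit message and the compatibility-mode rule from the SDM passage Max quotes can be checked side by side. The following is an added illustration written for this page, not QEMU's translator code and not code from either poster; the helper names (ea32, linear_old, linear_patched, linear_expected, variant_correct), the enum, and the register values are constructed for the example. It models the pre-patch and patched versions of gen_op_addl_A0_seg as plain arithmetic on a 64-bit build and compares both against the mode-dependent result for `inc dword ptr gs:260h[ebx*4]`, using inputs chosen so the two orderings disagree in each mode.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the segment-base ordering discussed in the thread;
 * not QEMU code. All names and sample register values are assumptions. */

enum cpu_mode { MODE_COMPAT32, MODE_LONG64 };

/* 32-bit effective address of "disp[index*scale]" under an address-size
 * override: the EA itself wraps at 32 bits before segmentation is applied. */
static uint64_t ea32(uint32_t index, uint32_t scale, uint32_t disp)
{
    return (uint32_t)(index * scale + disp);
}

/* Pre-patch gen_op_addl_A0_seg on a TARGET_X86_64 build:
 * add the base, then mask the sum to 32 bits. */
static uint64_t linear_old(uint64_t seg_base, uint64_t ea)
{
    return (uint32_t)(ea + seg_base);
}

/* Patched gen_op_addl_A0_seg: mask the EA to 32 bits, then add the
 * full 64-bit base. */
static uint64_t linear_patched(uint64_t seg_base, uint64_t ea)
{
    return (uint32_t)ea + seg_base;
}

/* The behaviour the quoted SDM text calls for.
 * 64-bit mode: full 64-bit FS/GS base plus the 32-bit EA.
 * Compatibility mode: 32-bit segmentation, the upper 32 bits of the hidden
 * base are ignored and the sum wraps at 32 bits. */
static uint64_t linear_expected(enum cpu_mode mode, uint64_t seg_base, uint64_t ea)
{
    if (mode == MODE_LONG64) {
        return (uint32_t)ea + seg_base;
    }
    return (uint32_t)((uint32_t)seg_base + (uint32_t)ea);
}

typedef uint64_t (*seg_add_fn)(uint64_t seg_base, uint64_t ea);

/* 1 if `variant` yields the architectural linear address for
 * "inc dword ptr gs:260h[ebx*4]" given the GS base and EBX, else 0. */
static int variant_correct(seg_add_fn variant, enum cpu_mode mode,
                           uint64_t gs_base, uint32_t ebx)
{
    uint64_t ea = ea32(ebx, 4, 0x260);
    return variant(gs_base, ea) == linear_expected(mode, gs_base, ea);
}

int main(void)
{
    /* Constructed register states, chosen so the two orderings disagree. */
    struct {
        const char *name;
        enum cpu_mode mode;
        uint64_t gs_base;
        uint32_t ebx;
    } cases[] = {
        { "64-bit mode, GS base above 4 GiB",   MODE_LONG64,   0xffff880000000000ull, 0x1000 },
        { "compat mode, stale upper base bits", MODE_COMPAT32, 0xffff880012340000ull, 0x1000 },
        { "compat mode, 32-bit wraparound",     MODE_COMPAT32, 0x00000000fffff000ull, 0x1000 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t ea = ea32(cases[i].ebx, 4, 0x260);
        printf("%-36s old=%#018llx patched=%#018llx expected=%#018llx\n",
               cases[i].name,
               (unsigned long long)linear_old(cases[i].gs_base, ea),
               (unsigned long long)linear_patched(cases[i].gs_base, ea),
               (unsigned long long)linear_expected(cases[i].mode, cases[i].gs_base, ea));
    }
    return 0;
}
```

Running it shows the trade-off the thread identifies: only the patched order is right for the 64-bit-mode case, and only the pre-patch order is right for the two compatibility-mode cases, which is why a single compile-time choice cannot serve both and the decision has to follow the mode of the code being translated.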
Vitaly Chipounov - July 2, 2012, 10:09 p.m.
Max,

On 02.07.2012 17:18, Max Filippov wrote:
> On Mon, Jul 2, 2012 at 2:29 PM, Vitaly Chipounov
> <vitaly.chipounov@epfl.ch> wrote:
>> An instruction with address and segment size override triggers the bug.
>> inc dword ptr gs:260h[ebx*4] gets incorrectly translated to:
>> (uint32_t)(gs.base + ebx * 4 + 0x260)
>> instead of
>> gs.base + (uint32_t)(ebx * 4 + 0x260)
> Do I understand it right that this fixes address calculation for
> 64-bit mode but breaks it for compatibility mode?

You are right, it indeed breaks compatibility mode. Thanks for the
reference from the Intel manual.

I will send an updated patch.

Vitaly

>> Signed-off-by: Vitaly Chipounov <vitaly.chipounov@epfl.ch>
>> ---
>>  target-i386/translate.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/target-i386/translate.c b/target-i386/translate.c
>> index a902f4a..9ca7375 100644
>> --- a/target-i386/translate.c
>> +++ b/target-i386/translate.c
>> @@ -459,10 +459,10 @@ static inline void gen_op_movl_A0_seg(int reg)
>>  static inline void gen_op_addl_A0_seg(int reg)
>>  {
>>      tcg_gen_ld_tl(cpu_tmp0, cpu_env, offsetof(CPUX86State, segs[reg].base));
>> -    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
>>  #ifdef TARGET_X86_64
>>      tcg_gen_andi_tl(cpu_A0, cpu_A0, 0xffffffff);
>>  #endif
>> +    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
>>  }
>>
>>  #ifdef TARGET_X86_64
>> --
>> 1.7.4.1
>>
>>
>
>

Patch

diff --git a/target-i386/translate.c b/target-i386/translate.c
index a902f4a..9ca7375 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -459,10 +459,10 @@  static inline void gen_op_movl_A0_seg(int reg)
 static inline void gen_op_addl_A0_seg(int reg)
 {
     tcg_gen_ld_tl(cpu_tmp0, cpu_env, offsetof(CPUX86State, segs[reg].base));
-    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
 #ifdef TARGET_X86_64
     tcg_gen_andi_tl(cpu_A0, cpu_A0, 0xffffffff);
 #endif
+    tcg_gen_add_tl(cpu_A0, cpu_A0, cpu_tmp0);
 }
 
 #ifdef TARGET_X86_64
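Review bot: The reordered mask in gen_op_addl_A0_seg carries no comment, and the ordering is the whole point of the change, so the next reader has no way to tell that `andi 0xffffffff` before the add is deliberate rather than accidental. Add a short comment above the `#ifdef TARGET_X86_64` stating that under an address-size override the effective address is truncated to 32 bits before the segment base is added, and note the compatibility-mode caveat raised in the discussion (upper base bits ignored, 32-bit wrap), since that is the case this order does not cover.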