From patchwork Mon Mar 22 10:29:40 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@siemens.com>
X-Patchwork-Id: 87395
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o2MATuWG028236
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 22 Mar 2010 10:29:56 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753615Ab0CVK3y (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Mon, 22 Mar 2010 06:29:54 -0400
Received: from thoth.sbs.de ([192.35.17.2]:20613 "EHLO thoth.sbs.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1753307Ab0CVK3x (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 22 Mar 2010 06:29:53 -0400
Received: from mail2.siemens.de (localhost [127.0.0.1])
	by thoth.sbs.de (8.12.11.20060308/8.12.11) with ESMTP id
	o2MATfla026414; Mon, 22 Mar 2010 11:29:41 +0100
Received: from [139.25.109.167] (mchn012c.ww002.siemens.net [139.25.109.167]
	(may be forged))
	by mail2.siemens.de (8.12.11.20060308/8.12.11) with ESMTP id
	o2MATe1I032556; Mon, 22 Mar 2010 11:29:40 +0100
Message-ID: <4BA74694.2080300@siemens.com>
Date: Mon, 22 Mar 2010 11:29:40 +0100
From: Jan Kiszka <jan.kiszka@siemens.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de;
	rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1
	Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Avi Kivity <avi@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>
CC: kvm <kvm@vger.kernel.org>
Subject: [PATCH] KVM: x86: Fix TSS size check for 16-bit tasks
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]);
	Mon, 22 Mar 2010 10:29:56 +0000 (UTC)


diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 266576c..f529f75 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2355,6 +2355,7 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
 	u16 old_tss_sel = ops->get_segment_selector(VCPU_SREG_TR, ctxt->vcpu);
 	ulong old_tss_base =
 		get_cached_descriptor_base(ctxt, ops, VCPU_SREG_TR);
+	u32 desc_limit;
 
 	/* FIXME: old_tss_base == ~0 ? */
 
@@ -2375,7 +2376,10 @@ static int emulator_do_task_switch(struct x86_emulate_ctxt *ctxt,
 		}
 	}
 
-	if (!next_tss_desc.p || desc_limit_scaled(&next_tss_desc) < 0x67) {
+	desc_limit = desc_limit_scaled(&next_tss_desc);
+	if (!next_tss_desc.p ||
+	    ((desc_limit < 0x67 && (next_tss_desc.type & 8)) ||
+	     desc_limit < 0x2c)) {
 		kvm_queue_exception_e(ctxt->vcpu, TS_VECTOR,
 				      tss_selector & 0xfffc);
 		return X86EMUL_PROPAGATE_FAULT;