diff mbox series

target/i386/tcg: Check for valid descriptor table before loading segment descriptor

Message ID 20230824104637.216258-2-rayhan.faizel@gmail.com (mailing list archive)
State New, archived
Headers show
Series target/i386/tcg: Check for valid descriptor table before loading segment descriptor | expand

Commit Message

Rayhan Faizel Aug. 24, 2023, 10:46 a.m. UTC 
LSL and LAR can cause segmentation faults in certain scenarios under QEMU. 
This occurs particularly when the base of either GDT or LDT depending on 
bit 2 of selector is NULL.

On real CPU, invalid LSL/LAR does nothing besides clearing ZF.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1376
Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>
---
 target/i386/tcg/seg_helper.c | 4 ++++
 1 file changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/target/i386/tcg/seg_helper.c b/target/i386/tcg/seg_helper.c
index e8d19c65fd..4c36462162 100644
--- a/target/i386/tcg/seg_helper.c
+++ b/target/i386/tcg/seg_helper.c
@@ -78,6 +78,10 @@  static inline int load_segment_ra(CPUX86State *env, uint32_t *e1_ptr,
     } else {
         dt = &env->gdt;
     }
+    /* Check valid DT base before fetching segment descriptor*/
+    if (!dt->base) {
+        return -1;
+    }
     index = selector & ~7;
     if ((index + 7) > dt->limit) {
         return -1;