From 8d246db03eaa339c88e04ba5bea356164ea26d2a Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Tue, 29 Nov 2016 18:35:46 +0000
Subject: [PATCH] x86/emul: Correct the behaviour of pop %ss and interrupt shadowing

The mov_ss retire flag should only be set once load_seg() has returned success. In particular, it should not be set if an exception occured when trying to load %ss. _hvm_emulate_one(), currently the sole user of mov_ss, only consideres it in the case that x86_emulate() returns X86EMUL_OKAY, so this bug isn't actually exposed to guests.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 2ead6dbb46..bfcc05dff3 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2656,6 +2656,8 @@ x86_emulate(
 &dst.val, op_bytes, ctxt, ops)) != 0 ||
 (rc = load_seg(src.val, dst.val, 0, NULL, ctxt, ops)) != 0 )
 goto done;
+ if ( src.val == x86_seg_ss )
+ ctxt->retire.mov_ss = true;
 break;
 
 case 0x0e: /* push %%cs */
@@ -2668,7 +2670,6 @@ x86_emulate(
 
 case 0x17: /* pop %%ss */
 src.val = x86_seg_ss;
- ctxt->retire.mov_ss = true;
 goto pop_seg;
 
 case 0x1e: /* push %%ds */
-- 
2.30.2
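Review bot: The new `if ( src.val == x86_seg_ss )` placed after `goto done` in the shared `pop_seg` path carries no comment saying why the flag is set here rather than in the `case 0x17` arm, so a reader of this path alone cannot tell that the ordering relative to `load_seg()` is the whole point. A one-line comment above the check, such as `/* Arm the %ss interrupt shadow only once load_seg() has succeeded; a faulting pop must not leave it set. */`, would keep the rationale from the commit message next to the code. The enclosing `x86_emulate()` switch starts and ends outside the hunk, so whether any other writer of `retire.mov_ss` (for instance a mov-to-%ss path, if one exists) follows the same success-first ordering cannot be confirmed from here and is worth checking in the same pass.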