On 11/03/2025 11:36 pm, Andrew Cooper wrote:
> On 11/03/2025 9:27 pm, Andrew Cooper wrote:
>> On 11/03/2025 9:22 pm, Andrew Cooper wrote:
>>> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
>>>
>>> This causes the XSA-259 PoC to fail with:
>>>
>>> --- Xen Test Framework ---
>>> Environment: PV 64bit (Long mode 4 levels)
>>> XSA-259 PoC
>>> Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>>> Test result: ERROR
>>>
>>> (Clearly I have a bug in XTF's rendering of the error code too.)
> Nope, it's a QEMU bug. Under QEMU, we get:
>
> --- Xen Test Framework ---
> Environment: PV 64bit (Long mode 4 levels)
> XSA-259 PoC
> (XEN) [ 3.982447] *** #GP/IDT ec 00000802
> (XEN) [ 3.982668] *** #GP/IDT ec 00000802, not permitted
> (XEN) [ 3.982849] *** #GP inject ec 00000802
> Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
> Test result: ERROR
>
>
> On real hardware:
>
> (d1) --- Xen Test Framework ---
> (d1) Environment: PV 64bit (Long mode 4 levels)
> (d1) XSA-259 PoC
> (XEN) *** #GP/IDT ec 00000402
> (XEN) *** #GP/IDT ec 00000402, not permitted
> (XEN) *** #GP inject ec 00000402
> (d1) Success: Not vulnerable to XSA-259
> (d1) Test result: SUCCESS
>
> So it's by chance that Luca's testing even picked up this failure. The
> XSA-259 PoC can't distinguish between the #GP INT emulation path and the
> INT80 fastpath's error path which injects #GP.
And a patch submitted.

https://lore.kernel.org/qemu-devel/[email protected]/T/#u

~Andrew
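As an added worked example (mine, not code from XTF, Xen or QEMU, and not part of the thread): a small Python decoder for the selector-form error code that #GP pushes, applied to the "(XEN) ... ec ..." lines quoted above. The architectural layout (bit 0 EXT, bit 1 IDT, bit 2 TI, bits 3..15 selector index) is what makes 0x402 render as IDT[128], i.e. the INT 0x80 vector, while 0x802 renders as IDT[256], an index no 256-entry IDT can produce. The sample log lines are copied from the thread; the `matches_vector` and `plausible` helper names are my own, and the comment relating 0x802 to a 16-byte gate offset is my reading of the numbers, not something the thread states.

```python
import re

# Architectural field layout of a selector-format error code
# (pushed by #GP, #NP, #SS and #TS). Only the low 16 bits are meaningful;
# XTF's 0x800d0802 packs extra information above them, so we mask.
EXT_BIT = 1 << 0   # fault caused by an external (hardware) event
IDT_BIT = 1 << 1   # index refers to the IDT rather than GDT/LDT
TI_BIT = 1 << 2    # when IDT=0: 1 -> LDT, 0 -> GDT
IDT_ENTRIES = 256  # an IDT index can never exceed 255


def decode_selector_error_code(ec: int) -> dict:
    """Split an error code into ext flag, table name and selector index."""
    ec &= 0xFFFF
    if ec & IDT_BIT:
        table = "IDT"
    else:
        table = "LDT" if ec & TI_BIT else "GDT"
    return {"ext": bool(ec & EXT_BIT), "table": table, "index": ec >> 3}


def render(ec: int) -> str:
    """Human-readable form in the TABLE[index] style XTF prints."""
    d = decode_selector_error_code(ec)
    text = f"{d['table']}[{d['index']}]"
    return text + ",EXT" if d["ext"] else text


def expected_int_error_code(vector: int, ext: bool = False) -> int:
    """Error code hardware pushes when an interrupt/INT through `vector`
    faults on the gate itself: the index is the vector, IDT bit set."""
    return (vector << 3) | IDT_BIT | (EXT_BIT if ext else 0)


def matches_vector(ec: int, vector: int) -> bool:
    """True if `ec` is the code a gate fault on `vector` would produce."""
    return (ec & 0xFFFF & ~EXT_BIT) == expected_int_error_code(vector)


def plausible(ec: int) -> bool:
    """An IDT-form code whose index is >= 256 cannot come from real
    hardware; such a value points at the emulator, not the decoder."""
    d = decode_selector_error_code(ec)
    return d["table"] != "IDT" or d["index"] < IDT_ENTRIES


# Constructed sample: Xen log lines as quoted in the thread (QEMU first,
# then real hardware).
SAMPLE_LOG = """\
(XEN) [ 3.982447] *** #GP/IDT ec 00000802
(XEN) [ 3.982668] *** #GP/IDT ec 00000802, not permitted
(XEN) *** #GP/IDT ec 00000402
(XEN) *** #GP inject ec 00000402
"""

EC_RE = re.compile(r"#GP.*\bec ([0-9a-fA-F]{8})")


def decode_log(text: str) -> list:
    """Return (error_code, rendering) for every #GP line carrying 'ec'."""
    out = []
    for line in text.splitlines():
        m = EC_RE.search(line)
        if m:
            ec = int(m.group(1), 16)
            out.append((ec, render(ec)))
    return out


if __name__ == "__main__":
    for ec, text in decode_log(SAMPLE_LOG):
        verdict = "consistent with INT 0x80" if matches_vector(ec, 0x80) else (
            "not a hardware-producible code" if not plausible(ec) else "other")
        print(f"ec {ec:#06x} -> {text:10s} {verdict}")
    # My reading of the mismatch (assumption, not from the thread):
    # 0x802 == 0x80 * 16 + 2, the 16-byte long-mode gate offset, where
    # the 8-scaled selector index (0x80 * 8 + 2 == 0x402) belongs.
```

Running it prints each code with its rendering: the 0x402 lines decode to IDT[128] and match vector 0x80, while the 0x802 lines decode to IDT[256], which no vector can yield, so the rendering was faithful and the code itself was wrong.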
