Changeset 104219 in vbox for trunk

Timestamp:

Apr 8, 2024 6:01:43 AM (10 months ago)

Author:

vboxsync

Message:

VMM: bugref:10610 Fixed MSR loading.

Location:

trunk/src/VBox/VMM

Files:

• VMMAll/CPUMAllMsrs.cpp (modified) (4 diffs)
• VMMR0/HMVMXR0.cpp (modified) (1 diff)

trunk/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp

@@ -1780 +1780 @@
 {
     RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue);
-    pVCpu->cpum.s.Guest.msrSFMASK = uValue;
+    /* The high bits are ignored and read-as-zero, writing to them does not raise #GP. See @bugref{10610}.*/
+    pVCpu->cpum.s.Guest.msrSFMASK = uValue & UINT32_MAX;
     return VINF_SUCCESS;
 }
@@ -1798 +1799 @@
 {
     RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue);
-    pVCpu->cpum.s.Guest.fs.u64Base = uValue;
-    return VINF_SUCCESS;
+    if (X86_IS_CANONICAL(uValue))
+    {
+        pVCpu->cpum.s.Guest.fs.u64Base = uValue;
+        return VINF_SUCCESS;
+    }
+    Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue));
+    return VERR_CPUM_RAISE_GP_0;
 }
 
@@ -1815 +1821 @@
 {
     RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue);
-    pVCpu->cpum.s.Guest.gs.u64Base = uValue;
-    return VINF_SUCCESS;
+    if (X86_IS_CANONICAL(uValue))
+    {
+        pVCpu->cpum.s.Guest.gs.u64Base = uValue;
+        return VINF_SUCCESS;
+    }
+    Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue));
+    return VERR_CPUM_RAISE_GP_0;
 }
 
@@ -1833 +1844 @@
 {
     RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue);
-    pVCpu->cpum.s.Guest.msrKERNELGSBASE = uValue;
-    return VINF_SUCCESS;
+    if (X86_IS_CANONICAL(uValue))
+    {
+        pVCpu->cpum.s.Guest.msrKERNELGSBASE = uValue;
+        return VINF_SUCCESS;
+    }
+    Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue));
+    return VERR_CPUM_RAISE_GP_0;
 }
 

trunk/src/VBox/VMM/VMMR0/HMVMXR0.cpp

@@ -380 +380 @@
         else
         {
-            ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pCtx->msrKERNELGSBASE);
-            ASMWrMsr(MSR_K8_LSTAR,          pCtx->msrLSTAR);
-            ASMWrMsr(MSR_K6_STAR,           pCtx->msrSTAR);
-            /* The system call flag mask register isn't as benign and accepting of all
-               values as the above, so mask it to avoid #GP'ing on corrupted input. */
-            Assert(!(pCtx->msrSFMASK & ~(uint64_t)UINT32_MAX));
-            ASMWrMsr(MSR_K8_SF_MASK,        pCtx->msrSFMASK & UINT32_MAX);
+            /* Avoid raising #GP caused by writing illegal values to these MSRs. */
+            if (   X86_IS_CANONICAL(pCtx->msrKERNELGSBASE)
+                && X86_IS_CANONICAL(pCtx->msrLSTAR))
+            {
+                ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pCtx->msrKERNELGSBASE);
+                ASMWrMsr(MSR_K8_LSTAR,          pCtx->msrLSTAR);
+                ASMWrMsr(MSR_K6_STAR,           pCtx->msrSTAR);
+                /* The system call flag mask register isn't as benign and accepting of all
+                   values as the above, so mask it to avoid #GP'ing on corrupted input. */
+                Assert(!(pCtx->msrSFMASK & ~(uint64_t)UINT32_MAX));
+                ASMWrMsr(MSR_K8_SF_MASK,        pCtx->msrSFMASK & UINT32_MAX);
+            }
+            else
+                AssertMsgFailed(("Incompatible lazily-loaded guest MSR values\n"));
         }
     }