Changeset 10687 in vbox for trunk/src/VBox

Timestamp:

Jul 16, 2008 9:22:28 AM (16 years ago)

Author:

vboxsync

Message:

Save the FPU control word and MXCSR on entry and restore them afterwards. (VT-x & AMD-V)
Security measure so the guest can't cause fpu/sse exceptions as we no longer restore the entire
host fpu state.

Location:

trunk/src/VBox/VMM

Files:

• CPUM.cpp (modified) (2 diffs)
• CPUMInternal.h (modified) (2 diffs)
• CPUMInternal.mac (modified) (1 diff)
• VMMAll/CPUMAllA.asm (modified) (3 diffs)
• VMMR0/CPUMR0.cpp (modified) (3 diffs)
• VMMR0/HWACCMR0.cpp (modified) (1 diff)

trunk/src/VBox/VMM/CPUM.cpp

@@ -83 +83 @@
 typedef CPUMDUMPTYPE *PCPUMDUMPTYPE;
 
-
 /*******************************************************************************
 *   Internal Functions                                                         *
@@ -135 +134 @@
     }
     ASMCpuId_ECX_EDX(1, &pVM->cpum.s.CPUFeatures.ecx, &pVM->cpum.s.CPUFeatures.edx);
+    ASMCpuId_ECX_EDX(0x80000001, &pVM->cpum.s.CPUFeaturesExt.ecx, &pVM->cpum.s.CPUFeaturesExt.edx);
 
     /* Setup the CR4 AND and OR masks used in the switcher */

trunk/src/VBox/VMM/CPUMInternal.h

@@ -322 +322 @@
         X86CPUIDFEATECX     ecx;
     }   CPUFeatures;
+    /** Host extended CPU features. */
+    struct
+    {
+        /** edx part */
+        uint32_t     edx;
+        /** ecx part */
+        uint32_t     ecx;
+    }   CPUFeaturesExt;
 
     /* CPU manufacturer. */
@@ -360 +368 @@
 __BEGIN_DECLS
 
-DECLASM(int)  CPUMHandleLazyFPUAsm(PCPUM pCPUM);
-DECLASM(int)  CPUMRestoreHostFPUStateAsm(PCPUM pCPUM);
-DECLASM(void) CPUMLoadFPUAsm(PCPUMCTX pCtx);
-DECLASM(void) CPUMSaveFPUAsm(PCPUMCTX pCtx);
-DECLASM(void) CPUMLoadXMMAsm(PCPUMCTX pCtx);
-DECLASM(void) CPUMSaveXMMAsm(PCPUMCTX pCtx);
-
+DECLASM(int)      CPUMHandleLazyFPUAsm(PCPUM pCPUM);
+DECLASM(int)      CPUMRestoreHostFPUStateAsm(PCPUM pCPUM);
+DECLASM(void)     CPUMLoadFPUAsm(PCPUMCTX pCtx);
+DECLASM(void)     CPUMSaveFPUAsm(PCPUMCTX pCtx);
+DECLASM(void)     CPUMLoadXMMAsm(PCPUMCTX pCtx);
+DECLASM(void)     CPUMSaveXMMAsm(PCPUMCTX pCtx);
+DECLASM(void)     CPUMSetFCW(uint16_t u16FCW);
+DECLASM(uint16_t) CPUMGetFCW();
+DECLASM(void)     CPUMSetMXCSR(uint32_t u32MXCSR);
+DECLASM(uint32_t) CPUMGetMXCSR();
 
 __END_DECLS

trunk/src/VBox/VMM/CPUMInternal.mac

@@ -406 +406 @@
     .CPUFeatures.ecx      resd    1
 
+    ; CPUID eax=0x80000001
+    .CPUFeaturesExt.edx   resd    1
+    .CPUFeaturesExt.ecx   resd    1
+
     .enmCPUVendor         resd    1
 

trunk/src/VBox/VMM/VMMAll/CPUMAllA.asm

@@ -291 +291 @@
 ; @param    pCtx  x86:[esp+4] GCC:rdi MSC:rcx     CPUMCTX pointer
 ;
+align 16
 BEGINPROC   CPUMLoadXMMAsm
 %ifdef RT_ARCH_AMD64
@@ -334 +335 @@
 ; @param    pCtx  x86:[esp+4] GCC:rdi MSC:rcx     CPUMCTX pointer
 ;
+align 16
 BEGINPROC   CPUMSaveXMMAsm
 %ifdef RT_ARCH_AMD64
@@ -371 +373 @@
 ENDPROC     CPUMSaveXMMAsm
 
+
+;;
+; Set the FPU control word; clearing exceptions first
+;
+; @param  u16FCW    x86:[esp+4] GCC:rdi MSC:rcx     New FPU control word
+align 16
+BEGINPROC CPUMSetFCW
+%ifdef RT_ARCH_AMD64
+ %ifdef RT_OS_WINDOWS
+    mov     xAX, rcx
+ %else
+    mov     xAX, rdi
+ %endif
+%else
+    mov     xAX, dword [esp + 4]
+%endif
+    fnclex
+    push    xAX
+    fldcw   [xSP]
+    pop     xAX
+    ret
+ENDPROC   CPUMSetFCW
+
+;;
+; Get the FPU control word
+;
+align 16
+BEGINPROC CPUMGetFCW
+    fnstcw  [xSP - 8]
+    mov     ax, word [xSP - 8]
+    ret
+ENDPROC   CPUMGetFCW
+
+
+;;
+; Set the MXCSR; 
+;
+; @param  u32MXCSR    x86:[esp+4] GCC:rdi MSC:rcx     New MXCSR
+align 16
+BEGINPROC CPUMSetMXCSR
+%ifdef RT_ARCH_AMD64
+ %ifdef RT_OS_WINDOWS
+    mov     xAX, rcx
+ %else
+    mov     xAX, rdi
+ %endif
+%else
+    mov     xAX, dword [esp + 4]
+%endif
+    push    xAX
+    ldmxcsr [xSP]
+    pop     xAX
+    ret
+ENDPROC   CPUMSetMXCSR
+
+;;
+; Get the MXCSR
+;
+align 16
+BEGINPROC CPUMGetMXCSR
+    stmxcsr [xSP - 8]
+    mov     eax, dword [xSP - 8]
+    ret
+ENDPROC   CPUMGetMXCSR

trunk/src/VBox/VMM/VMMR0/CPUMR0.cpp

@@ -163 +163 @@
         break;
     }
+    /* Save the FPU control word and MXCSR, so we can restore the properly afterwards. 
+     * We don't want the guest to be able to trigger floating point/SSE exceptions on the host.
+     */
+    pVM->cpum.s.Host.fpu.FCW = CPUMGetFCW();
+    if (pVM->cpum.s.CPUFeatures.edx.u1SSE)
+        pVM->cpum.s.Host.fpu.MXCSR = CPUMGetMXCSR();
+
     CPUMLoadFPUAsm(pCtx);
 
@@ -169 +176 @@
      * MSR_K6_EFER_FFXSR changes the behaviour of fxsave and fxrstore: the XMM state isn't saved/restored
      */
-    if (pVM->cpum.s.aGuestCpuIdExt[1].edx & X86_CPUID_AMD_FEATURE_EDX_FFXSR /* cpuid 0x80000001 */)
+    if (pVM->cpum.s.CPUFeaturesExt.edx & X86_CPUID_AMD_FEATURE_EDX_FFXSR)
     {
         /* @todo Do we really need to read this every time?? The host could change this on the fly though. */
-        /* Note: Solaris sets this bit on a per-process basis, so we do need to check each time. */
         uint64_t msrEFERHost = ASMRdMsr(MSR_K6_EFER);
 
@@ -207 +213 @@
         CPUMSaveXMMAsm(pCtx);
     }
+    /* Restore the original FPU control word and MXCSR. 
+     * We don't want the guest to be able to trigger floating point/SSE exceptions on the host.
+     */
+    CPUMSetFCW(pVM->cpum.s.Host.fpu.FCW);
+    if (pVM->cpum.s.CPUFeatures.edx.u1SSE)
+        CPUMSetMXCSR(pVM->cpum.s.Host.fpu.MXCSR);
+
     pVM->cpum.s.fUseFlags &= ~(CPUM_USED_FPU|CPUM_MANUAL_XMM_RESTORE);
     return VINF_SUCCESS;

trunk/src/VBox/VMM/VMMR0/HWACCMR0.cpp

@@ -770 +770 @@
     /*        We must restore the host FPU here to make absolutely sure we don't leave the guest FPU state active
      *        or trash somebody else's FPU state.
-     */
-
-    /*
-     * @note We are trashing our own FPU state. That could be a problem if some ring 3 code relies on the FPU control
-     *       word having a specific value (exceptions, precision etc).
      */
     /* Save the guest FPU and XMM state if necessary. */