Changeset 5342 in vbox for trunk/src/VBox/VMM

Timestamp:

Oct 17, 2007 7:30:36 AM (17 years ago)

Author:

vboxsync

Message:

Protect cmpxchg emulation

Location:

trunk/src/VBox/VMM/VMMGC

Files:

• EMGCA.asm (modified) (3 diffs)
• MMRamGC.cpp (modified) (3 diffs)

trunk/src/VBox/VMM/VMMGC/EMGCA.asm

@@ -26 +26 @@
 ;;
 ; Emulate lock CMPXCHG instruction, CDECL calling conv.
-; EMGCDECL(uint32_t) EMGCEmulateLockCmpXchg(RTGCPTR pu32Param1, uint32_t *pu32Param2, uint32_t u32Param3, size_t cbSize);
+; EMGCDECL(uint32_t) EMGCEmulateLockCmpXchg(RTGCPTR pu32Param1, uint32_t *pu32Param2, uint32_t u32Param3, size_t cbSize, uint32_t *pEflags);
 ;
-; @returns EFLAGS after the operation, only arithmetic flags is valid.
+; @returns eax=0 if data written, other code - invalid access, #PF was generated.
 ; @param    [esp + 04h]    Param 1 - First parameter - pointer to first parameter
 ; @param    [esp + 08h]    Param 2 - Second parameter - pointer to second parameter (eax)
 ; @param    [esp + 0ch]    Param 3 - Third parameter - third parameter
 ; @param    [esp + 10h]    Param 4 - Size of parameters, only 1/2/4 is valid.
+; @param    [esp + 14h]    Param 4 - Pointer to eflags (out)
 ; @uses     eax, ecx, edx
 ;
@@ -79 +80 @@
     pop     eax
 
+    mov     edx, [esp + 14h + 4]            ; eflags pointer
+    mov     dword [edx], eax
+
     pop     ebx
+    mov     eax, VINF_SUCCESS
     retn
+
+; Read error - we will be here after our page fault handler.
+GLOBALNAME EMGCEmulateLockCmpXchg_Error
+    pop     ebx
+    mov     eax, VERR_ACCESS_DENIED
+    ret
+
 ENDPROC     EMGCEmulateLockCmpXchg
 
 ;;
 ; Emulate CMPXCHG instruction, CDECL calling conv.
-; EMGCDECL(uint32_t) EMGCEmulateCmpXchg(RTGCPTR pu32Param1, uint32_t *pu32Param2, uint32_t u32Param3, size_t cbSize);
+; EMGCDECL(uint32_t) EMGCEmulateCmpXchg(RTGCPTR pu32Param1, uint32_t *pu32Param2, uint32_t u32Param3, size_t cbSize, uint32_t *pEflags);
 ;
-; @returns EFLAGS after the operation, only arithmetic flags is valid.
+; @returns eax=0 if data written, other code - invalid access, #PF was generated.
 ; @param    [esp + 04h]    Param 1 - First parameter - pointer to first parameter
 ; @param    [esp + 08h]    Param 2 - Second parameter - pointer to second parameter (eax)
 ; @param    [esp + 0ch]    Param 3 - Third parameter - third parameter
 ; @param    [esp + 10h]    Param 4 - Size of parameters, only 1/2/4 is valid.
+; @param    [esp + 14h]    Param 4 - Pointer to eflags (out)
 ; @uses     eax, ecx, edx
 ;
@@ -138 +151 @@
     pop     eax
 
+    mov     edx, [esp + 14h + 4]        ; eflags pointer
+    mov     dword [edx], eax
+
     pop     ebx
+    mov     eax, VINF_SUCCESS
     retn
+
+; Read error - we will be here after our page fault handler.
+GLOBALNAME EMGCEmulateCmpXchg_Error
+    pop     ebx
+    mov     eax, VERR_ACCESS_DENIED
+    ret
 ENDPROC     EMGCEmulateCmpXchg

trunk/src/VBox/VMM/VMMGC/MMRamGC.cpp

@@ -24 +24 @@
 #include <VBox/cpum.h>
 #include <VBox/trpm.h>
+#include <VBox/em.h>
 #include "MMInternal.h"
 #include <VBox/vm.h>
@@ -40 +41 @@
 DECLASM(void) MMGCRamReadNoTrapHandler_EndProc(void);
 DECLASM(void) MMGCRamWriteNoTrapHandler_EndProc(void);
-
+DECLASM(void) EMGCEmulateCmpXchg_EndProc(void);
+DECLASM(void) EMGCEmulateLockCmpXchg_EndProc(void);
+DECLASM(void) EMGCEmulateCmpXchg_Error(void);
+DECLASM(void) EMGCEmulateLockCmpXchg_Error(void);
 DECLASM(void) MMGCRamRead_Error(void);
 DECLASM(void) MMGCRamWrite_Error(void);
@@ -166 +170 @@
         return VINF_SUCCESS;
     }
+    else if (    (uintptr_t)&EMGCEmulateLockCmpXchg < (uintptr_t)pRegFrame->eip
+             &&  (uintptr_t)pRegFrame->eip < (uintptr_t)&EMGCEmulateLockCmpXchg_EndProc)
+    {
+        /*
+         * Page fault inside EMGCEmulateLockCmpXchg() func.
+         */
+
+        /* Return execution to func at error label. */
+        pRegFrame->eip = (uintptr_t)&EMGCEmulateLockCmpXchg_Error;
+        return VINF_SUCCESS;
+    }
+    else if (    (uintptr_t)&EMGCEmulateCmpXchg < (uintptr_t)pRegFrame->eip
+             &&  (uintptr_t)pRegFrame->eip < (uintptr_t)&EMGCEmulateCmpXchg_EndProc)
+    {
+        /*
+         * Page fault inside EMGCEmulateCmpXchg() func.
+         */
+
+        /* Return execution to func at error label. */
+        pRegFrame->eip = (uintptr_t)&EMGCEmulateCmpXchg_Error;
+        return VINF_SUCCESS;
+    }
 
     /* #PF is not handled - kill the Hypervisor. */