target/i386: Fix tss access size in switch_tss_ra
The two limit_max variables represent size - 1, just like the
encoding in the GDT, thus the 'old' access was off by one.
Access the minimal size of the new tss: the complete tss contains
the iopb, which may be a larger block than the access api expects,
and irrelevant because the iopb is not accessed during the
switch itself.

Fixes: 8b13106 ("target/i386/tcg: use X86Access for TSS access")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2511
Signed-off-by: Richard Henderson <[email protected]>
Message-Id: <[email protected]>
Reviewed-by: Peter Maydell <[email protected]>
Reviewed-by: Pierrick Bouvier <[email protected]>
rth7680 committed Aug 20, 2024
1 parent 83a3a20 commit ded1db4
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions target/i386/tcg/seg_helper.c
@@ -378,15 +378,16 @@ static int switch_tss_ra(CPUX86State *env, int tss_selector,

/* X86Access avoids memory exceptions during the task switch */
mmu_index = cpu_mmu_index_kernel(env);
access_prepare_mmu(&old, env, env->tr.base, old_tss_limit_max,
access_prepare_mmu(&old, env, env->tr.base, old_tss_limit_max + 1,
MMU_DATA_STORE, mmu_index, retaddr);

if (source == SWITCH_TSS_CALL) {
/* Probe for future write of parent task */
probe_access(env, tss_base, 2, MMU_DATA_STORE,
mmu_index, retaddr);
}
access_prepare_mmu(&new, env, tss_base, tss_limit,
/* While true tss_limit may be larger, we don't access the iopb here. */
access_prepare_mmu(&new, env, tss_base, tss_limit_max + 1,
MMU_DATA_LOAD, mmu_index, retaddr);

/* save the current state in the old TSS */
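Review bot: The second change does more than the title's off-by-one fix: the `new` access shrinks from `tss_limit` (the descriptor's real limit) to `tss_limit_max + 1` (the minimal TSS size), which is only safe if switch_tss_ra has already rejected a descriptor whose limit is smaller than `tss_limit_max`; that check is outside this hunk, so the new comment should say so, e.g. "The descriptor's tss_limit may be larger (checked against tss_limit_max above); the iopb beyond the minimal size is not accessed here." The comment as written, "While true tss_limit may be larger, we don't access the iopb here.", also reads awkwardly ("While true" looks like a loop condition); rewording it as above fixes both points.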
