From: Roy Hopkins <roy.hopkins@randomman.co.uk>
Date: Thu, 3 Jul 2025 15:31:58 +0000 (+0100)
Subject: target/i386: Allow setting of R_LDTR and R_TR with cpu_x86_load_seg_cache()
X-Git-Tag: v10.1.0-rc0~21^2~54
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0e8986668426dbd2bb3eee4c6e14fe6262ca34e;p=thirdparty%2Fqemu.git

target/i386: Allow setting of R_LDTR and R_TR with cpu_x86_load_seg_cache()

The x86 segment registers are identified by the X86Seg enumeration which
includes LDTR and TR as well as the normal segment registers. The
function 'cpu_x86_load_seg_cache()' uses the enum to determine which
segment to set. However, specifying R_LDTR or R_TR results in an
out-of-bounds access of the segment array.

Possibly by coincidence, the function does correctly set LDTR or TR in
this case as the structures for these registers immediately follow the
array which is accessed out of bounds.

This patch adds correct handling for R_LDTR and R_TR in the function.

Signed-off-by: Roy Hopkins <roy.hopkins@randomman.co.uk>
Acked-by: Gerd Hoffman <kraxel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Ani Sinha <anisinha@redhat.com>
Link: https://lore.kernel.org/r/95c69253ea4f91107625872d5e3f0c586376771d.1751554099.git.roy.hopkins@randomman.co.uk
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---

diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index be3ae6d546..9829824ac8 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -2417,7 +2417,14 @@ static inline void cpu_x86_load_seg_cache(CPUX86State *env,
     SegmentCache *sc;
     unsigned int new_hflags;
 
-    sc = &env->segs[seg_reg];
+    if (seg_reg == R_LDTR) {
+        sc = &env->ldt;
+    } else if (seg_reg == R_TR) {
+        sc = &env->tr;
+    } else {
+        sc = &env->segs[seg_reg];
+    }
+
     sc->selector = selector;
     sc->base = base;
     sc->limit = limit;