From: Paolo Bonzini Date: Mon, 13 Oct 2025 16:34:28 +0000 (+0200) Subject: target/i386: user: do not set up a valid LDT on reset X-Git-Tag: v10.2.0-rc1~64^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58aa1d08bbc406ba3982f32ffb1bef0ff4f8f369;p=thirdparty%2Fqemu.git target/i386: user: do not set up a valid LDT on reset In user-mode emulation, QEMU uses the default setting of the LDT base and limit, which places it at the bottom 64K of virtual address space. However, by default there is no LDT at all in Linux processes, and therefore the limit should be 0. This is visible as a NULL pointer dereference in LSL and LAR instructions when they try to read the LDT at an unmapped address. Resolves: #1376 Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini --- diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 4f99cbc5c0..455caff6b2 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -8649,7 +8649,11 @@ static void x86_cpu_reset_hold(Object *obj, ResetType type) env->idt.limit = 0xffff; env->gdt.limit = 0xffff; +#if defined(CONFIG_USER_ONLY) + env->ldt.limit = 0; +#else env->ldt.limit = 0xffff; +#endif env->ldt.flags = DESC_P_MASK | (2 << DESC_TYPE_SHIFT); env->tr.limit = 0xffff; env->tr.flags = DESC_P_MASK | (11 << DESC_TYPE_SHIFT);
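Review bot: the new `#if defined(CONFIG_USER_ONLY)` branch that sets `env->ldt.limit = 0` should carry a one-line comment in the code saying why (a fresh Linux process has no LDT, so any selector with TI=1 must fail the descriptor-table limit check instead of reading memory at the default LDT base), because x86_cpu_reset_hold() is the only place this decision is recorded and the commit message will not be in front of the next reader. The value itself is right: LSL and LAR test `index*8 + 7 > limit`, so a limit of 0 rejects index 0 as well as every higher index, and the unchanged `env->ldt.flags = DESC_P_MASK | (2 << DESC_TYPE_SHIFT);` line that follows can stay as it is, since an LDT that is marked present but cannot be indexed is harmless. The system-emulation branch keeps the previous `0xffff`, so softmmu behaviour is unaffected.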
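The following probe is an added example, not part of the commit above or of the QEMU source tree, written to show the guest-visible behaviour the patch is aligning with. On native x86 Linux a process that never called modify_ldt() has an empty LDT, so LSL/LAR on a selector with the table-indicator bit set simply clears ZF; LSL/LAR on the live code-segment selector succeeds. The same binary run under a pre-patch qemu-x86_64 user-mode build hits the unmapped-memory read the commit describes instead of returning false. The helper names (make_selector, lsl_ok, lar_ok, current_cs) and the selector values walked in main() are this example's own assumptions; the instruction semantics (offset+7 compared against the table limit, ZF as the result flag, destination left untouched on failure) are from the x86 architecture.

```c
/* lsl_probe.c: probe LSL/LAR against GDT and LDT selectors.
 * Added example; not part of the QEMU commit or the QEMU code base.
 * Assumes an x86-64 or i386 Linux process that has not called modify_ldt(),
 * so the LDT is empty (limit 0), the state the patch gives QEMU user-mode
 * guests at reset. Build: cc -O2 lsl_probe.c -o lsl_probe && ./lsl_probe */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "this example needs an x86 host: LSL and LAR are x86 instructions"
#endif

#define SEL_TI_LDT 0x4u   /* table indicator: 1 = LDT, 0 = GDT */
#define SEL_RPL_MASK 0x3u

/* Build a selector from descriptor index, table indicator and RPL. */
static uint16_t make_selector(unsigned index, bool ldt, unsigned rpl)
{
    return (uint16_t)((index << 3) | (ldt ? SEL_TI_LDT : 0) | (rpl & SEL_RPL_MASK));
}

/* LSL: load the segment limit of 'sel'. Returns true (and fills *limit)
 * when the CPU set ZF, i.e. the selector addressed a valid, accessible
 * descriptor; false when it was rejected (ZF clear). On rejection the
 * destination register is left untouched, hence "+r" and the zero init.
 * 'sel' is 16-bit so the assembler emits the r/m16 source form. */
static bool lsl_ok(uint16_t sel, uint32_t *limit)
{
    uint32_t out = 0;
    unsigned char zf;
    __asm__ volatile("lsl %2, %0\n\t"
                     "setz %1"
                     : "+r"(out), "=q"(zf)
                     : "r"(sel)
                     : "cc");
    if (limit) {
        *limit = out;
    }
    return zf != 0;
}

/* LAR: same protocol, returns the access-rights word instead. */
static bool lar_ok(uint16_t sel, uint32_t *ar)
{
    uint32_t out = 0;
    unsigned char zf;
    __asm__ volatile("lar %2, %0\n\t"
                     "setz %1"
                     : "+r"(out), "=q"(zf)
                     : "r"(sel)
                     : "cc");
    if (ar) {
        *ar = out;
    }
    return zf != 0;
}

/* The running code segment selector: a live GDT entry with DPL 3, so
 * LSL/LAR on it must succeed from user mode. */
static uint16_t current_cs(void)
{
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs;
}

int main(void)
{
    uint32_t limit = 0, ar = 0;
    uint16_t cs = current_cs();

    if (lsl_ok(cs, &limit) && lar_ok(cs, &ar)) {
        printf("cs=0x%04x (GDT): limit=0x%08x ar=0x%08x, ZF set\n", cs, limit, ar);
    } else {
        printf("cs=0x%04x (GDT): rejected, which should not happen\n", cs);
    }

    /* Walk the first LDT indices: with an empty LDT every one must be
     * rejected, index 0 included, because the check is index*8+7 > limit.
     * A pre-patch qemu-x86_64 user-mode build faults here instead. */
    for (unsigned i = 0; i < 4; i++) {
        uint16_t sel = make_selector(i, true, 3);
        printf("sel=0x%04x (LDT index %u): %s\n", sel, i,
               lsl_ok(sel, NULL) ? "accepted, ZF set" : "rejected, ZF clear");
    }
    return 0;
}
```

To reproduce the bug report, build the probe statically for x86-64 and run it under a pre-patch qemu-x86_64; with the patch applied it prints the same four "rejected" lines as native hardware.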