On Fri, Jul 29, 2022, Michal Luczaj wrote:
> To trigger the emulator and feed it with LEA, we VM-exit on IO (with a
> single OUTS), then race decoder's instruction fetch - hoping to replace the
> initial IO op with an illegal LEA.
Rather than play games with memory, can't we just require and use force_emulation_prefix to force KVM to emulate a bogus LEA encoding? emulator.c in KVM-unit-tests already has most of what you need, e.g. I believe it's just a matter of implementing test_illegal_lea(). That test already has test_smsw_reg(), which is darn near the same thing, it just expects a different result (success instead of #UD).
diff --git a/x86/emulator.c b/x86/emulator.c index cd78e3cb..dd50578d 100644 --- a/x86/emulator.c +++ b/x86/emulator.c @@ -1193,6 +1193,7 @@ int main(void) test_smsw_reg(mem); test_nop(mem); test_mov_dr(mem); + test_illegal_lea(); } else { report_skip("skipping register-only tests, " "use kvm.force_emulation_prefix=1 to enable");
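Review bot: the hunk adds a call to test_illegal_lea() inside the force_emulation_prefix-gated branch of main() but carries no definition of test_illegal_lea(), so as posted x86/emulator.c will not build; the definition (modelled on test_smsw_reg() as discussed above, but expecting #UD) needs to be part of the same patch. Note also that the neighbouring calls `test_smsw_reg(mem); test_nop(mem); test_mov_dr(mem);` all take `mem` while the new call takes no argument; if the test only needs a register-direct encoding that is fine, but the signature should be chosen deliberately and the function name placed in the same block of forward declarations as the others.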
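For readers who want to see what makes an LEA encoding "bogus" in the first place, here is an added example that is not part of the thread, the patch, or kvm-unit-tests: a small decoder-side check of the rule the proposed test exercises. LEA (opcode 0x8D) computes an effective address, so its ModRM byte must describe a memory operand; when ModRM.mod == 3 the r/m field names a register, the encoding is invalid and hardware raises #UD. The function name, the verdict enum and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts returned by the example classifier (names are ours, not KVM's). */
enum lea_verdict {
    LEA_NOT_LEA = -1,   /* opcode is not LEA, or the byte string is too short */
    LEA_LEGAL = 0,      /* memory-operand LEA, emulate normally */
    LEA_ILLEGAL_UD = 1  /* register-direct LEA (ModRM.mod == 3): must raise #UD */
};

/* Legacy prefixes that may precede the opcode byte. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67: case 0xf0: case 0xf2: case 0xf3:   /* opsize, adsize, LOCK, REPNE, REP */
    case 0x26: case 0x2e: case 0x36: case 0x3e: case 0x64: case 0x65: /* segment overrides */
        return 1;
    default:
        return 0;
    }
}

/*
 * Classify an instruction byte string. In 64-bit mode a REX prefix (0x40-0x4F)
 * may sit between the legacy prefixes and the opcode; outside long mode those
 * bytes are INC/DEC and the string is simply not an LEA.
 */
enum lea_verdict classify_lea(const uint8_t *insn, size_t len, int long_mode)
{
    size_t i = 0;

    while (i < len && is_legacy_prefix(insn[i]))
        i++;
    if (long_mode && i < len && (insn[i] & 0xf0) == 0x40)
        i++;                                    /* skip REX */
    if (i + 1 >= len || insn[i] != 0x8d)
        return LEA_NOT_LEA;                     /* need opcode + ModRM */

    uint8_t modrm = insn[i + 1];
    /* mod == 3 selects a register in r/m: there is no address to compute. */
    return ((modrm >> 6) & 3) == 3 ? LEA_ILLEGAL_UD : LEA_LEGAL;
}

int main(void)
{
    /* Constructed sample encodings. */
    static const uint8_t lea_mem[]    = { 0x8d, 0x45, 0x00 };             /* lea eax, [ebp+0]      */
    static const uint8_t lea_rex_mem[] = { 0x48, 0x8d, 0x04, 0x25, 0, 0, 0, 0 }; /* lea rax, [0] */
    static const uint8_t lea_reg[]    = { 0x8d, 0xc0 };                   /* lea eax, eax  -> #UD  */
    static const uint8_t lea_rex_reg[] = { 0x48, 0x8d, 0xc0 };            /* lea rax, rax  -> #UD  */
    static const uint8_t mov_reg[]    = { 0x89, 0xc0 };                   /* mov eax, eax          */

    printf("lea mem        : %d\n", classify_lea(lea_mem, sizeof lea_mem, 1));
    printf("rex lea mem    : %d\n", classify_lea(lea_rex_mem, sizeof lea_rex_mem, 1));
    printf("lea reg        : %d\n", classify_lea(lea_reg, sizeof lea_reg, 1));
    printf("rex lea reg    : %d\n", classify_lea(lea_rex_reg, sizeof lea_rex_reg, 1));
    printf("rex bytes, 32b : %d\n", classify_lea(lea_rex_reg, sizeof lea_rex_reg, 0));
    printf("mov reg        : %d\n", classify_lea(mov_reg, sizeof mov_reg, 1));
    return 0;
}
```

The last two cases are the ones a test author should keep in mind: the same bytes `48 8d c0` are an illegal LEA in 64-bit mode but `dec eax; lea ...` in 32-bit mode, so a test that feeds a fixed encoding through the emulator has to be written for the mode it actually runs in.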