Missing privilege level checks in x86 emulation of far branches

The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax; LCALL, LJMP, and LRET in AT&T assembly syntax) performs only incomplete privilege level checks when loading the code segment register.

Vulnerability class: missing privilege check

x86emul: enforce privilege level restrictions when loading CS

Privilege level checks were basically missing for the CS case, the only check that was done (RPL == DPL for nonconforming segments) was solely covering a single special case (return to non-conforming segment).

Additionally in long mode the L bit set requires the D bit to be clear,

Finally we also need to force the loaded selector’s RPL to CPL (at least as long as lret/retf emulation doesn’t support privilege level changes).
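The checks the commit message describes, written out as an added, self-contained illustration that is not Xen's code: the architectural far-branch rules for a CS load (non-conforming targets need RPL <= CPL and DPL == CPL for JMP/CALL and DPL == RPL with RPL >= CPL for RET; conforming targets need DPL <= CPL, or DPL <= RPL on RET), the long-mode rule that L=1 with D=1 is invalid, and the final step of forcing the stored selector's RPL to CPL. The descriptor struct, the result codes and the sample descriptors in `main` are constructed for this example; the handling of a RET that would change CPL (rejected as unsupported) is an assumption based on the text's note that lret/retf emulation does not support privilege level changes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified code-segment descriptor (not Xen's or the SDM's bit layout). */
typedef struct {
    bool     present;     /* P bit */
    bool     code;        /* executable segment */
    bool     conforming;  /* conforming code segment (type bit C) */
    unsigned dpl;         /* descriptor privilege level 0..3 */
    bool     l_bit;       /* 64-bit code segment (long mode) */
    bool     d_bit;       /* default operand size */
} cs_desc;

enum far_kind { FAR_JMP_CALL, FAR_RET };

enum cs_load_result {
    CS_OK = 0,
    CS_GP_NOT_CODE,              /* target is not a code segment */
    CS_GP_PRIV,                  /* RPL/DPL/CPL rule violated */
    CS_GP_L_AND_D,               /* long mode: L=1 together with D=1 */
    CS_NP,                       /* segment not present */
    CS_UNSUPPORTED_PRIV_CHANGE   /* RET that would change CPL: not emulated (assumption) */
};

/*
 * Validate a far-branch load of CS. On CS_OK, *out_sel receives the selector
 * value to store, with its RPL forced to the current CPL as the fix requires.
 */
enum cs_load_result check_cs_load(enum far_kind kind, unsigned cpl, uint16_t sel,
                                  const cs_desc *d, bool long_mode, uint16_t *out_sel)
{
    unsigned rpl = sel & 3u;

    if (!d->code)
        return CS_GP_NOT_CODE;
    if (long_mode && d->l_bit && d->d_bit)   /* L set requires D clear */
        return CS_GP_L_AND_D;

    if (kind == FAR_JMP_CALL) {
        if (d->conforming) {
            if (d->dpl > cpl)                /* conforming: may only be at or below CPL */
                return CS_GP_PRIV;
        } else {
            if (rpl > cpl || d->dpl != cpl)  /* non-conforming: no privilege change */
                return CS_GP_PRIV;
        }
    } else { /* FAR_RET: return may only go to the same or an outer ring */
        if (rpl < cpl)
            return CS_GP_PRIV;
        if (d->conforming ? (d->dpl > rpl) : (d->dpl != rpl))
            return CS_GP_PRIV;
        if (rpl != cpl)                      /* outer-ring return not supported here */
            return CS_UNSUPPORTED_PRIV_CHANGE;
    }

    if (!d->present)
        return CS_NP;

    *out_sel = (uint16_t)((sel & ~3u) | cpl); /* force loaded selector's RPL to CPL */
    return CS_OK;
}

/* Convenience wrappers returning plain values (used by the self-test below). */
int cs_load_outcome(enum far_kind kind, unsigned cpl, uint16_t sel, const cs_desc *d, bool lm)
{
    uint16_t out;
    return (int)check_cs_load(kind, cpl, sel, d, lm, &out);
}

int cs_load_selector(enum far_kind kind, unsigned cpl, uint16_t sel, const cs_desc *d, bool lm)
{
    uint16_t out = 0;
    return check_cs_load(kind, cpl, sel, d, lm, &out) == CS_OK ? (int)out : -1;
}

int main(void)
{
    /* Constructed sample descriptors: a ring-0 non-conforming kernel segment and a conforming one. */
    const cs_desc kernel_nc = { .present = 1, .code = 1, .conforming = 0, .dpl = 0 };
    const cs_desc kernel_cf = { .present = 1, .code = 1, .conforming = 1, .dpl = 0 };

    /* Guest user mode (CPL 3) far-jumping to a ring-0 non-conforming segment must fault.
     * The old "RPL == DPL" check alone would have let selector 0x0008 (RPL 0) through. */
    printf("cpl3 -> nonconforming dpl0: %d (expect %d)\n",
           cs_load_outcome(FAR_JMP_CALL, 3, 0x0008, &kernel_nc, false), CS_GP_PRIV);
    /* A conforming segment is reachable, but CPL stays 3 and the stored RPL is forced to 3. */
    printf("cpl3 -> conforming dpl0: selector 0x%04x (expect 0x000b)\n",
           cs_load_selector(FAR_JMP_CALL, 3, 0x0008, &kernel_cf, false));
    return 0;
}
```

Running the stand-alone `main` shows the two cases that matter for the advisory: the ring-3 to ring-0 non-conforming jump is refused, and the conforming jump succeeds without changing privilege because the stored selector keeps RPL 3.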


Malicious HVM guest user mode code may be able to elevate its privileges to guest supervisor mode, or to crash the guest, because the emulator would load a code segment selector that the hardware checks would have rejected.

Impact: privilege escalation, guest DoS