A developer building a Type-2 hypervisor as a kernel module discovered a sign-extension bug in a C helper function borrowed from the Linux KVM selftests. The bug in `get_desc64_base` caused incorrect TSS base addresses to be written into the VMCS HOST_TR_BASE field whenever `base2` had its most significant bit set, leading to catastrophic CPU core crashes and cascading IPI lockups on multi-core systems. The root cause was C integer promotion: a uint8_t is promoted to int before it is shifted, so shifting it left by 24 bits places its high bit in the sign bit, and when that negative int is widened to uint64_t for the OR with the upper half of the address it sign-extends to all ones, corrupting the upper 32 bits. The fix is to cast each field to uint64_t before shifting. The patch was submitted to the Linux kernel mailing list and merged. An LLM consulted during debugging incorrectly concluded the hardware was faulty.
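The promotion bug described above, reproduced side by side with its fix, as an added example that is not code from the post or from the KVM selftests. The `struct desc64` layout here is an assumption chosen to mirror how a 64-bit TSS descriptor splits its base across four fields; `desc_from_base` and `base_is_corrupted` are hypothetical helpers added so the two forms can be compared on a constructed address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed descriptor layout: the 64-bit base is scattered over four fields,
 * as in the x86 TSS descriptor (field widths chosen for clarity). */
struct desc64 {
    uint16_t base0;   /* base bits 15:0  */
    uint8_t  base1;   /* base bits 23:16 */
    uint8_t  base2;   /* base bits 31:24 */
    uint32_t base3;   /* base bits 63:32 */
};

/* Buggy form: base2 is promoted to int before the shift, so bit 7 of base2
 * lands in the sign bit; the negative int then sign-extends when widened to
 * uint64_t for the OR with base3, and the upper 32 bits become all ones. */
static uint64_t get_desc64_base_buggy(const struct desc64 *desc)
{
    return ((uint64_t)desc->base3 << 32) |
           (desc->base0 | (desc->base1 << 16) | (desc->base2 << 24));
}

/* Fixed form: every field is widened to uint64_t before it is shifted, so no
 * intermediate value is ever a signed int. */
static uint64_t get_desc64_base_fixed(const struct desc64 *desc)
{
    return ((uint64_t)desc->base3 << 32) |
           ((uint64_t)desc->base0 | ((uint64_t)desc->base1 << 16) |
            ((uint64_t)desc->base2 << 24));
}

/* Hypothetical helper: scatter a full 64-bit base into the descriptor. */
static struct desc64 desc_from_base(uint64_t base)
{
    struct desc64 d = {
        .base0 = (uint16_t)(base & 0xffff),
        .base1 = (uint8_t)((base >> 16) & 0xff),
        .base2 = (uint8_t)((base >> 24) & 0xff),
        .base3 = (uint32_t)(base >> 32),
    };
    return d;
}

/* Hypothetical self-check: true when the buggy helper mangles this base. */
static bool base_is_corrupted(uint64_t base)
{
    struct desc64 d = desc_from_base(base);
    return get_desc64_base_buggy(&d) != get_desc64_base_fixed(&d);
}
```

A base with bit 31 clear (for example `0xffff88007f561234`) passes through both versions unchanged; a base with bit 31 set (`0xffff880080561234`) is returned by the buggy version with its upper half replaced by `0xffffffff`, which is exactly the wrong HOST_TR_BASE the post describes.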
Table of contents

Intro
x86 Task State Segment (TSS)
Why do hypervisors care?
Symptoms
The quest
The smoking gun
The Kernel patch
Outro