Diffstat (limited to 'src/VBox/VMM/VMMR0/HMVMXR0.cpp')
-rw-r--r--src/VBox/VMM/VMMR0/HMVMXR0.cpp21
1 files changed, 14 insertions, 7 deletions
diff --git a/src/VBox/VMM/VMMR0/HMVMXR0.cpp b/src/VBox/VMM/VMMR0/HMVMXR0.cpp
index 26b6252e..0bb3b490 100644
--- a/src/VBox/VMM/VMMR0/HMVMXR0.cpp
+++ b/src/VBox/VMM/VMMR0/HMVMXR0.cpp
@@ -382,13 +382,20 @@ static void hmR0VmxLazyLoadGuestMsrs(PVMCPUCC pVCpu)
}
else
{
- ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pCtx->msrKERNELGSBASE);
- ASMWrMsr(MSR_K8_LSTAR, pCtx->msrLSTAR);
- ASMWrMsr(MSR_K6_STAR, pCtx->msrSTAR);
- /* The system call flag mask register isn't as benign and accepting of all
- values as the above, so mask it to avoid #GP'ing on corrupted input. */
- Assert(!(pCtx->msrSFMASK & ~(uint64_t)UINT32_MAX));
- ASMWrMsr(MSR_K8_SF_MASK, pCtx->msrSFMASK & UINT32_MAX);
+ /* Avoid raising #GP caused by writing illegal values to these MSRs. */
+ if ( X86_IS_CANONICAL(pCtx->msrKERNELGSBASE)
+ && X86_IS_CANONICAL(pCtx->msrLSTAR))
+ {
+ ASMWrMsr(MSR_K8_KERNEL_GS_BASE, pCtx->msrKERNELGSBASE);
+ ASMWrMsr(MSR_K8_LSTAR, pCtx->msrLSTAR);
+ ASMWrMsr(MSR_K6_STAR, pCtx->msrSTAR);
+ /* The system call flag mask register isn't as benign and accepting of all
+ values as the above, so mask it to avoid #GP'ing on corrupted input. */
+ Assert(!(pCtx->msrSFMASK & ~(uint64_t)UINT32_MAX));
+ ASMWrMsr(MSR_K8_SF_MASK, pCtx->msrSFMASK & UINT32_MAX);
+ }
+ else
+ AssertMsgFailed(("Incompatible lazily-loaded guest MSR values\n"));
}
}
pVCpu->hmr0.s.vmx.fLazyMsrs |= VMX_LAZY_MSRS_LOADED_GUEST;
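Review bot: The new `else` branch skips all four MSR writes, yet the line after the closing brace still sets `VMX_LAZY_MSRS_LOADED_GUEST`, so on a non-canonical `msrKERNELGSBASE`/`msrLSTAR` the CPU keeps the host's KERNEL_GS_BASE, LSTAR, STAR and SF_MASK values while the lazy-MSR state claims the guest values are loaded; in a release build `AssertMsgFailed` compiles to nothing, so this happens silently and the guest would run with host MSR contents. The canonical check only concerns the two base-address registers, so STAR and SF_MASK could still be written on that path, and the genuinely invalid case should be surfaced to the caller (or to the guest as a fault) rather than marked as loaded; at minimum a comment at the `else` should state the chosen behaviour, e.g. `/* NOTE: host values remain in these MSRs on this path even though fLazyMsrs will mark them as loaded. */`. The function `hmR0VmxLazyLoadGuestMsrs` begins before this hunk and its `if`/`else` structure above the changed lines is not visible here, so where the validation is best placed (possibly at the point the values enter `pCtx`) cannot be judged from the hunk alone.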