Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3f6f1480 authored by Nadav Amit's avatar Nadav Amit Committed by Paolo Bonzini
Browse files

KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag 



The decode phase of the x86 emulator assumes that every instruction with the
ModRM flag, and which can be used with RIP-relative addressing, has either
SrcMem or DstMem.  This is not the case for several instructions - prefetch,
hint-nop and clflush.

Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush.

This fixes CVE-2014-8480.

Fixes: 41061cdb
Cc: stable@vger.kernel.org
Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 13e457e0

arch/x86/kvm/emulate.c

+4 −3
Original line number Diff line number Diff line
@@ -3807,7 +3807,7 @@ static const struct opcode group11[] = { 
};



static const struct gprefix pfx_0f_ae_7 = {

	I(0, em_clflush), N, N, N,

	I(SrcMem | ByteOp, em_clflush), N, N, N,

};



static const struct group_dual group15 = { {
@@ -4024,10 +4024,11 @@ static const struct opcode twobyte_table[256] = { 
	N, I(ImplicitOps | EmulateOnUD, em_syscall),

	II(ImplicitOps | Priv, em_clts, clts), N,

	DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,

	N, D(ImplicitOps | ModRM), N, N,

	N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,

	/* 0x10 - 0x1F */

	N, N, N, N, N, N, N, N,

	D(ImplicitOps | ModRM), N, N, N, N, N, N, D(ImplicitOps | ModRM),

	D(ImplicitOps | ModRM | SrcMem | NoAccess),

	N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),

	/* 0x20 - 0x2F */

	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),

	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),