Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 512d5649 authored by Avi Kivity's avatar Avi Kivity Committed by Marcelo Tosatti
Browse files

KVM: VMX: Fix %ds/%es clobber 



The vmx exit code unconditionally restores %ds and %es to __USER_DS.  This
can override the user's values, since %ds and %es are not saved and restored
in x86_64 syscalls.  In practice, this isn't dangerous since nobody uses
segment registers in long mode, least of all programs that use KVM.

Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
parent d54e4237

arch/x86/kvm/vmx.c

+5 −1
Original line number Diff line number Diff line
@@ -6102,7 +6102,10 @@ static void atomic_switch_perf_msrs(struct vcpu_vmx *vmx) 
static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)

{

	struct vcpu_vmx *vmx = to_vmx(vcpu);

	u16 _ds, _es;



	savesegment(ds, _ds);

	savesegment(es, _es);

	if (is_guest_mode(vcpu) && !vmx->nested.nested_run_pending) {

		struct vmcs12 *vmcs12 = get_vmcs12(vcpu);

		if (vmcs12->idt_vectoring_info_field &
@@ -6263,7 +6266,8 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu) 
		}

	}



	asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));

	loadsegment(ds, _ds);

	loadsegment(es, _es);

	vmx->loaded_vmcs->launched = 1;



	vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);