Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3313bc4e authored by Nadav Amit's avatar Nadav Amit Committed by Paolo Bonzini
Browse files

KVM: x86: pop sreg accesses only 2 bytes 



Although pop sreg updates RSP according to the operand size, only 2 bytes are
read.  The current behavior may result in incorrect #GP or #PF exceptions.

Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent fa4a2c08

arch/x86/kvm/emulate.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -1828,12 +1828,14 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) 
	unsigned long selector;

	unsigned long selector;

	int rc;

	int rc;





	rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);

	rc = emulate_pop(ctxt, &selector, 2);

	if (rc != X86EMUL_CONTINUE)

	if (rc != X86EMUL_CONTINUE)

		return rc;

		return rc;





	if (ctxt->modrm_reg == VCPU_SREG_SS)

	if (ctxt->modrm_reg == VCPU_SREG_SS)

		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;

	if (ctxt->op_bytes > 2)

		rsp_increment(ctxt, ctxt->op_bytes - 2);





	rc = load_segment_descriptor(ctxt, (u16)selector, seg);

	rc = load_segment_descriptor(ctxt, (u16)selector, seg);

	return rc;

	return rc;