diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-23 08:54:14 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-24 07:30:35 -0400 |
| commit | a430c9166312e1aa3d80bce32374233bdbfeba32 (patch) | |
| tree | 33b03640ee6fa653470485c4e7691e0ea7fe3004 /arch/x86/kvm | |
| parent | 08da44aedba0f493e10695fa334348a7a4f72eb3 (diff) | |
KVM: emulate: avoid accessing NULL ctxt->memopp
A failure to decode the instruction can cause a NULL pointer access.
This is fixed simply by moving the "done" label as close as possible
to the return.
This fixes CVE-2014-8481.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: stable@vger.kernel.org
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86/kvm')
| -rw-r--r-- | arch/x86/kvm/emulate.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 02c8ea804aaf..eb3b1c46f995 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c | |||
| @@ -4580,10 +4580,10 @@ done_prefixes: | |||
| 4580 | /* Decode and fetch the destination operand: register or memory. */ | 4580 | /* Decode and fetch the destination operand: register or memory. */ |
| 4581 | rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); | 4581 | rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); |
| 4582 | 4582 | ||
| 4583 | done: | ||
| 4584 | if (ctxt->rip_relative) | 4583 | if (ctxt->rip_relative) |
| 4585 | ctxt->memopp->addr.mem.ea += ctxt->_eip; | 4584 | ctxt->memopp->addr.mem.ea += ctxt->_eip; |
| 4586 | 4585 | ||
| 4586 | done: | ||
| 4587 | return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; | 4587 | return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; |
| 4588 | } | 4588 | } |
| 4589 | 4589 | ||