diff options
| author | Nadav Amit <namit@cs.technion.ac.il> | 2014-11-02 04:54:47 -0500 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-11-05 06:36:58 -0500 |
| commit | d29b9d7ed76c0b961603ca692b8a562556a20212 (patch) | |
| tree | 73703f51dcce80a433eb6e628f59258896e2319b /arch/x86 | |
| parent | bc79a3179a1da387d730af81ce857d481915efdb (diff) | |
KVM: x86: Fix uninitialized op->type for some immediate values
The emulator could reuse an op->type from a previous instruction for some
immediate values. If it mistakenly considers the operands as memory
operands, it will performs a memory read and overwrite op->val.
Consider for instance the ROR instruction - src2 (the number of times)
would be read from memory instead of being used as immediate.
Mark every immediate operand as such to avoid this problem.
Cc: stable@vger.kernel.org
Fixes: c44b4c6ab80eef3a9c52c7b3f0c632942e6489aa
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86')
| -rw-r--r-- | arch/x86/kvm/emulate.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 5edf088ca51e..9f8a2faf5040 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c | |||
| @@ -4287,6 +4287,7 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, | |||
| 4287 | fetch_register_operand(op); | 4287 | fetch_register_operand(op); |
| 4288 | break; | 4288 | break; |
| 4289 | case OpCL: | 4289 | case OpCL: |
| 4290 | op->type = OP_IMM; | ||
| 4290 | op->bytes = 1; | 4291 | op->bytes = 1; |
| 4291 | op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff; | 4292 | op->val = reg_read(ctxt, VCPU_REGS_RCX) & 0xff; |
| 4292 | break; | 4293 | break; |
| @@ -4294,6 +4295,7 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, | |||
| 4294 | rc = decode_imm(ctxt, op, 1, true); | 4295 | rc = decode_imm(ctxt, op, 1, true); |
| 4295 | break; | 4296 | break; |
| 4296 | case OpOne: | 4297 | case OpOne: |
| 4298 | op->type = OP_IMM; | ||
| 4297 | op->bytes = 1; | 4299 | op->bytes = 1; |
| 4298 | op->val = 1; | 4300 | op->val = 1; |
| 4299 | break; | 4301 | break; |
| @@ -4352,21 +4354,27 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, | |||
| 4352 | ctxt->memop.bytes = ctxt->op_bytes + 2; | 4354 | ctxt->memop.bytes = ctxt->op_bytes + 2; |
| 4353 | goto mem_common; | 4355 | goto mem_common; |
| 4354 | case OpES: | 4356 | case OpES: |
| 4357 | op->type = OP_IMM; | ||
| 4355 | op->val = VCPU_SREG_ES; | 4358 | op->val = VCPU_SREG_ES; |
| 4356 | break; | 4359 | break; |
| 4357 | case OpCS: | 4360 | case OpCS: |
| 4361 | op->type = OP_IMM; | ||
| 4358 | op->val = VCPU_SREG_CS; | 4362 | op->val = VCPU_SREG_CS; |
| 4359 | break; | 4363 | break; |
| 4360 | case OpSS: | 4364 | case OpSS: |
| 4365 | op->type = OP_IMM; | ||
| 4361 | op->val = VCPU_SREG_SS; | 4366 | op->val = VCPU_SREG_SS; |
| 4362 | break; | 4367 | break; |
| 4363 | case OpDS: | 4368 | case OpDS: |
| 4369 | op->type = OP_IMM; | ||
| 4364 | op->val = VCPU_SREG_DS; | 4370 | op->val = VCPU_SREG_DS; |
| 4365 | break; | 4371 | break; |
| 4366 | case OpFS: | 4372 | case OpFS: |
| 4373 | op->type = OP_IMM; | ||
| 4367 | op->val = VCPU_SREG_FS; | 4374 | op->val = VCPU_SREG_FS; |
| 4368 | break; | 4375 | break; |
| 4369 | case OpGS: | 4376 | case OpGS: |
| 4377 | op->type = OP_IMM; | ||
| 4370 | op->val = VCPU_SREG_GS; | 4378 | op->val = VCPU_SREG_GS; |
| 4371 | break; | 4379 | break; |
| 4372 | case OpImplicit: | 4380 | case OpImplicit: |