diff options
| author | Nadav Amit <namit@cs.technion.ac.il> | 2014-12-24 19:52:17 -0500 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2015-01-08 16:48:04 -0500 |
| commit | 3313bc4ee83c4e2870d8e83800c6064b0d215679 (patch) | |
| tree | eda0f8afbeadc3fbb84290dc92949c9d678c137a /arch | |
| parent | fa4a2c080e37d362ae603f4ea157fe779bd85cb5 (diff) | |
KVM: x86: pop sreg accesses only 2 bytes
Although pop sreg updates RSP according to the operand size, only 2 bytes are
read. The current behavior may result in incorrect #GP or #PF exceptions.
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/x86/kvm/emulate.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index feaba468cce6..abe95d2e6848 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c | |||
| @@ -1828,12 +1828,14 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) | |||
| 1828 | unsigned long selector; | 1828 | unsigned long selector; |
| 1829 | int rc; | 1829 | int rc; |
| 1830 | 1830 | ||
| 1831 | rc = emulate_pop(ctxt, &selector, ctxt->op_bytes); | 1831 | rc = emulate_pop(ctxt, &selector, 2); |
| 1832 | if (rc != X86EMUL_CONTINUE) | 1832 | if (rc != X86EMUL_CONTINUE) |
| 1833 | return rc; | 1833 | return rc; |
| 1834 | 1834 | ||
| 1835 | if (ctxt->modrm_reg == VCPU_SREG_SS) | 1835 | if (ctxt->modrm_reg == VCPU_SREG_SS) |
| 1836 | ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS; | 1836 | ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS; |
| 1837 | if (ctxt->op_bytes > 2) | ||
| 1838 | rsp_increment(ctxt, ctxt->op_bytes - 2); | ||
| 1837 | 1839 | ||
| 1838 | rc = load_segment_descriptor(ctxt, (u16)selector, seg); | 1840 | rc = load_segment_descriptor(ctxt, (u16)selector, seg); |
| 1839 | return rc; | 1841 | return rc; |