2 files changed, 5 insertions, 2 deletions

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index b7ed2c423116..7c18e1230f54 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -129,7 +129,7 @@ struct decode_cache {
         u8 seg_override;
         unsigned int d;
         unsigned long regs[NR_VCPU_REGS];
-        unsigned long eip;
+        unsigned long eip, eip_orig;
         /* modrm */
         u8 modrm;
         u8 modrm_mod;
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index d226dff47d77..7e8faea4651e 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -622,6 +622,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt,
 {
         int rc = 0;
 
+        /* x86 instructions are limited to 15 bytes. */
+        if (eip + size - ctxt->decode.eip_orig > 15)
+                return X86EMUL_UNHANDLEABLE;
         eip += ctxt->cs_base;
         while (size--) {
                 rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
@@ -880,7 +883,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
         /* Shadow copy of register state. Committed on successful emulation. */
 
         memset(c, 0, sizeof(struct decode_cache));
-        c->eip = kvm_rip_read(ctxt->vcpu);
+        c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu);
         ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
         memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);