4ac9db0e26
- CVE-2014-3611 kvm: PIT timer race condition (rhbz 1144878 1156537) - CVE-2014-3646 kvm: vmx: invvpid vm exit not handled (rhbz 1144825 1156534) - CVE-2014-8369 kvm: excessive pages un-pinning in kvm_iommu_map error path (rhbz 1156518 1156522) - CVE-2014-8480 CVE-2014-8481 kvm: NULL pointer dereference during rip relative instruction emulation (rhbz 1156615 1156616)
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
Date: Fri, 24 Oct 2014 17:07:21 +0200
|
|
Subject: [PATCH] KVM: emulate: avoid accessing NULL ctxt->memopp
|
|
|
|
A failure to decode the instruction can cause a NULL pointer access.
|
|
This is fixed simply by moving the "done" label as close as possible
|
|
to the return.
|
|
|
|
This fixes CVE-2014-8481.
|
|
|
|
Reported-by: Andy Lutomirski <luto@amacapital.net>
|
|
Cc: stable@vger.kernel.org
|
|
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
|
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
---
|
|
arch/x86/kvm/emulate.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
|
index 02c8ea804aaf..eb3b1c46f995 100644
|
|
--- a/arch/x86/kvm/emulate.c
|
|
+++ b/arch/x86/kvm/emulate.c
|
|
@@ -4580,10 +4580,10 @@ done_prefixes:
|
|
/* Decode and fetch the destination operand: register or memory. */
|
|
rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
|
|
|
|
-done:
|
|
if (ctxt->rip_relative)
|
|
ctxt->memopp->addr.mem.ea += ctxt->_eip;
|
|
|
|
+done:
|
|
return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
|
|
}
|
|
|
|
--
|
|
1.9.3
|
|
|