ia64/xen-unstable

changeset 17254:2c2b442902e2

x86: check ModR/M mod bits for CR/DR access insns

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue Mar 18 16:02:36 2008 +0000 (2008-03-18)
parents bdaf721c3616
children 4b157affc08f
files xen/arch/x86/traps.c xen/arch/x86/x86_emulate.c
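--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1801,6 +1801,8 @@ static int emulate_privileged_op(struct
 
     case 0x20: /* MOV CR?,<reg> */
         opcode = insn_fetch(u8, code_base, eip, code_limit);
+        if ( opcode < 0xc0 )
+            goto fail;
         modrm_reg += ((opcode >> 3) & 7) + (lock << 3);
         modrm_rm  |= (opcode >> 0) & 7;
         reg = decode_register(modrm_rm, regs, 0);
@@ -1841,6 +1843,8 @@ static int emulate_privileged_op(struct
 
     case 0x21: /* MOV DR?,<reg> */
         opcode = insn_fetch(u8, code_base, eip, code_limit);
+        if ( opcode < 0xc0 )
+            goto fail;
         modrm_reg += ((opcode >> 3) & 7) + (lock << 3);
         modrm_rm  |= (opcode >> 0) & 7;
         reg = decode_register(modrm_rm, regs, 0);
@@ -1851,6 +1855,8 @@ static int emulate_privileged_op(struct
 
     case 0x22: /* MOV <reg>,CR? */
         opcode = insn_fetch(u8, code_base, eip, code_limit);
+        if ( opcode < 0xc0 )
+            goto fail;
         modrm_reg += ((opcode >> 3) & 7) + (lock << 3);
         modrm_rm  |= (opcode >> 0) & 7;
         reg = decode_register(modrm_rm, regs, 0);
@@ -1897,6 +1903,8 @@ static int emulate_privileged_op(struct
 
     case 0x23: /* MOV <reg>,DR? */
         opcode = insn_fetch(u8, code_base, eip, code_limit);
+        if ( opcode < 0xc0 )
+            goto fail;
         modrm_reg += ((opcode >> 3) & 7) + (lock << 3);
         modrm_rm  |= (opcode >> 0) & 7;
         reg = decode_register(modrm_rm, regs, 0);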
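Review bot: The guard `if ( opcode < 0xc0 ) goto fail;` is pasted verbatim into all four cases (0x20, 0x21, 0x22, 0x23) right after the ModR/M fetch, and the magic value 0xc0 is never explained at any of the four sites; a comment such as `/* MOV CR/DR has only a register form: reject mod != 3 (ModR/M byte < 0xc0) */` at each site, or a single shared check ahead of the switch arms, would keep the four copies from drifting. The x86_emulate.c half of this same changeset raises #UD for the identical encoding, whereas here `goto fail` lands in whatever emulate_privileged_op's failure path injects, which is not visible in the hunk; if that path does not deliver #UD, the two emulation paths disagree on the fault a guest sees for the same instruction and that is worth confirming. emulate_privileged_op and its enclosing switch start and end outside these hunks.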
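--- a/xen/arch/x86/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate.c
@@ -3219,8 +3219,8 @@ x86_emulate(
     case 0x21: /* mov dr,reg */
     case 0x22: /* mov reg,cr */
     case 0x23: /* mov reg,dr */
+        generate_exception_if(ea.type != OP_REG, EXC_UD, -1);
         generate_exception_if(!mode_ring0(), EXC_GP, 0);
-        modrm_rm  |= (rex_prefix & 1) << 3;
         modrm_reg |= lock_prefix << 3;
         if ( b & 2 )
         {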
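Review bot: The new `generate_exception_if(ea.type != OP_REG, EXC_UD, -1);` carries no comment saying why a memory operand is rejected, and it is the only place in this changeset where the rule is expressed through `ea.type` rather than the raw ModR/M byte; suggest `/* mod != 3 (memory form) is not a valid encoding for MOV CR/DR: #UD */` on that line. It is deliberately ordered before the `mode_ring0()` test, so a malformed encoding now faults with #UD even from ring 3 instead of #GP; that looks intentional for a decode-time fault, but a short comment would spare the next reader from re-deriving the exception priority. Dropping `modrm_rm |= (rex_prefix & 1) << 3;` presumably relies on the generic operand decoder already having folded REX.B into modrm_rm when ea.type is OP_REG, which cannot be confirmed from this hunk. x86_emulate continues outside the hunk.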