]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bbf1b2b)
x86emul: fully ignore segment override for register-only operations
authorJan Beulich <jbeulich@suse.com>
Tue, 10 Mar 2015 13:00:22 +0000 (14:00 +0100)
committerJan Beulich <jbeulich@suse.com>
Tue, 10 Mar 2015 13:00:22 +0000 (14:00 +0100)
For ModRM encoded instructions with register operands we must not
overwrite ea.mem.seg (if a - bogus in that case - segment override was
present) as it aliases with ea.reg.

This is CVE-2015-2151 / XSA-123.

Reported-by: Felix Wilhelm <fwilhelm@ernw.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Keir Fraser <keir@xen.org>
master commit: bcf92a5382b75fd964c1f8678b2d9a3abe6dec39
master date: 2015-03-10 13:45:51 +0100

xen/arch/x86/x86_emulate/x86_emulate.c patch | blob | blame | history

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 6480a2764a2cf3b21435216438c27f6ae3f6e6b9..0bad3f05633bf553019833b93e334ddabf3a2e7b 100644 (file)
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1640,7 +1640,7 @@ x86_emulate(
         }
     }
 
-    if ( override_seg != -1 )
+    if ( override_seg != -1 && ea.type == OP_MEM )
         ea.mem.seg = override_seg;
 
     /* Decode and fetch the source operand: register, memory or immediate. */
Xen (staging and unstable) mirror