| From a430c9166312e1aa3d80bce32374233bdbfeba32 Mon Sep 17 00:00:00 2001 |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| Date: Thu, 23 Oct 2014 14:54:14 +0200 |
| Subject: KVM: emulate: avoid accessing NULL ctxt->memopp |
| |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| |
| commit a430c9166312e1aa3d80bce32374233bdbfeba32 upstream. |
| |
| A failure to decode the instruction can cause a NULL pointer access. |
| This is fixed simply by moving the "done" label as close as possible |
| to the return. |
| |
| This fixes CVE-2014-8481. |
| |
| Reported-by: Andy Lutomirski <luto@amacapital.net> |
| Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/emulate.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/arch/x86/kvm/emulate.c |
| +++ b/arch/x86/kvm/emulate.c |
| @@ -4481,10 +4481,10 @@ done_prefixes: |
| /* Decode and fetch the destination operand: register or memory. */ |
| rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); |
| |
| -done: |
| if (ctxt->rip_relative) |
| ctxt->memopp->addr.mem.ea += ctxt->_eip; |
| |
| +done: |
| return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; |
| } |
| |
