KVM: x86: Emulator fixes for eip canonical checks on near branches
authorNadav Amit <namit@cs.technion.ac.il>
Thu, 18 Sep 2014 19:39:38 +0000 (22:39 +0300)
committerPaolo Bonzini <pbonzini@redhat.com>
Fri, 24 Oct 2014 11:21:16 +0000 (13:21 +0200)
commit234f3ce485d54017f15cf5e0699cff4100121601
tree62918ccdcac761cf86db931110482b089c905abb
parent05c83ec9b73c8124555b706f6af777b10adf0862
KVM: x86: Emulator fixes for eip canonical checks on near branches

Before changing rip (during jmp, call, ret, etc.) the target should be asserted
to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
should be canonical. If any of these values is noncanonical, a #GP exception
should occur.  The exception to this rule are syscall and sysenter instructions
in which the assigned rip is checked during the assignment to the relevant
MSRs.

This patch fixes the emulator to behave as real CPUs do for near branches.
Far branches are handled by the next patch.

This fixes CVE-2014-3647.

Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/emulate.c