KVM: x86: pop sreg accesses only 2 bytes
authorNadav Amit <namit@cs.technion.ac.il>
Thu, 25 Dec 2014 00:52:17 +0000 (02:52 +0200)
committerPaolo Bonzini <pbonzini@redhat.com>
Thu, 8 Jan 2015 21:48:04 +0000 (22:48 +0100)
Although pop sreg updates RSP according to the operand size, only 2 bytes are
read.  The current behavior may result in incorrect #GP or #PF exceptions.

Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/emulate.c

index feaba468cce624ed2ce511b9c72fdc8cb6592f40..abe95d2e6848b9014dc6e845e213a254d5957e3a 100644 (file)
@@ -1828,12 +1828,14 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
        unsigned long selector;
        int rc;
 
-       rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
+       rc = emulate_pop(ctxt, &selector, 2);
        if (rc != X86EMUL_CONTINUE)
                return rc;
 
        if (ctxt->modrm_reg == VCPU_SREG_SS)
                ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
+       if (ctxt->op_bytes > 2)
+               rsp_increment(ctxt, ctxt->op_bytes - 2);
 
        rc = load_segment_descriptor(ctxt, (u16)selector, seg);
        return rc;
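Review bot: With the pop length now fixed at 2, `selector` is declared `unsigned long` but only its low two bytes are written by `emulate_pop()` (assuming it fills exactly `len` bytes of its destination, which its use here suggests), so the upper bytes hold uninitialized stack and the code relies on the later `(u16)selector` cast to discard them. Declaring the variable to match what is actually read makes that explicit and avoids tools flagging a partially initialized read: `u16 selector;` at the top of the block, with the cast in the `load_segment_descriptor()` call then redundant. As a smaller point of style, the new `rsp_increment(ctxt, ctxt->op_bytes - 2)` adjustment would read more naturally directly after the successful pop, keeping the stack bookkeeping together and separate from the MOV SS interruptibility update. em_pop_sreg's signature is in the hunk header and its body continues past the last line shown.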