diff options
author | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-23 14:54:14 +0200 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-10-24 13:30:35 +0200 |
commit | a430c9166312e1aa3d80bce32374233bdbfeba32 (patch) | |
tree | 33b03640ee6fa653470485c4e7691e0ea7fe3004 | |
parent | 08da44aedba0f493e10695fa334348a7a4f72eb3 (diff) | |
download | linux-a430c9166312e1aa3d80bce32374233bdbfeba32.tar.bz2 |
KVM: emulate: avoid accessing NULL ctxt->memopp
A failure to decode the instruction can cause a NULL pointer access.
This is fixed simply by moving the "done" label as close as possible
to the return.
This fixes CVE-2014-8481.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: stable@vger.kernel.org
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r-- | arch/x86/kvm/emulate.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 02c8ea804aaf..eb3b1c46f995 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -4580,10 +4580,10 @@ done_prefixes: /* Decode and fetch the destination operand: register or memory. */ rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); -done: if (ctxt->rip_relative) ctxt->memopp->addr.mem.ea += ctxt->_eip; +done: return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK; } |