Commit 08da44aedba0f493e10695fa334348a7a4f72eb3
Committed by Paolo Bonzini
1 parent 2bc19dc375
Exists in ti-lsk-linux-4.1.y and in 10 other branches
KVM: x86: Decoding guest instructions which cross page boundary may fail
Once an instruction crosses a page boundary, the size read from the second page disregards the common case that part of the operand resides on the first page. As a result, fetch of long instructions may fail, and thereby cause the decoding to fail as well.

Cc: stable@vger.kernel.org
Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Showing 1 changed file with 4 additions and 2 deletions
arch/x86/kvm/emulate.c
... | ... | @@ -778,8 +778,10 @@ |
778 | 778 | static __always_inline int do_insn_fetch_bytes(struct x86_emulate_ctxt *ctxt, |
779 | 779 | unsigned size) |
780 | 780 | { |
781 | - if (unlikely(ctxt->fetch.end - ctxt->fetch.ptr < size)) | |
782 | - return __do_insn_fetch_bytes(ctxt, size); | |
781 | + unsigned done_size = ctxt->fetch.end - ctxt->fetch.ptr; | |
782 | + | |
783 | + if (unlikely(done_size < size)) | |
784 | + return __do_insn_fetch_bytes(ctxt, size - done_size); | |
783 | 785 | else |
784 | 786 | return X86EMUL_CONTINUE; |
785 | 787 | } |
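Review bot: the name `done_size` reads as "bytes already consumed", but what it holds is the number of bytes already buffered ahead of `ctxt->fetch.ptr` (`ctxt->fetch.end - ctxt->fetch.ptr`); a name such as `avail` or `buffered` would say that, and a one-line comment above the `if` should state why only the shortfall is requested: the part of the instruction that sits on the first page is already in the buffer, so asking for the full `size` again is what made cross-page fetches of long instructions fail. Note also that the fix is only correct if `__do_insn_fetch_bytes()` appends the requested `size - done_size` bytes at `ctxt->fetch.end` rather than restarting the fetch at `ctxt->fetch.ptr`; that callee is not shown in this hunk, so the comment is the place to record that assumption.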