KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag

The decode phase of the x86 emulator assumes that every instruction with the ModRM flag, and which can be used with RIP-relative addressing, has either SrcMem or DstMem. This is not the case for several instructions - prefetch, hint-nop and clflush. Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush. This fixes CVE-2014-8480. Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag
The decode phase of the x86 emulator assumes that every instruction with the ModRM flag, and which can be used with RIP-relative addressing, has either SrcMem or DstMem. This is not the case for several instructions - prefetch, hint-nop and clflush. Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush. This fixes CVE-2014-8480. Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 Cc: stable@vger.kernel.org Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Nadav Amit · Paolo Bonzini
1 parent 13e457e0ee
Showing 1 changed file with 4 additions and 3 deletions Side-by-side Diff
arch/x86/kvm/emulate.c
@@ -3807,7 +3807,7 @@
 };
  
 static const struct gprefix pfx_0f_ae_7 = {
-	I(0, em_clflush), N, N, N,
+	I(SrcMem | ByteOp, em_clflush), N, N, N,
 };
  
 static const struct group_dual group15 = { {
  
@@ -4024,10 +4024,11 @@
 	N, I(ImplicitOps | EmulateOnUD, em_syscall),
 	II(ImplicitOps | Priv, em_clts, clts), N,
 	DI(ImplicitOps | Priv, invd), DI(ImplicitOps | Priv, wbinvd), N, N,
-	N, D(ImplicitOps | ModRM), N, N,
+	N, D(ImplicitOps | ModRM | SrcMem | NoAccess), N, N,
 	/* 0x10 - 0x1F */
 	N, N, N, N, N, N, N, N,
-	D(ImplicitOps | ModRM), N, N, N, N, N, N, D(ImplicitOps | ModRM),
+	D(ImplicitOps | ModRM | SrcMem | NoAccess),
+	N, N, N, N, N, N, D(ImplicitOps | ModRM | SrcMem | NoAccess),
 	/* 0x20 - 0x2F */
 	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, cr_read, check_cr_read),
 	DIP(ModRM | DstMem | Priv | Op3264 | NoMod, dr_read, check_dr_read),
...	...	@@ -3807,7 +3807,7 @@
3807	3807	};
3808	3808
3809	3809	static const struct gprefix pfx_0f_ae_7 = {
3810		- I(0, em_clflush), N, N, N,
	3810	+ I(SrcMem \| ByteOp, em_clflush), N, N, N,
3811	3811	};
3812	3812
3813	3813	static const struct group_dual group15 = { {
3814	3814
...	...	@@ -4024,10 +4024,11 @@
4024	4024	N, I(ImplicitOps \| EmulateOnUD, em_syscall),
4025	4025	II(ImplicitOps \| Priv, em_clts, clts), N,
4026	4026	DI(ImplicitOps \| Priv, invd), DI(ImplicitOps \| Priv, wbinvd), N, N,
4027		- N, D(ImplicitOps \| ModRM), N, N,
	4027	+ N, D(ImplicitOps \| ModRM \| SrcMem \| NoAccess), N, N,
4028	4028	/* 0x10 - 0x1F */
4029	4029	N, N, N, N, N, N, N, N,
4030		- D(ImplicitOps \| ModRM), N, N, N, N, N, N, D(ImplicitOps \| ModRM),
	4030	+ D(ImplicitOps \| ModRM \| SrcMem \| NoAccess),
	4031	+ N, N, N, N, N, N, D(ImplicitOps \| ModRM \| SrcMem \| NoAccess),
4031	4032	/* 0x20 - 0x2F */
4032	4033	DIP(ModRM \| DstMem \| Priv \| Op3264 \| NoMod, cr_read, check_cr_read),
4033	4034	DIP(ModRM \| DstMem \| Priv \| Op3264 \| NoMod, dr_read, check_dr_read),