85165d8b92
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts bump PKGREVISION
39 lines
1.3 KiB
Text
39 lines
1.3 KiB
Text
$NetBSD: patch-CVE-2014-7155,v 1.1 2014/09/26 10:45:00 bouyer Exp $
|
|
|
|
x86/emulate: check cpl for all privileged instructions
|
|
|
|
Without this, it is possible for userspace to load its own IDT or GDT.
|
|
|
|
This is XSA-105.
|
|
|
|
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
Tested-by: Andrei LUTAS <vlutas@bitdefender.com>
|
|
|
|
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
|
|
+++ xen/arch/x86/x86_emulate/x86_emulate.c
|
|
@@ -3314,6 +3314,7 @@ x86_emulate(
|
|
goto swint;
|
|
|
|
case 0xf4: /* hlt */
|
|
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
|
|
ctxt->retire.flags.hlt = 1;
|
|
break;
|
|
|
|
@@ -3710,6 +3711,7 @@ x86_emulate(
|
|
break;
|
|
case 2: /* lgdt */
|
|
case 3: /* lidt */
|
|
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
|
|
generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
|
|
fail_if(ops->write_segment == NULL);
|
|
memset(®, 0, sizeof(reg));
|
|
@@ -3738,6 +3740,7 @@ x86_emulate(
|
|
case 6: /* lmsw */
|
|
fail_if(ops->read_cr == NULL);
|
|
fail_if(ops->write_cr == NULL);
|
|
+ generate_exception_if(!mode_ring0(), EXC_GP, 0);
|
|
if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
|
|
goto done;
|
|
if ( ea.type == OP_REG )
|