85165d8b92
XSA-104 (CVE-2014-7154) - Race condition in HVMOP_track_dirty_vram
XSA-105 (CVE-2014-7155) - Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
XSA-106 (CVE-2014-7156) - Missing privilege level checks in x86 emulation of software interrupts
bump PKGREVISION
25 lines
992 B
Text
$NetBSD: patch-CVE-2014-7156,v 1.1 2014/09/26 10:45:00 bouyer Exp $
x86emul: only emulate software interrupt injection for real mode
Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.
This is XSA-106.
Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig
+++ xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
case 0xcd: /* int imm8 */
src.val = insn_fetch_type(uint8_t);
swint:
+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
fail_if(ops->inject_sw_interrupt == NULL);
rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
ctxt) ? : X86EMUL_EXCEPTION;
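
Review bot: The new `fail_if(!in_realmode(ctxt, ops))` at the shared `swint:` label only closes the gap if every emulation path that calls `ops->inject_sw_interrupt` arrives through that label. The hunk shows just the `0xcd` (int imm8) case, while the description speaks of "any of the respective instructions", so please confirm that no other opcode handler reaches the hook without passing this check. The `/* XSA-106 */` comment names the advisory but not the reason; a one-line comment saying that protected-mode injection is refused because the referenced IDT entry's privilege is not checked would keep the guard from being dropped if the emulator later gains a protected-mode path. The check also runs after `insn_fetch_type(uint8_t)` has consumed the immediate, which is harmless if a failed emulation discards the decoded state, but that is worth stating since it is not visible in these lines.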