[x86] kvm: Check memopp before dereference (CVE-2016-8630)
parent
790f2d1ab5
commit
d99e060fe3
|
@ -122,6 +122,9 @@ linux (4.8.6-1) UNRELEASED; urgency=medium
|
|||
* cpupower: Fix checks for CPU existence (Closes: #843071)
|
||||
* perf: Disable use of libcrypto (Closes: #843199)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* [x86] kvm: Check memopp before dereference (CVE-2016-8630)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 02 Nov 2016 12:01:42 -0600
|
||||
|
||||
linux (4.8.5-1) unstable; urgency=medium
|
||||
|
|
34
debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From: Owen Hofmann <osh@google.com>
|
||||
Date: Thu, 27 Oct 2016 11:25:52 -0700
|
||||
Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630)
|
||||
Origin: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e
|
||||
|
||||
Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a
|
||||
check for non-NULL under incorrect assumptions. An undefined instruction
|
||||
with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt
|
||||
to dereference a null pointer here.
|
||||
|
||||
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
|
||||
Message-Id: <1477592752-126650-2-git-send-email-osh@google.com>
|
||||
Signed-off-by: Owen Hofmann <osh@google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
arch/x86/kvm/emulate.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
|
||||
index 4e95d3e..cbd7b92 100644
|
||||
--- a/arch/x86/kvm/emulate.c
|
||||
+++ b/arch/x86/kvm/emulate.c
|
||||
@@ -5045,7 +5045,7 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
|
||||
/* Decode and fetch the destination operand: register or memory. */
|
||||
rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
|
||||
|
||||
- if (ctxt->rip_relative)
|
||||
+ if (ctxt->rip_relative && likely(ctxt->memopp))
|
||||
ctxt->memopp->addr.mem.ea = address_mask(ctxt,
|
||||
ctxt->memopp->addr.mem.ea + ctxt->_eip);
|
||||
|
||||
--
|
||||
2.10.2
|
||||
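Review bot: The guard added in the embedded emulate.c hunk, `if (ctxt->rip_relative && likely(ctxt->memopp))`, has no comment saying why memopp can be NULL while rip_relative is set, and per the patch description this same check was already removed once on the assumption that it could not be. I would add a comment above it, for example `/* memopp stays NULL when ModRM decoding set rip_relative but no operand is a memory operand (e.g. an undefined opcode); skip the RIP fixup */`, so a later cleanup does not drop the check again. x86_decode_insn starts and ends outside the hunk, so how rc from decode_operand is handled after this point cannot be seen here. Separately, the patch file name ends in `CVE-2016-863`, which drops the last digit of the id, so a search of debian/patches for CVE-2016-8630 will not match the file name.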
|
|
@ -96,6 +96,7 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/net-add-recursion-limit-to-gro.patch
|
||||
bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch
|
||||
bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
||||
|
|