[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] x86emul: fix huge bit offset handling

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Fri, 25 Nov 2016 11:22:42 +0000
Delivery-date: Fri, 25 Nov 2016 11:22:52 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 1c6c2d60d205f71ede0fbbd9047e459112f576db
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Nov 22 13:49:06 2016 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Nov 22 13:49:06 2016 +0100

    x86emul: fix huge bit offset handling
    
    We must never chop off the high 32 bits.
    
    This is CVE-2016-9383 / XSA-195.
    
    Reported-by: George Dunlap <george.dunlap@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c 
b/xen/arch/x86/x86_emulate/x86_emulate.c
index f9cdb63..90add39 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2537,6 +2537,12 @@ x86_emulate(
         else
         {
             /*
+             * Instructions such as bt can reference an arbitrary offset from
+             * their memory operand, but the instruction doing the actual
+             * emulation needs the appropriate op_bytes read from memory.
+             * Adjust both the source register and memory operand to make an
+             * equivalent instruction.
+             *
              * EA       += BitOffset DIV op_bytes*8
              * BitOffset = BitOffset MOD op_bytes*8
              * DIV truncates towards negative infinity.
@@ -2548,14 +2554,15 @@ x86_emulate(
                 src.val = (int32_t)src.val;
             if ( (long)src.val < 0 )
             {
-                unsigned long byte_offset;
-                byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
+                unsigned long byte_offset =
+                    op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
+
                 ea.mem.off -= byte_offset;
                 src.val = (byte_offset << 3) + src.val;
             }
             else
             {
-                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
+                ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
                 src.val &= (op_bytes << 3) - 1;
             }
         }
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

Prev by Date: [Xen-changelog] [xen master] libelf: fix stack memory leak when loading 32 bit symbol tables
Next by Date: [Xen-changelog] [xen master] x86/emul: correct the IDT entry calculation in inject_swint()
Previous by thread: [Xen-changelog] [xen master] libelf: fix stack memory leak when loading 32 bit symbol tables
Next by thread: [Xen-changelog] [xen master] x86/emul: correct the IDT entry calculation in inject_swint()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.