    KVM: x86: Emulator fixes for eip canonical checks on near branches · 234f3ce4
    Nadav Amit authored
    Before changing rip (during jmp, call, ret, etc.) the target should be asserted
    to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
    should be canonical. If any of these values is noncanonical, a #GP exception
    should occur.  The exception to this rule are syscall and sysenter instructions
    in which the assigned rip is checked during the assignment to the relevant
    This patch fixes the emulator to behave as real CPUs do for near branches.
    Far branches are handled by the next patch.
    This fixes CVE-2014-3647.
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
emulate.c 127 KB