mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-01-07 17:52:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/main/xen/xsa195.patch
Natanael Copa 64afb5ab10 main/xen: fix various security issues 
- XSA-198 CVE-2016-9379 CVE-2016-9380
  delimiter injection vulnerabilities in pygrub

- XSA-197 CVE-2016-9381
  qemu incautious about shared ring processing

- XSA-196 CVE-2016-9377 CVE-2016-9378
  x86 software interrupt injection mis-handled

- XSA-195 CVE-2016-9383
  x86 64-bit bit test instruction emulation broken

- XSA-194 CVE-2016-9384
  guest 32-bit ELF symbol table load leaking host data

- XSA-193 CVE-2016-9385
  x86 segment base write emulation lacking canonical address checks

- XSA-192 CVE-2016-9382
  x86 task switch to VM86 mode mis-handled

- XSA-191 CVE-2016-9386
  x86 null segments not always treated as unusable

fixes #6495
2016-11-25 17:00:23 +00:00

46 lines
1.7 KiB
Diff
Raw Blame History

From: Jan Beulich <jbeulich@suse.com>
Subject: x86emul: fix huge bit offset handling
We must never chop off the high 32 bits.
This is XSA-195.
Reported-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2549,6 +2549,12 @@ x86_emulate(
else
{
/*
+ * Instructions such as bt can reference an arbitrary offset from
+ * their memory operand, but the instruction doing the actual
+ * emulation needs the appropriate op_bytes read from memory.
+ * Adjust both the source register and memory operand to make an
+ * equivalent instruction.
+ *
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
@@ -2560,14 +2566,15 @@ x86_emulate(
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
- unsigned long byte_offset;
- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
+ unsigned long byte_offset =
+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
+
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
src.val &= (op_bytes << 3) - 1;
}
}
Reference in New Issue View Git Blame Copy Permalink