From: Jan Beulich Date: Tue, 10 Mar 2015 12:45:51 +0000 (+0100) Subject: x86emul: fully ignore segment override for register-only operations X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~3650 X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/success//%22http:/www.example.com/cgi/success/?a=commitdiff_plain;h=bcf92a5382b75fd964c1f8678b2d9a3abe6dec39;p=xen.git x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. Reported-by: Felix Wilhelm Signed-off-by: Jan Beulich Reviewed-by: Tim Deegan Reviewed-by: Keir Fraser --- diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c index 5e9e0403c7..0c73695fc1 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -1757,7 +1757,7 @@ x86_emulate( } } - if ( override_seg != -1 ) + if ( override_seg != -1 && ea.type == OP_MEM ) ea.mem.seg = override_seg; /* Early operand adjustments. */
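Review bot: the guard added at `if ( override_seg != -1 && ea.type == OP_MEM )` is the right fix, because `ea.mem.seg` shares storage with `ea.reg` whenever the ModRM operand decodes to a register, so the old unconditional `ea.mem.seg = override_seg;` let a guest-supplied segment prefix overwrite the register pointer; a one-line comment at that site stating the aliasing would help, since without it the extra condition reads as a redundant micro-optimisation and is easy to drop in a later cleanup. Silently dropping the prefix rather than raising a fault matches hardware, which ignores segment overrides on register-only forms. It would also be worth confirming that the other writes to `ea.mem.*` in the decode path are reached only after `ea.type` has been set to `OP_MEM`, as this hunk only covers the override store.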