From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 23 Sep 2014 12:33:50 +0000 (+0200)
Subject: x86emul: only emulate software interrupt injection for real mode
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~4357
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=346d4545569928b652c40c7815c1732676f8587c;p=xen.git

x86emul: only emulate software interrupt injection for real mode

Protected mode emulation currently lacks proper privilege checking of
the referenced IDT entry, and there's currently no legitimate way for
any of the respective instructions to reach the emulator when the guest
is in protected mode.

This is XSA-106.

Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
---

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 4810e6877c..5fbe0243fe 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
     case 0xcd: /* int imm8 */
         src.val = insn_fetch_type(uint8_t);
     swint:
+        fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
         fail_if(ops->inject_sw_interrupt == NULL);
         rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
                                       ctxt) ? : X86EMUL_EXCEPTION;