Commit 4ac5b423 authored by Michal Luczaj's avatar Michal Luczaj Committed by Paolo Bonzini
Browse files

KVM: x86: emulator: Fix illegal LEA handling 



The emulator mishandles LEA with register source operand. Even though such
LEA is illegal, it can be encoded and fed to CPU. In which case real
hardware throws #UD. The emulator, instead, returns address of
x86_emulate_ctxt._regs. This info leak hurts host's kASLR.

Tell the decoder that illegal LEA is not to be emulated.

Signed-off-by: default avatarMichal Luczaj <mhal@rbox.co>
Message-Id: <20220729134801.1120-1-mhal@rbox.co>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 2bc685e6

arch/x86/kvm/emulate.c

+5 −1
Original line number Diff line number Diff line
@@ -4578,6 +4578,10 @@ static const struct mode_dual mode_dual_63 = { 
	N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)

};



static const struct instr_dual instr_dual_8d = {

	D(DstReg | SrcMem | ModRM | NoAccess), N

};



static const struct opcode opcode_table[256] = {

	/* 0x00 - 0x07 */

	F6ALU(Lock, em_add),
@@ -4634,7 +4638,7 @@ static const struct opcode opcode_table[256] = { 
	I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),

	I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),

	I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),

	D(ModRM | SrcMem | NoAccess | DstReg),

	ID(0, &instr_dual_8d),

	I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),

	G(0, group1A),

	/* 0x90 - 0x97 */