From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 23 Oct 2014 12:54:14 +0000 (+0200)
Subject: KVM: emulate: avoid accessing NULL ctxt->memopp
X-Git-Tag: v3.17.3~197
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56f2b2e46c25cf5321bfde3c05ce8505fc1e9e1a;p=thirdparty%2Fkernel%2Fstable.git

KVM: emulate: avoid accessing NULL ctxt->memopp

commit a430c9166312e1aa3d80bce32374233bdbfeba32 upstream.

A failure to decode the instruction can cause a NULL pointer access.
This is fixed simply by moving the "done" label as close as possible
to the return.

This fixes CVE-2014-8481.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 41157106f548e..258b0d9349941 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4481,10 +4481,10 @@ done_prefixes:
 	/* Decode and fetch the destination operand: register or memory. */
 	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
 
-done:
 	if (ctxt->rip_relative)
 		ctxt->memopp->addr.mem.ea += ctxt->_eip;
 
+done:
 	return (rc != X86EMUL_CONTINUE) ? EMULATION_FAILED : EMULATION_OK;
 }