Diffstat (limited to 'main/xen/xsa106.patch')
-rw-r--r-- | main/xen/xsa106.patch | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/main/xen/xsa106.patch b/main/xen/xsa106.patch
new file mode 100644
index 0000000000..436724dbc1
--- /dev/null
+++ b/main/xen/xsa106.patch
@@ -0,0 +1,23 @@
+x86emul: only emulate software interrupt injection for real mode
+
+Protected mode emulation currently lacks proper privilege checking of
+the referenced IDT entry, and there's currently no legitimate way for
+any of the respective instructions to reach the emulator when the guest
+is in protected mode.
+
+This is XSA-106.
+
+Reported-by: Andrei LUTAS <vlutas@bitdefender.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -2634,6 +2634,7 @@ x86_emulate(
+ case 0xcd: /* int imm8 */
+ src.val = insn_fetch_type(uint8_t);
+ swint:
++ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
+ fail_if(ops->inject_sw_interrupt == NULL);
+ rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
+ ctxt) ? : X86EMUL_EXCEPTION; |
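Review bot: Nothing in this view shows that the new xsa106.patch is actually applied, because the diffstat is limited to this one file and the hunk only adds the patch to the tree. Before merging, confirm that the package's build recipe lists the file among its sources with a matching checksum and that the package release is bumped; otherwise the emulator still ships without the `fail_if(!in_realmode(ctxt, ops));` guard. Keep the file byte-identical to the patch attached to the upstream advisory, so it can be compared against the original when auditing the fix. The inner hunk places the guard at the shared `swint:` label, and the other paths that reach that label lie outside the visible context, so their coverage is inferred rather than shown here.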