hypervisor memory corruption due to x86 emulator flaw

Instructions with register operands ignore any segment override encoded for them. Due to an insufficiently conditional assignment, such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction.

Insufficiently conditional assignment: an instruction whose operands are all registers should never carry a segment override, so an override present there is bogus. Because the assignment does not check for this case, the bogus override corrupts a pointer, opening an unspecified attack vector with a chain of consequences following from the corrupted pointer.

lack of check (insufficient condition)



x86emul: fully ignore segment override for register-only operations

For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg.

--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1757,7 +1757,7 @@ x86_emulate(
-    if ( override_seg != -1 )
+    if ( override_seg != -1 && ea.type == OP_MEM )
         ea.mem.seg = override_seg;
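Review bot: the added `ea.type == OP_MEM` test is the right guard, but nothing at this site records why it is needed: `ea.mem.seg` shares a union with `ea.reg`, so assigning the override for a register operand overwrites the pointer through which the result is later stored. A one-line comment above `ea.mem.seg = override_seg;` stating that aliasing would keep a later refactor from relaxing the condition again. The bare `-1` meaning "no override" is also an unexplained magic value here; if the segment enum has a named "none" value, using it would read better.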

The patch simply completes the conditional assignment by excluding the case where the operands are registers only (ea.type != OP_MEM), so the override is only ever stored into a memory operand.
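To make the aliasing concrete, here is an added example (constructed for this note, not Xen's own code) that models the operand descriptor as a union of a register pointer and a segment/offset pair, as the commit message describes, and runs the pre-fix and post-fix assignment side by side. The struct, enum and register names (struct operand, SEG_FS, select_reg, emulate_reg_write, demo_regs) are simplifications assumed for the demo; the real struct has more fields. The write-back stage is guarded with a bounds check purely so the clobbered pointer is reported instead of dereferenced, whereas the hypervisor performs that store unconditionally.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the emulator's operand descriptor: the essential
 * property is that the OP_REG pointer and the OP_MEM segment share storage. */
enum op_type { OP_NONE, OP_REG, OP_MEM };
enum seg { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_NONE = -1 };

struct operand {
    enum op_type type;
    union {
        unsigned long *reg;                               /* OP_REG: register slot */
        struct { enum seg seg; unsigned long off; } mem;  /* OP_MEM: seg:off       */
    };
};

struct cpu_regs { unsigned long eax, ecx, edx, ebx; };
static struct cpu_regs demo_regs;   /* register file used by the demo and its checks */

/* ModRM.rm selects the register operand (only the low two bits matter here). */
static unsigned long *select_reg(struct cpu_regs *regs, unsigned int rm)
{
    switch (rm & 3) {
    case 0:  return &regs->eax;
    case 1:  return &regs->ecx;
    case 2:  return &regs->edx;
    default: return &regs->ebx;
    }
}

/* Decode one ModRM operand: mod == 3 is a register, anything else is memory. */
static void decode_modrm(struct operand *ea, unsigned int mod, unsigned int rm,
                         struct cpu_regs *regs)
{
    memset(ea, 0, sizeof *ea);
    if (mod == 3) {
        ea->type = OP_REG;
        ea->reg = select_reg(regs, rm);
    } else {
        ea->type = OP_MEM;
        ea->mem.seg = SEG_DS;   /* default segment */
        ea->mem.off = 0x1000;   /* constructed displacement */
    }
}

/* The override assignment as it was before the patch (fixed == 0) and after
 * it (fixed == 1). Pre-fix, an OP_REG operand gets an enum written into the
 * low bytes of ea->reg, because mem.seg and reg occupy the same storage. */
static void apply_override(struct operand *ea, enum seg override_seg, int fixed)
{
    if (override_seg != SEG_NONE && (!fixed || ea->type == OP_MEM))
        ea->mem.seg = override_seg;
}

/* Write-back stage. Returns -1 instead of storing when the register pointer
 * no longer lies inside the register file; the real emulator has no such
 * guard and writes to whatever address the clobbered pointer holds. */
static int store_reg_result(const struct operand *ea, struct cpu_regs *regs,
                            unsigned long value)
{
    uintptr_t p = (uintptr_t)ea->reg;
    uintptr_t lo = (uintptr_t)regs, hi = lo + sizeof *regs;

    if (ea->type != OP_REG || p < lo || p + sizeof *ea->reg > hi ||
        (p - lo) % sizeof *ea->reg != 0)
        return -1;
    *ea->reg = value;
    return 0;
}

/* Emulate "store VALUE into the register named by ModRM rm=RM" while an
 * (illegal for this form) segment override prefix is present. */
static int emulate_reg_write(int fixed, enum seg override_seg, unsigned int rm,
                             struct cpu_regs *regs, unsigned long value)
{
    struct operand ea;

    decode_modrm(&ea, 3, rm, regs);
    apply_override(&ea, override_seg, fixed);
    return store_reg_result(&ea, regs, value);
}

/* Memory operand: both variants must still honour a real override. */
static enum seg decoded_mem_seg(int fixed, enum seg override_seg, struct cpu_regs *regs)
{
    struct operand ea;

    decode_modrm(&ea, 0, 0, regs);
    apply_override(&ea, override_seg, fixed);
    return ea.mem.seg;
}

int main(void)
{
    int rc = emulate_reg_write(0, SEG_FS, 0, &demo_regs, 0x1234);
    printf("pre-fix,  FS override, reg operand: %s\n", rc ? "pointer clobbered, store refused" : "ok");
    rc = emulate_reg_write(1, SEG_FS, 0, &demo_regs, 0x1234);
    printf("post-fix, FS override, reg operand: %s, eax=%#lx\n", rc ? "refused" : "ok", demo_regs.eax);
    return 0;
}
```

The pre-fix path never reaches a valid register slot once an override is present, which is exactly the corrupted store the advisory describes; the post-fix path leaves the pointer untouched for register operands while still applying the override to memory operands.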


A malicious guest might be able to read sensitive data relating to other guests, or to cause denial of service on the host. Arbitrary code execution, and therefore privilege escalation, cannot be excluded.

information leak, DoS, code execution