KVM: x86: pop sreg accesses only 2 bytes

Although pop sreg updates RSP according to the operand size, only 2 bytes are read. The current behavior may result in incorrect #GP or #PF exceptions. Signed-off-by: Nadav Amit <namit@cs.technion.ac.il> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
author: Nadav Amit <namit@cs.technion.ac.il> 2014-12-25 02:52:17 +0200
committer: Paolo Bonzini <pbonzini@redhat.com> 2015-01-08 22:48:04 +0100
commit: 3313bc4ee83c4e2870d8e83800c6064b0d215679 (patch)
tree: eda0f8afbeadc3fbb84290dc92949c9d678c137a
parent: fa4a2c080e37d362ae603f4ea157fe779bd85cb5 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index feaba468cce6..abe95d2e6848 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1828,12 +1828,14 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt)
 	unsigned long selector;
 	int rc;
 
-	rc = emulate_pop(ctxt, &selector, ctxt->op_bytes);
+	rc = emulate_pop(ctxt, &selector, 2);
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 
 	if (ctxt->modrm_reg == VCPU_SREG_SS)
 		ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
+	if (ctxt->op_bytes > 2)
+		rsp_increment(ctxt, ctxt->op_bytes - 2);
 
 	rc = load_segment_descriptor(ctxt, (u16)selector, seg);
 	return rc;
author	Nadav Amit <namit@cs.technion.ac.il>	2014-12-25 02:52:17 +0200
committer	Paolo Bonzini <pbonzini@redhat.com>	2015-01-08 22:48:04 +0100
commit	3313bc4ee83c4e2870d8e83800c6064b0d215679 (patch)
tree	eda0f8afbeadc3fbb84290dc92949c9d678c137a
parent	fa4a2c080e37d362ae603f4ea157fe779bd85cb5 (diff)