kvm: x86: Check memopp before dereference (CVE-2016-8630) Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a check for non-NULL under incorrect assumptions. An undefined instruction with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt to dereference a null pointer here. Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 Message-Id: <1477592752-126650-2-git-send-email-osh@google.com> Signed-off-by: Owen Hofmann <osh@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

commit: d9092f52d7e61dd1557f2db2400ddb430e85937e [log] [tgz]
author: Owen Hofmann <osh@google.com> Thu Oct 27 11:25:52 2016 -0700
committer: Paolo Bonzini <pbonzini@redhat.com> Wed Nov 02 21:31:53 2016 +0100
tree: 500459709e876c59ff397a7692b93f1e8854c162
parent: 355f4fb1405ec29d0fac49b4d41fcd78cbd455d5 [diff] [blame]
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 4e95d3e..cbd7b92 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c

@@ -5045,7 +5045,7 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
 	/* Decode and fetch the destination operand: register or memory. */
 	rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
 
-	if (ctxt->rip_relative)
+	if (ctxt->rip_relative && likely(ctxt->memopp))
 		ctxt->memopp->addr.mem.ea = address_mask(ctxt,
 					ctxt->memopp->addr.mem.ea + ctxt->_eip);
commit	d9092f52d7e61dd1557f2db2400ddb430e85937e	[log] [tgz]
author	Owen Hofmann <osh@google.com>	Thu Oct 27 11:25:52 2016 -0700
committer	Paolo Bonzini <pbonzini@redhat.com>	Wed Nov 02 21:31:53 2016 +0100
tree	500459709e876c59ff397a7692b93f1e8854c162
parent	355f4fb1405ec29d0fac49b4d41fcd78cbd455d5 [diff] [blame]