Commit 0b97134b2911d0e5d6789de70a3c70fab4dbde6e
1 parent
e8e880a7
target-i386: fix CVE-2007-1322
The icebp instruction can be abused to terminate the emulation, resulting in denial of service. Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5921 c046a42c-6fe2-441c-8c8c-71466251a162
Showing
1 changed file
with
2 additions
and
0 deletions
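--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -6564,6 +6564,7 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start)
 gen_jmp_im(pc_start - s->cs_base);
 gen_helper_into(tcg_const_i32(s->pc - pc_start));
 break;
+#ifdef WANT_ICEBP
 case 0xf1: /* icebp (undocumented, exits to external debugger) */
 gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP);
 #if 1
@@ -6574,6 +6575,7 @@ static target_ulong disas_insn(DisasContext *s, target_ulong pc_start)
 cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
 #endif
 break;
+#endif
 case 0xfa: /* cli */
 if (!s->vm86) {
 if (s->cpl <= s->iopl) {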
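Review bot: The new `#ifdef WANT_ICEBP` guard around `case 0xf1` has no comment saying what the macro is for, or that defining it brings back the guest-triggerable exit described in the commit message; I would add `/* WANT_ICEBP: debugging aid only; re-enables the icebp exit from CVE-2007-1322, keep undefined for untrusted guests */` above it. The matching `#endif` in the second hunk sits directly under the inner `#if 1` … `#endif`, so writing it as `#endif /* WANT_ICEBP */` would make the pairing obvious. With the case compiled out, the `gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP)` call is removed as well, and opcode 0xf1 presumably falls to the switch's default path, which is outside the visible lines, so it is worth confirming that the guest then gets a regular exception rather than a silent no-op. `disas_insn` starts and ends outside both hunks.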