oss-sec mailing list archives

CVE-2010-0730 xen: emulator instruction decoding inconsistency


From: Eugene Teo <eugene () redhat com>
Date: Fri, 07 May 2010 14:00:22 +0800

Assigned with CVE-2010-0730. It does not affect upstream. For more info, please see https://bugzilla.redhat.com/CVE-2010-0730.

Due to a mismatch between the opcode decoding table and the implementation of the operand decoder in platform.c, the ARPL instruction would cause the guest to crash if executed on an MMIO area. While this is difficult to exploit from non-root, it is theoretically possible to do so.

This fix changes the failure path to inject #UD instead of crashing the domain. The guest kernel will transform the #UD into a SIGILL.
---
 arch/x86/hvm/platform.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/arch/x86/hvm/platform.c b/arch/x86/hvm/platform.c
index 3d69e9c..86c478d 100644
--- a/arch/x86/hvm/platform.c
+++ b/arch/x86/hvm/platform.c
@@ -1057,7 +1057,9 @@ void handle_mmio(unsigned long gpa)
         for ( i = 0; i < inst_len; i++ )
             printk(" %02x", inst[i] & 0xFF);
         printk("\n");
-        domain_crash_synchronous();
+
+       hvm_inject_exception(TRAP_invalid_op, -1, 0);
+       return;
     }

     regs->eip += inst_len; /* advance %eip */
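Review bot: the diagnostic printk of the instruction bytes just above the new hvm_inject_exception() call stays on the failure path, so now that the path is no longer fatal a guest can re-execute the offending instruction against MMIO as often as it likes and flood the hypervisor console; consider moving that output under a debug/rate-limited print (gdprintk or similar) before making the path survivable. Minor: the two added lines (`hvm_inject_exception(TRAP_invalid_op, -1, 0);` and `return;`) are indented seven spaces while the surrounding block uses eight, so the hunk introduces a whitespace inconsistency.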
--
1.6.6.1

--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
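The commit message describes two distinct defects: an opcode table that claimed to understand ARPL while the operand decoder had no matching case, and a failure path that tore down the whole domain instead of raising a fault the guest could see. The following C program is an added illustration of both, not Xen's platform.c and not code from this thread. It is a hypothetical toy decoder for a handful of 32-bit one-byte opcodes (table, names and sample byte strings all constructed for the example): self_check_table() is the consistency check that would have caught a table/decoder mismatch at init time, and decode_mmio_insn() shows the failure path returning "inject #UD" for anything it cannot decode, reserving the internal-error result for the emulator-bug case alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Operand classes the toy opcode table can assign (hypothetical). */
enum operand_class {
    OP_NONE,        /* opcode byte only */
    OP_MODRM,       /* ModRM, optional SIB and displacement, no immediate */
    OP_MODRM_IMM8,  /* ModRM followed by an 8-bit immediate */
    OP_MODRM_IMM32, /* ModRM followed by a 32-bit immediate */
};

struct opcode_entry {
    uint8_t opcode;
    enum operand_class cls;
    const char *mnemonic;
};

/* One-byte opcodes this toy emulator decodes (constructed subset). */
static const struct opcode_entry opcode_table[] = {
    { 0x63, OP_MODRM,       "arpl Ew,Gw" },  /* the instruction in the advisory */
    { 0x88, OP_MODRM,       "mov Eb,Gb"  },
    { 0x89, OP_MODRM,       "mov Ev,Gv"  },
    { 0x8b, OP_MODRM,       "mov Gv,Ev"  },
    { 0xc6, OP_MODRM_IMM8,  "mov Eb,Ib"  },
    { 0xc7, OP_MODRM_IMM32, "mov Ev,Iz"  },
};
#define N_OPCODES (sizeof(opcode_table) / sizeof(opcode_table[0]))

/* A table entry naming a class the operand decoder never implemented:
 * the shape of the mismatch described above. Constructed for the demo. */
static const struct opcode_entry mismatched_table[] = {
    { 0x63, (enum operand_class)42, "arpl with an unimplemented operand class" },
};

/* Bytes of a 32-bit ModRM operand (ModRM + optional SIB + displacement),
 * or 0 if the n fetched bytes cannot hold it. */
static size_t modrm_length(const uint8_t *p, size_t n)
{
    if (n < 1)
        return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;

    if (mod == 3)
        return len;                        /* register form, no memory operand */
    if (rm == 4) {                         /* SIB byte follows */
        if (n < 2)
            return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5)   /* mod=00, SIB base=101: disp32 */
            len += 4;
    } else if (mod == 0 && rm == 5) {
        len += 4;                          /* disp32 only */
    }
    if (mod == 1)
        len += 1;
    else if (mod == 2)
        len += 4;
    return len <= n ? len : 0;
}

/* Operand bytes for a class; -1 if the fetched bytes are too short,
 * -2 if the class is one this decoder does not implement. */
static int decode_operands(enum operand_class cls, const uint8_t *p, size_t n)
{
    size_t m, imm;
    switch (cls) {
    case OP_NONE:        return 0;
    case OP_MODRM:       imm = 0; break;
    case OP_MODRM_IMM8:  imm = 1; break;
    case OP_MODRM_IMM32: imm = 4; break;
    default:             return -2;
    }
    m = modrm_length(p, n);
    return (m && m + imm <= n) ? (int)(m + imm) : -1;
}

/* Consistency check: every class the table can hand out must be one
 * decode_operands() accepts. Run at init time, not on a guest-controlled path. */
static int self_check_table(const struct opcode_entry *t, size_t n)
{
    static const uint8_t zeros[16] = { 0 };
    for (size_t i = 0; i < n; i++)
        if (decode_operands(t[i].cls, zeros, sizeof zeros) == -2)
            return 0;
    return 1;
}

/* Handle one instruction fetched at the faulting %eip:
 * >0 instruction length, -1 inject #UD into the guest, -2 emulator bug. */
static int decode_mmio_insn(const uint8_t *inst, size_t n)
{
    if (n == 0)
        return -1;
    for (size_t i = 0; i < N_OPCODES; i++) {
        if (opcode_table[i].opcode != inst[0])
            continue;
        int ops = decode_operands(opcode_table[i].cls, inst + 1, n - 1);
        if (ops == -2)
            return -2;          /* table/decoder mismatch: a bug, never guest-triggerable */
        return ops < 0 ? -1 : 1 + ops;
    }
    return -1;                  /* unknown opcode: guest sees #UD, hypervisor lives */
}

/* Constructed sample fetches. */
static const uint8_t arpl_reg[]  = { 0x63, 0x08 };                   /* arpl [eax],cx */
static const uint8_t arpl_sib[]  = { 0x63, 0x44, 0x24, 0x04 };       /* arpl [esp+4],ax */
static const uint8_t mov_imm32[] = { 0xc7, 0x05, 0x00, 0x10, 0x00, 0x00,
                                     0x78, 0x56, 0x34, 0x12 };       /* mov [0x1000],0x12345678 */
static const uint8_t two_byte[]  = { 0x0f, 0x01, 0x00 };             /* 0f-prefixed: not in table */

int main(void)
{
    printf("table consistent: %d, mismatched table: %d\n",
           self_check_table(opcode_table, N_OPCODES),
           self_check_table(mismatched_table, 1));
    printf("arpl [eax],cx      -> %d\n", decode_mmio_insn(arpl_reg, sizeof arpl_reg));
    printf("arpl [esp+4],ax    -> %d\n", decode_mmio_insn(arpl_sib, sizeof arpl_sib));
    printf("mov [disp32],imm32 -> %d\n", decode_mmio_insn(mov_imm32, sizeof mov_imm32));
    printf("0f 01 ..           -> %d (inject #UD)\n", decode_mmio_insn(two_byte, sizeof two_byte));
    return 0;
}
```

The point of keeping -2 separate from -1 is the same as the patch's: an opcode the emulator does not know, or a fetch too short to decode, is the guest's problem and becomes #UD (the guest kernel turns it into SIGILL for the offending process), whereas -2 can only arise from the emulator's own table disagreeing with its decoder, which self_check_table() catches before any guest runs.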

