KVM: x86: emulator: Fix illegal LEA handling

The emulator mishandles LEA with register source operand. Even though such
LEA is illegal, it can be encoded and fed to CPU. In which case real
hardware throws #UD. The emulator, instead, returns address of
x86_emulate_ctxt._regs. This info leak hurts host's kASLR.

Tell the decoder that illegal LEA is not to be emulated.

Signed-off-by: Michal Luczaj <mhal@rbox.co>
Message-Id: <20220729134801.1120-1-mhal@rbox.co>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 047c583596bb86ad8d9b950cd70baa1a2ca10d52..b4eeb7c75dfad641173618698d34174b3e1ca3de 100644 (file)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4578,6 +4578,10 @@ static const struct mode_dual mode_dual_63 = {
        N, I(DstReg | SrcMem32 | ModRM | Mov, em_movsxd)
 };
 
+static const struct instr_dual instr_dual_8d = {
+       D(DstReg | SrcMem | ModRM | NoAccess), N
+};
+
 static const struct opcode opcode_table[256] = {
        /* 0x00 - 0x07 */
        F6ALU(Lock, em_add),
@@ -4634,7 +4638,7 @@ static const struct opcode opcode_table[256] = {
        I2bv(DstMem | SrcReg | ModRM | Mov | PageTable, em_mov),
        I2bv(DstReg | SrcMem | ModRM | Mov, em_mov),
        I(DstMem | SrcNone | ModRM | Mov | PageTable, em_mov_rm_sreg),
-       D(ModRM | SrcMem | NoAccess | DstReg),
+       ID(0, &instr_dual_8d),
        I(ImplicitOps | SrcMem16 | ModRM, em_mov_sreg_rm),
        G(0, group1A),
        /* 0x90 - 0x97 */