From dcd699a99ce2f40e50263e0ec438e3b57b133598 Mon Sep 17 00:00:00 2001
From: hungkien05
Date: Wed, 17 Dec 2025 05:27:02 +0800
Subject: [PATCH] Fix potential vulnerability in cloned code (arch/x86/kvm/emulate.c)
---
 arch/x86/kvm/emulate.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 4e3da5b497b8..e06455c038ea 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1736,20 +1736,35 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 {
 u8 cpl = ctxt->ops->cpl(ctxt);
 
+
+ /*
 /*
 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
+ * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
+ * they can load it at CPL<3 (Intel's manual says only LSS can,
 * they can load it at CPL<3 (Intel's manual says only LSS can,
 * but it's wrong).
+ * but it's wrong).
+ *
 *
 * However, the Intel manual says that putting IST=1/DPL=3 in
+ * However, the Intel manual says that putting IST=1/DPL=3 in
+ * an interrupt gate will result in SS=3 (the AMD manual instead
 * an interrupt gate will result in SS=3 (the AMD manual instead
 * says it doesn't), so allow SS=3 in __load_segment_descriptor
+ * says it doesn't), so allow SS=3 in __load_segment_descriptor
+ * and only forbid it here.
 * and only forbid it here.
 */
+ */
+ if (seg == VCPU_SREG_SS && selector == 3 &&
 if (seg == VCPU_SREG_SS && selector == 3 &&
 ctxt->mode == X86EMUL_MODE_PROT64)
+ ctxt->mode == X86EMUL_MODE_PROT64)
+ return emulate_exception(ctxt, GP_VECTOR, 0, true);
 return emulate_exception(ctxt, GP_VECTOR, 0, true);
 
+
 return __load_segment_descriptor(ctxt, selector, seg, cpl,
 X86_TRANSFER_NONE, NULL);
 }
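Review bot: The new side of this hunk does not compile: once the context ` */` line has closed the comment, the added ` */` that follows it is a bare `*/` token outside any comment, and the added `if (seg == VCPU_SREG_SS && selector == 3 &&` is immediately followed by the context `if (...)` line, so a statement ends up inside a condition; the duplicated `ctxt->mode == X86EMUL_MODE_PROT64)` and `return emulate_exception(ctxt, GP_VECTOR, 0, true);` lines break in the same way. Beyond syntax, all 15 added lines are a verbatim copy of the comment and of the existing PROT64/SS==3 rejection that the surrounding context already contains, so no additional check is introduced and the "potential vulnerability" named in the subject is identified neither in the message nor in the code. The patch should be dropped as it stands; if a real gap in the NULL-selector handling for SS is suspected, the commit message should state the reachable condition and the change should adjust the existing condition rather than repeat it. The function's signature lies above the start of the hunk.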