$NetBSD: patch-CVE-2015-2151,v 1.1 2015/03/10 19:50:16 spz Exp $ xsa123-4.3-4.2.patch from upstream: x86emul: fully ignore segment override for register-only operations For ModRM encoded instructions with register operands we must not overwrite ea.mem.seg (if a - bogus in that case - segment override was present) as it aliases with ea.reg. This is CVE-2015-2151 / XSA-123. --- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2015-03-10 19:18:09.000000000 +0000 +++ xen/arch/x86/x86_emulate/x86_emulate.c @@ -1640,7 +1640,7 @@ x86_emulate( } } - if ( override_seg != -1 ) + if ( override_seg != -1 && ea.type == OP_MEM ) ea.mem.seg = override_seg; /* Decode and fetch the source operand: register, memory or immediate. */
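Review bot: the added `ea.type == OP_MEM` test in the `if ( override_seg != -1 ... )` condition of the hunk at line 1640 has no accompanying comment, so the reason for it is recorded only in the commit message: `ea.mem.seg` aliases `ea.reg`, and a segment override on a register-only ModRM operand must not be written through it. A short comment above the `if` stating that aliasing would keep a later cleanup from treating the extra test as redundant and removing it. The guard is also only correct if `ea.type` has been assigned on every path that reaches this statement; the visible context shows only closing braces, so that should be confirmed against the operand decode above the hunk.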