[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [XEN] Fix x86/64 bug where a guest application can crash the

# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID b9af81884b99def770685dc4a872ba6fee902b31
# Parent  130eee9e972876bba82c73a19e56d314859d8b77
[XEN] Fix x86/64 bug where a guest application can crash the
guest OS by setting AC flag in RFLAGS. This wasn't being
cleared on entry to the guest kernel, causing unwanted faults
because the kernel runs in ring 3 on Xen.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
 xen/arch/x86/domain.c       |    3 ++-
 xen/arch/x86/x86_32/entry.S |    3 ++-
 xen/arch/x86/x86_64/entry.S |    4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c     Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/domain.c     Thu Aug 17 12:08:26 2006 +0100
@@ -556,7 +556,8 @@ static void load_segments(struct vcpu *n
             n->vcpu_info->evtchn_upcall_mask = 1;
 
         regs->entry_vector  = TRAP_syscall;
-        regs->rflags       &= 0xFFFCBEFFUL;
+        regs->rflags       &= ~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|
+                                X86_EFLAGS_NT|X86_EFLAGS_TF);
         regs->ss            = __GUEST_SS;
         regs->rsp           = (unsigned long)(rsp-11);
         regs->cs            = __GUEST_CS;
diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/x86_32/entry.S
--- a/xen/arch/x86/x86_32/entry.S       Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/x86_32/entry.S       Thu Aug 17 12:08:26 2006 +0100
@@ -356,7 +356,8 @@ 2:      testl $X86_EFLAGS_VM,UREGS_eflag
         movl %eax,UREGS_gs+4(%esp)
 nvm86_3:/* Rewrite our stack frame and return to ring 1. */
         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
-        andl $0xfffcbeff,UREGS_eflags+4(%esp)
+        andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
+                X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+4(%esp)
         mov  %gs,UREGS_ss+4(%esp)
         movl %esi,UREGS_esp+4(%esp)
         movzwl TRAPBOUNCE_cs(%edx),%eax
diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/x86_64/entry.S
--- a/xen/arch/x86/x86_64/entry.S       Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/x86_64/entry.S       Thu Aug 17 12:08:26 2006 +0100
@@ -294,8 +294,10 @@ FLT13:  movq  %rax,(%rsi)               
 FLT13:  movq  %rax,(%rsi)               # RCX
         /* Rewrite our stack frame and return to guest-OS mode. */
         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
+        /* Also clear AC: alignment checks shouldn't trigger in kernel mode. */
         movl  $TRAP_syscall,UREGS_entry_vector+8(%rsp)
-        andl  $0xfffcbeff,UREGS_eflags+8(%rsp)
+        andl  $~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|\
+                 X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+8(%rsp)
         movq  $__GUEST_SS,UREGS_ss+8(%rsp)
         movq  %rsi,UREGS_rsp+8(%rsp)
         movq  $__GUEST_CS,UREGS_cs+8(%rsp)

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.