[Xen-changelog] [xen-4.1-testing] x86_64: Do not execute sysret with a non-canonical return address
# HG changeset patch
# User Jan Beulich <JBeulich@xxxxxxxx>
# Date 1339497510 -3600
# Node ID f08e61b9b33f553b21870d58e7c4f95f2c9ac513
# Parent 435493696053a079ec17d6e1a63e5f2be3a2c9d0
x86_64: Do not execute sysret with a non-canonical return address
Check for non-canonical guest RIP before attempting to execute sysret.
If sysret is executed with a non-canonical value in RCX, Intel CPUs
take the fault in ring0, but we will necessarily already have switched
to the user's stack pointer.
This is a security vulnerability, XSA-7 / CVE-2012-0217.
Signed-off-by: Jan Beulich <JBeulich@xxxxxxxx>
Signed-off-by: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Acked-by: Keir Fraser <keir.xen@xxxxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
xen-unstable changeset: 25480:76eaf5966c05
xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
diff -r 435493696053 -r f08e61b9b33f xen/arch/x86/x86_64/entry.S
--- a/xen/arch/x86/x86_64/entry.S Fri May 25 08:18:47 2012 +0100
+++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:30 2012 +0100
@@ -40,6 +40,13 @@ restore_all_guest:
testw $TRAP_syscall,4(%rsp)
jz iret_exit_to_guest
+ /* Don't use SYSRET path if the return address is not canonical. */
+ movq 8(%rsp),%rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+ ja .Lforce_iret
+
addq $8,%rsp
popq %rcx # RIP
popq %r11 # CS
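Review bot: the comment above `movq 8(%rsp),%rcx` says what is being rejected but not why `sarq $47` / `incl %ecx` / `cmpl $1,%ecx` / `ja` is a canonicality test, and readers of entry.S will have to rederive it. Suggest extending it to something like "after sarq $47 a canonical address leaves %rcx as 0 or -1; incl turns that into 1 or 0, so an unsigned compare against 1 rejects every other top-bit pattern", and noting that the 32-bit incl/cmpl are intentional (the shifted value fits in 17 sign-extended bits, so no non-canonical input can alias 0 or -1 in %ecx). The shift count hard-codes 48-bit linear addresses; on an implementation with wider linear addresses the test would send canonical upper-half addresses through the IRET path, which is slow but not unsafe, so a one-line remark about that assumption would be enough. Since the test is placed ahead of the `addq $8,%rsp` and the later split into sysretq/sysretl, compat guests are checked as well; that is harmless, as sysretl only consumes the low 32 bits of %rcx.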
@@ -50,6 +57,10 @@ restore_all_guest:
sysretq
1: sysretl
+.Lforce_iret:
+ /* Mimic SYSRET behavior. */
+ movq 8(%rsp),%rcx # RIP
+ movq 24(%rsp),%r11 # RFLAGS
ALIGN
/* No special register assumptions. */
iret_exit_to_guest:
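Review bot: control reaches `iret_exit_to_guest` from `.Lforce_iret` by falling through the `ALIGN` padding between the two `movq`s and the label. That is correct only because alignment padding in a code section is filled with NOPs; a later reordering of the file, or a macro change that pads with zero bytes, would silently break it. An explicit `jmp iret_exit_to_guest` after `movq 24(%rsp),%r11`, or at least a comment stating that the fall-through is intentional, would make the dependency visible. The offsets are consistent with the first hunk: RIP at 8(%rsp) and RFLAGS at 24(%rsp) with CS in between at 16, so the two loads mirror what `popq %rcx` / `popq %r11` would have produced on the SYSRET path, and the guest sees %rcx and %r11 clobbered identically on either path.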
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
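The canonical-address test the commit message describes, transcribed instruction by instruction into C as an added example (this is not code from the Xen tree). It exercises the `sarq $47` / `incl %ecx` / `cmpl $1,%ecx` sequence against the textbook definition of a canonical 48-bit linear address on a few constructed return addresses and then over every possible value of bits 47..63, which shows that truncating to %ecx after the shift loses nothing. The VA_BITS constant, the sample addresses and the function names are the example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Linear-address width assumed by the patch's `sarq $47` (4-level paging). */
#define VA_BITS 48

/* Textbook definition: bits VA_BITS..63 must all copy bit VA_BITS-1. */
static bool is_canonical_ref(uint64_t va)
{
    uint64_t top = va >> (VA_BITS - 1);                     /* bits 47..63 */
    return top == 0 || top == ((1ULL << (64 - VA_BITS + 1)) - 1);
}

/* x86 SARQ $47: arithmetic shift, i.e. the sign bit is replicated. */
static uint64_t sarq47(uint64_t x)
{
    uint64_t r = x >> 47;
    if (x >> 63)
        r |= ~0ULL << 17;       /* sign-extend the 17 surviving bits */
    return r;
}

/* Instruction-by-instruction transcription of the check in the hunk. */
static bool sysret_path_allowed(uint64_t rip)
{
    uint64_t rcx = rip;             /* movq 8(%rsp),%rcx                      */
    rcx = sarq47(rcx);              /* sarq $47,%rcx  -> 0 or -1 if canonical */
    uint32_t ecx = (uint32_t)rcx;   /* incl/cmpl below operate on %ecx only   */
    ecx += 1;                       /* incl %ecx      -> 1 or 0 if canonical  */
    return ecx <= 1;                /* cmpl $1,%ecx ; ja .Lforce_iret         */
}

/* Every one of the 2^17 values of bits 47..63, with the low bits held at a
 * constructed pattern, must get the same verdict as the textbook definition.
 * Returns the number of disagreements; the expected value is 0. */
static unsigned long top_bits_disagreements(void)
{
    unsigned long bad = 0;
    for (uint64_t top = 0; top < (1ULL << 17); top++) {
        uint64_t va = (top << 47) | 0x00000000DEADBEEFULL;
        if (sysret_path_allowed(va) != is_canonical_ref(va))
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample return addresses, not taken from any real guest. */
    static const uint64_t samples[] = {
        0x00007FFFFFFFFFFFULL,  /* highest canonical lower-half address */
        0x0000800000000000ULL,  /* first non-canonical address */
        0xFFFF7FFFFFFFFFFFULL,  /* last non-canonical address */
        0xFFFF800000000000ULL,  /* lowest canonical upper-half address */
        0x8000000000000000ULL,  /* only bit 63 set: non-canonical */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%016llx -> %s\n", (unsigned long long)samples[i],
               sysret_path_allowed(samples[i]) ? "sysret" : "force iret");
    printf("disagreements over all top-bit patterns: %lu\n",
           top_bits_disagreements());
    return 0;
}
```

The exhaustive loop is the part worth keeping around: it is the proof that a 32-bit `incl`/`cmpl` after the 64-bit shift cannot be fooled, because the shifted value always lies in -65536..65535 and only 0 and -1 survive the increment as a value of at most 1.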