[Xen-changelog] [xen-4.0-testing] x86_64: Do not execute sysret with a non-canonical return address
# HG changeset patch
# User Jan Beulich <JBeulich@xxxxxxxx>
# Date 1339497511 -3600
# Node ID dd367837e08919f10a57b7fa482e68a91e0779dc
# Parent c6eb61ed6f04b4079525c3944b5a55268e1db4f1
x86_64: Do not execute sysret with a non-canonical return address

Check for non-canonical guest RIP before attempting to execute sysret.

If sysret is executed with a non-canonical value in RCX, Intel CPUs take the fault in ring0, but we will necessarily already have switched to the user's stack pointer.

This is a security vulnerability, XSA-7 / CVE-2012-0217.

Signed-off-by: Jan Beulich <JBeulich@xxxxxxxx>
Signed-off-by: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Acked-by: Keir Fraser <keir.xen@xxxxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
xen-unstable changeset: 25480:76eaf5966c05
xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
diff -r c6eb61ed6f04 -r dd367837e089 xen/arch/x86/x86_64/entry.S --- a/xen/arch/x86/x86_64/entry.S Mon May 14 17:02:16 2012 +0100 +++ b/xen/arch/x86/x86_64/entry.S Tue Jun 12 11:38:31 2012 +0100 @@ -51,6 +51,13 @@ restore_all_guest: testw $TRAP_syscall,4(%rsp) jz iret_exit_to_guest + /* Don't use SYSRET path if the return address is not canonical. */ + movq 8(%rsp),%rcx + sarq $47,%rcx + incl %ecx + cmpl $1,%ecx + ja .Lforce_iret + addq $8,%rsp popq %rcx # RIP popq %r11 # CS @@ -61,6 +68,10 @@ restore_all_guest: sysretq 1: sysretl +.Lforce_iret: + /* Mimic SYSRET behavior. */ + movq 8(%rsp),%rcx # RIP + movq 24(%rsp),%r11 # RFLAGS ALIGN /* No special register assumptions. */ iret_exit_to_guest:
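Review bot: the canonical-address test in the first hunk (@@ -51,6 +51,13 @@) is correct but its comment does not explain the arithmetic, which a reader has to work out by hand: after `sarq $47,%rcx` a canonical RIP (bits 63..47 all equal) leaves %rcx as 0 or -1, `incl %ecx` maps those two values to 1 or 0, and the unsigned `cmpl $1,%ecx` / `ja .Lforce_iret` pair rejects every other value. Suggest stating that in the comment, and also noting that %rcx is free to use as scratch here only because the `popq %rcx # RIP` a few lines down reloads it. Placing the check after the `testw $TRAP_syscall` test is the right spot: only the SYSRET path needs it, since an IRET with a non-canonical RIP faults in ring 0 before any stack switch.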
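Review bot: `.Lforce_iret` in the second hunk (@@ -61,6 +68,10 @@) falls through the `ALIGN` directive into `iret_exit_to_guest` with no explicit jump, so the path is only correct if ALIGN pads with executable NOPs; suggest either an explicit `jmp iret_exit_to_guest` after the two moves or a comment saying the fall-through is intentional. The comment `Mimic SYSRET behavior.` would also read better if it said what is mimicked: a real SYSRET leaves the guest with RCX holding the return RIP and R11 holding RFLAGS, so loading them from 8(%rsp) and 24(%rsp) keeps the guest-visible register state identical on the IRET fallback. Those offsets agree with the first hunk, which also reads RIP from 8(%rsp) before `addq $8,%rsp` / `popq %rcx # RIP`.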