[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-4.0-testing] x86-64: fix #GP generation in assembly code

  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.0-testing <patchbot@xxxxxxx>
  • Date: Fri, 15 Jun 2012 22:55:11 +0000
  • Delivery-date: Fri, 15 Jun 2012 22:55:24 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>
# HG changeset patch
# User Jan Beulich <JBeulich@xxxxxxxx>
# Date 1339497574 -3600
# Node ID adb943a387c8397709d411c191234de8d97dddbb
# Parent  dd367837e08919f10a57b7fa482e68a91e0779dc
x86-64: fix #GP generation in assembly code

When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
guest) gets converted into a GP fault (due to no callback having got
registered), we must
- honor the GP fault handler's request the keep enabled or mask event
  delivery
- not allow TBF_EXCEPTION to remain set past the generation of the
  (guest) exception in the vCPU's trap_bounce.flags, as that would
  otherwise allow for the next exception occurring in guest mode,
  should it happen to get handled in Xen itself, to nevertheless get
  bounced to the guest kernel.

Also, just like compat mode syscall handling already did, native mode
sysenter handling should, when converting to #GP, subtract 2 from the
RIP present in the frame so that the guest's GP fault handler would
see the fault pointing to the offending instruction instead of past it.

Finally, since those exception generating code blocks needed to be
modified anyway, convert them to make use of UNLIKELY_{START,END}().

[ This bug is security vulnerability, XSA-8 / CVE-2012-0218. ]

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
Committed-by: Jan Beulich <jbeulich@xxxxxxxx>

xen-unstable changeset:   25200:80f4113be500 25204:569d6f05e1ef
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---


diff -r dd367837e089 -r adb943a387c8 xen/arch/x86/x86_64/asm-offsets.c
--- a/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:38:31 2012 +0100
+++ b/xen/arch/x86/x86_64/asm-offsets.c Tue Jun 12 11:39:34 2012 +0100
@@ -89,6 +89,8 @@ void __dummy__(void)
            arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
     OFFSET(VCPU_gp_fault_sel, struct vcpu,
            arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
+    OFFSET(VCPU_gp_fault_flags, struct vcpu,
+           arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
     OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
     OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
     OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
diff -r dd367837e089 -r adb943a387c8 xen/arch/x86/x86_64/compat/entry.S
--- a/xen/arch/x86/x86_64/compat/entry.S        Tue Jun 12 11:38:31 2012 +0100
+++ b/xen/arch/x86/x86_64/compat/entry.S        Tue Jun 12 11:39:34 2012 +0100
@@ -227,6 +227,7 @@ 1:      call  compat_create_bounce_frame
 ENTRY(compat_post_handle_exception)
         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
         jz    compat_test_all_events
+.Lcompat_bounce_exception:
         call  compat_create_bounce_frame
         movb  $0,TRAPBOUNCE_flags(%rdx)
         jmp   compat_test_all_events
@@ -243,14 +244,15 @@ ENTRY(compat_syscall)
 1:      movq  %rax,TRAPBOUNCE_eip(%rdx)
         movw  %si,TRAPBOUNCE_cs(%rdx)
         movb  %cl,TRAPBOUNCE_flags(%rdx)
-        call  compat_create_bounce_frame
-        jmp   compat_test_all_events
+        jmp   .Lcompat_bounce_exception
 2:      movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
         subl  $2,UREGS_rip(%rsp)
         movq  VCPU_gp_fault_addr(%rbx),%rax
         movzwl VCPU_gp_fault_sel(%rbx),%esi
-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
         movl  $0,TRAPBOUNCE_error_code(%rdx)
+        testb $4,VCPU_gp_fault_flags(%rbx)
+        setnz %cl
+        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
         jmp   1b
 
 ENTRY(compat_sysenter)
diff -r dd367837e089 -r adb943a387c8 xen/arch/x86/x86_64/entry.S
--- a/xen/arch/x86/x86_64/entry.S       Tue Jun 12 11:38:31 2012 +0100
+++ b/xen/arch/x86/x86_64/entry.S       Tue Jun 12 11:39:34 2012 +0100
@@ -309,12 +309,14 @@ 1:      movq  VCPU_domain(%rbx),%rdi
         movb  %cl,TRAPBOUNCE_flags(%rdx)
         testb $1,DOMAIN_is_32bit_pv(%rdi)
         jnz   compat_sysenter
-        call  create_bounce_frame
-        jmp   test_all_events
+        jmp   .Lbounce_exception
 2:      movl  %eax,TRAPBOUNCE_error_code(%rdx)
         movq  VCPU_gp_fault_addr(%rbx),%rax
-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
         movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+        subq  $2,UREGS_rip(%rsp)
+        testb $4,VCPU_gp_fault_flags(%rbx)
+        setnz %cl
+        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
         jmp   1b
 
 ENTRY(int80_direct_trap)
@@ -501,6 +503,7 @@ 1:      movq  %rsp,%rdi
         jnz   compat_post_handle_exception
         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
         jz    test_all_events
+.Lbounce_exception:
         call  create_bounce_frame
         movb  $0,TRAPBOUNCE_flags(%rdx)
         jmp   test_all_events

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.