
[Xen-changelog] [xen stable-4.1] x86/xsave: properly check guest input to XSETBV



commit 13e00caf1a01a4eb99f2269be6ce12a3a4703178
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Jun 4 09:41:41 2013 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jun 4 09:41:41 2013 +0200

    x86/xsave: properly check guest input to XSETBV
    
    Other than the HVM emulation path, the PV case so far failed to check
    that YMM state requires SSE state to be enabled, allowing for a #GP to
    occur upon passing the inputs to XSETBV inside the hypervisor.
    
    This is CVE-2013-2078 / XSA-54.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 365c95f7de789e1dca03f119eab7dc61fe0f77c9
    master date: 2013-06-04 09:29:07 +0200
---
 xen/arch/x86/traps.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 7e4e6b6..f69ca0b 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2192,6 +2192,11 @@ static int emulate_privileged_op(struct cpu_user_regs 
*regs)
                     if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & 
~xfeature_mask) )
                         goto fail;
 
+                    /* YMM state takes SSE state as prerequisite. */
+                    if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
+                         !(new_xfeature & XSTATE_SSE) )
+                        goto fail;
+
                     v->arch.xcr0 = new_xfeature;
                     v->arch.xcr0_accum |= new_xfeature;
                     set_xcr0(new_xfeature);
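Review bot: The `xfeature_mask &` term in the added condition is redundant. The check directly above already takes `goto fail` when `new_xfeature & ~xfeature_mask` is non-zero, so any YMM bit that reaches this point is inside the mask, and `(new_xfeature & XSTATE_YMM) && !(new_xfeature & XSTATE_SSE)` expresses the same rule more directly. The commit message says the HVM emulation path already enforces this prerequisite, so consider moving the XCR0 validity rules (FP required, no bits outside the mask, YMM implies SSE) into one helper called from both paths, so the PV check cannot fall behind again. The comment could also state that the invalid combination is rejected here because `set_xcr0()` would otherwise raise #GP inside the hypervisor.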
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.1

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

