[Xen-changelog] [xen master] x86: don't leak ST(n)/XMMn values to domains first using them
commit 81818b3f277544535974204f8d840da86fa8a44f
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Dec 17 14:22:13 2015 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Dec 17 14:22:13 2015 +0100
x86: don't leak ST(n)/XMMn values to domains first using them
FNINIT doesn't alter these registers, and hence using it is insufficient to initialize a guest's initial state. This is CVE-2015-8555 / XSA-165.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
xen/arch/x86/domain.c | 11 +++++++++++
xen/arch/x86/i387.c | 23 +++++++++--------------
2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 2c3bb09..4ad5217 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -918,6 +918,17 @@ int arch_set_info_guest(
 XSTATE_COMPACTION_ENABLED;
 }
 }
+ else if ( v->arch.xsave_area )
+ memset(&v->arch.xsave_area->xsave_hdr, 0,
+ sizeof(v->arch.xsave_area->xsave_hdr));
+ else
+ {
+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
+
+ memset(fpu_sse, 0, sizeof(*fpu_sse));
+ fpu_sse->fcw = FCW_DEFAULT;
+ fpu_sse->mxcsr = MXCSR_DEFAULT;
+ }
 if ( !compat )
 {
diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c
index b661d39..9c29211 100644
--- a/xen/arch/x86/i387.c
+++ b/xen/arch/x86/i387.c
@@ -17,16 +17,6 @@
 #include <asm/xstate.h>
 #include <asm/asm_defns.h>
-static void fpu_init(void)
-{
- uint32_t val = MXCSR_DEFAULT;
-
- asm volatile ( "fninit" );
-
- /* load default value into MXCSR control/status register */
- asm volatile ( "ldmxcsr %0" : : "m" (val) );
-}
-
 /*******************************/
 /* FPU Restore Functions */
 /*******************************/
@@ -228,10 +218,8 @@ void vcpu_restore_fpu_lazy(struct vcpu *v)
 if ( cpu_has_xsave )
 fpu_xrstor(v, XSTATE_LAZY);
- else if ( v->fpu_initialised )
- fpu_fxrstor(v);
 else
- fpu_init();
+ fpu_fxrstor(v);
 v->fpu_initialised = 1;
 v->fpu_dirtied = 1;
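Review bot: The new `else if ( v->arch.xsave_area )` branch in arch_set_info_guest clears only `xsave_hdr`, while the non-XSAVE branch below it zeroes the whole FXSAVE image, and nothing in the hunk says why the two differ. Presumably the intent is that a zero XSTATE_BV makes XRSTOR load the initial configuration for each component, so stale bytes left in the data regions are never loaded into registers; a comment such as `/* XSTATE_BV == 0: XRSTOR loads init state, data regions need no clearing */` would record that. It is also worth confirming that the legacy-region `mxcsr` field holds a valid value on this path, since this branch does not set it to `MXCSR_DEFAULT` the way the other one does. The enclosing `if` and the rest of the function are outside the hunk.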
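Review bot: With the `v->fpu_initialised` test removed, the non-XSAVE path in vcpu_restore_fpu_lazy now runs `fpu_fxrstor(v)` on a vCPU's first FPU use, so it depends on `v->arch.fpu_ctxt` always holding a loadable image. That invariant is set up elsewhere (vcpu_init_fpu in this file, arch_set_info_guest in domain.c) and is not stated here. I would add a comment above the call, e.g. `/* fpu_ctxt is zeroed with FCW/MXCSR defaults at allocation, so this is safe on first use and loads no stale register contents. */`. Whether `fpu_initialised` still has readers after this change is not visible from the hunk, and the function starts before it.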
@@ -290,7 +278,14 @@ int vcpu_init_fpu(struct vcpu *v)
 else
 {
 v->arch.fpu_ctxt = _xzalloc(sizeof(v->arch.xsave_area->fpu_sse), 16);
- if ( !v->arch.fpu_ctxt )
+ if ( v->arch.fpu_ctxt )
+ {
+ typeof(v->arch.xsave_area->fpu_sse) *fpu_sse = v->arch.fpu_ctxt;
+
+ fpu_sse->fcw = FCW_DEFAULT;
+ fpu_sse->mxcsr = MXCSR_DEFAULT;
+ }
+ else
 rc = -ENOMEM;
 }
-- generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
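Review bot: The `fpu_sse->fcw = FCW_DEFAULT;` / `fpu_sse->mxcsr = MXCSR_DEFAULT;` pair in vcpu_init_fpu repeats the one added to arch_set_info_guest in domain.c, including the `typeof(v->arch.xsave_area->fpu_sse) *` declaration. Since the FXRSTOR path now relies on both sites producing the same initial image, a small shared helper that takes the `fpu_sse` pointer and writes the two defaults would keep them from drifting apart. The XSAVE branch of this function is outside the hunk, so whether it sets the same defaults cannot be checked from here.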