
[Xen-changelog] [xen stable-4.4] x86: fix information leak on AMD CPUs



commit c2f8ab34391e1a25e6cf30783aec5d18a7706765
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Mar 29 15:20:58 2016 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Mar 29 15:20:58 2016 +0200

    x86: fix information leak on AMD CPUs
    
    The fix for XSA-52 was wrong, and so was the change synchronizing that
    new behavior to the FXRSTOR logic: AMD's manuals explicitly state that
    writes to the ES bit are ignored, and it instead gets calculated from
    the exception and mask bits (it gets set whenever there is an unmasked
    exception, and cleared otherwise). Hence we need to follow that model
    in our workaround.
    
    This is CVE-2016-3158 / CVE-2016-3159 / XSA-172.
    [xen/arch/x86/xstate.c:xrstor: CVE-2016-3158]
    [xen/arch/x86/i387.c:fpu_fxrstor: CVE-2016-3159]
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 7bd9dc3adfbb014c55f0928ebb3b20950ca9c019
    master date: 2016-03-29 14:24:26 +0200
---
 xen/arch/x86/i387.c   | 2 +-
 xen/arch/x86/xstate.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c
index 58fb7b7..6567e80 100644
--- a/xen/arch/x86/i387.c
+++ b/xen/arch/x86/i387.c
@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vcpu *v)
      * sometimes new user value. Both should be ok. Use the FPU saved
      * data block as a safe address because it should be in L1.
      */
-    if ( !(fpu_ctxt->fsw & 0x0080) &&
+    if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
          boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
     {
         asm volatile ( "fnclex\n\t"
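Review bot: the new condition in fpu_fxrstor() tests `fsw & ~fcw & 0x003f` with a bare magic number and no explanation at the test itself. The low six bits are the x87 exception flags in FSW and the matching mask bits in FCW, so the expression is nonzero exactly when an unmasked exception is pending, which is the rule the commit message gives for how AMD derives ES. A named constant for 0x003f and a one-line comment stating that would let the next reader see why bit 7 (0x0080) is no longer consulted, without going back to the commit log.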
diff --git a/xen/arch/x86/xstate.c b/xen/arch/x86/xstate.c
index 421e351..2f20880 100644
--- a/xen/arch/x86/xstate.c
+++ b/xen/arch/x86/xstate.c
@@ -158,7 +158,7 @@ void xrstor(struct vcpu *v, uint64_t mask)
      * data block as a safe address because it should be in L1.
      */
     if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-         !(ptr->fpu_sse.fsw & 0x0080) &&
+         !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
          boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
         asm volatile ( "fnclex\n\t"        /* clear exceptions */
                        "ffree %%st(7)\n\t" /* clear stack tag */
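Review bot: the test added in xrstor() duplicates the expression in fpu_fxrstor(), differing only in the structure path (`ptr->fpu_sse.` versus `fpu_ctxt->`), and the commit message says both sites carried the same wrong check. A small shared inline helper that takes fsw and fcw and returns whether an unmasked exception is pending would keep the FXRSTOR and XRSTOR paths from diverging again, and would give the 0x003f mask a single documented home.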
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4
