[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.5] x86/emulate: Correct boundary interactions of emulated instructions



commit bc9f72bb933aac7cd51419b1f5482094a1325518
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Sep 8 14:28:11 2016 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Sep 8 14:28:11 2016 +0200

    x86/emulate: Correct boundary interactions of emulated instructions
    
    This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".
    
    Experimentally, in long mode processors will execute an instruction stream
    which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
    boundary is aligned on the virtual boundary, or is misaligned.
    
    In compatibility mode, Intel processors will execute an instruction stream
    which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors 
raise a
    segmentation fault.  Xen's segmentation behaviour matches AMD.
    
    For 16bit code, hardware does not ever truncated %ip.  %eip is always used 
and
    behaves normally as a 32bit register, including in 16bit protected mode
    segments, as well as in Real and Unreal mode.
    
    This is XSA-186 / CVE-2016-7093.
    
    Reported-by: Brian Marcotte <marcotte@xxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: e9575f980df81aeb0e5b6139f485fd6f7bb7f5b6
    master date: 2016-09-08 14:15:53 +0200
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c 
b/xen/arch/x86/x86_emulate/x86_emulate.c
index a73913d..2ff5e88 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1510,10 +1510,6 @@ x86_emulate(
 #endif
     }
 
-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
-    if ( def_ad_bytes < sizeof(_regs.eip) )
-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
-
     /* Prefix bytes. */
     for ( ; ; )
     {
@@ -3829,21 +3825,11 @@ x86_emulate(
 
     /* Commit shadow register state. */
     _regs.eflags &= ~EFLG_RF;
-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
-    {
-        uint16_t ip;
 
-    case 2:
-        ip = _regs.eip;
-        _regs.eip = ctxt->regs->eip;
-        *(uint16_t *)&_regs.eip = ip;
-        break;
-#ifdef __x86_64__
-    case 4:
-        _regs.rip = _regs._eip;
-        break;
-#endif
-    }
+    /* Zero the upper 32 bits of %rip if not in long mode. */
+    if ( def_ad_bytes < sizeof(_regs.eip) )
+        _regs.eip = (uint32_t)_regs.eip;
+
     *ctxt->regs = _regs;
 
  done:
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.5

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.