[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.7] x86/emulate: Correct boundary interactions of emulated instructions
commit cb3397acff56d0cd69c27f1ca2282657b7811a90 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Thu Sep 8 14:22:35 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Sep 8 14:22:35 2016 +0200 x86/emulate: Correct boundary interactions of emulated instructions This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling". Experimentally, in long mode processors will execute an instruction stream which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction boundary is aligned on the virtual boundary, or is misaligned. In compatibility mode, Intel processors will execute an instruction stream which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a segmentation fault. Xen's segmentation behaviour matches AMD. For 16bit code, hardware does not ever truncated %ip. %eip is always used and behaves normally as a 32bit register, including in 16bit protected mode segments, as well as in Real and Unreal mode. This is XSA-186 / CVE-2016-7093. Reported-by: Brian Marcotte <marcotte@xxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: e9575f980df81aeb0e5b6139f485fd6f7bb7f5b6 master date: 2016-09-08 14:15:53 +0200 --- xen/arch/x86/x86_emulate/x86_emulate.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c index d7c6d90..7636639 100644 --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -1538,10 +1538,6 @@ x86_emulate( #endif } - /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */ - if ( def_ad_bytes < sizeof(_regs.eip) ) - _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1; - /* Prefix bytes. */ for ( ; ; ) { @@ -3843,21 +3839,11 @@ x86_emulate( /* Commit shadow register state. */ _regs.eflags &= ~EFLG_RF; - switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) ) - { - uint16_t ip; - case 2: - ip = _regs.eip; - _regs.eip = ctxt->regs->eip; - *(uint16_t *)&_regs.eip = ip; - break; -#ifdef __x86_64__ - case 4: - _regs.rip = _regs._eip; - break; -#endif - } + /* Zero the upper 32 bits of %rip if not in long mode. */ + if ( def_ad_bytes < sizeof(_regs.eip) ) + _regs.eip = (uint32_t)_regs.eip; + *ctxt->regs = _regs; done: -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.7 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |