[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.8] x86/emul: Correct the handling of eflags with SYSCALL

commit b996efb23864f7135db3578a3a2059fe2f3c1a98
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Sun Dec 18 15:42:59 2016 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Mon Dec 19 15:46:00 2016 +0000

    x86/emul: Correct the handling of eflags with SYSCALL
    
    A singlestep #DB is determined by the resulting eflags value from the
    execution of SYSCALL, not the original eflags value.
    
    By using the original eflags value, we negate the guest kernels attempt to
    protect itself from a privilege escalation by masking TF.
    
    Have the SYSCALL emulation recalculate tf after the instruction is complete.
    
    This is XSA-204
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c 
b/xen/arch/x86/x86_emulate/x86_emulate.c
index d82e85d..ff952a9 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -4561,6 +4561,23 @@ x86_emulate(
              (rc = ops->write_segment(x86_seg_ss, &sreg, ctxt)) )
             goto done;
 
+        /*
+         * SYSCALL (unlike most instructions) evaluates its singlestep action
+         * based on the resulting EFLG_TF, not the starting EFLG_TF.
+         *
+         * As the #DB is raised after the CPL change and before the OS can
+         * switch stack, it is a large risk for privilege escalation.
+         *
+         * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+         * vulnerability.  Running the #DB handler on an IST stack is also a
+         * mitigation.
+         *
+         * 32bit kernels have no ability to mask EFLG_TF at all.  Their only
+         * mitigation is to use a task gate for handling #DB (or to not use
+         * enable EFER.SCE to start with).
+         */
+        tf = _regs.eflags & EFLG_TF;
+
         break;
     }
 
@@ -5412,7 +5429,7 @@ x86_emulate(
 
     *ctxt->regs = _regs;
 
-    /* Inject #DB if single-step tracing was enabled at instruction start. */
+    /* Should a singlestep #DB be raised? */
     if ( tf && (rc == X86EMUL_OKAY) && ops->inject_hw_exception )
         rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.