[Xen-changelog] [xen stable-4.5] x86: correct create_bounce_frame
commit 8825df16e631e96038d8532b1b4079a2b9e6cb8a Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue May 2 15:08:11 2017 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue May 2 15:08:11 2017 +0200 x86: correct create_bounce_frame We may push up to 96 bytes on the guest (kernel) stack, so we should also cover as much in the early range check. Note that this is the simplest possible patch, which has the theoretical potential of breaking a guest: We only really push 96 bytes when invoking the failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed (without / with error code respectively). There is, however, no PV OS known to place a kernel stack there. This is XSA-215. Reported-by: Jann Horn <jannh@xxxxxxxxxx> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- xen/arch/x86/x86_64/entry.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index d2c8e84..c6f2d96 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -349,7 +349,7 @@ int80_slow_path: jmp handle_exception_saved /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */ -/* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */ +/* { RCX, R11, [DS-GS,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */ /* %rdx: trap_bounce, %rbx: struct vcpu */ /* On return only %rbx and %rdx are guaranteed non-clobbered. */ create_bounce_frame: 
@@ -369,7 +369,7 @@ create_bounce_frame: 2: andq $~0xf,%rsi # Stack frames are 16-byte aligned. movq $HYPERVISOR_VIRT_START,%rax cmpq %rax,%rsi - movq $HYPERVISOR_VIRT_END+60,%rax + movq $HYPERVISOR_VIRT_END+12*8,%rax sbb %ecx,%ecx # In +ve address space? Then okay. cmpq %rax,%rsi adc %ecx,%ecx # Above Xen private area? Then okay. -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.5 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
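Review bot: In the first hunk (@@ -349,7 +349,7 @@), the layout comment above create_bounce_frame should also state the maximum frame size, since the range check in the next hunk depends on it. With [CR2,] dropped, the comment lists twelve 8-byte slots when both optional groups are present (RCX, R11, the four segment registers DS-GS, ERRCODE, RIP, CS, RFLAGS, RSP, SS), which matches the 96 bytes named in the commit message. Adding something like "at most 12 quadwords (96 bytes)" to the comment would make that link explicit. The commit message also does not mention the comment correction; one sentence noting that the CR2 slot is not part of the frame would help anyone backporting this.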
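Review bot: In the second hunk (@@ -369,7 +369,7 @@), the new bound "movq $HYPERVISOR_VIRT_END+12*8,%rax" carries an unexplained magic number, and nothing on that line ties 12*8 to the frame layout documented above create_bounce_frame. The old value of +60 shows how easily this constant can drift from the real push size, so a trailing comment on that line (for example "# max frame: 12 quadwords") or a named assembler constant shared with the layout comment would make a future change to the frame harder to miss here. As the commit message says, the check is deliberately conservative: it is applied with the full 96 bytes even on paths that push only 56 or 64, and a short comment at the check stating that this is intentional would stop a later cleanup from tightening it per path without re-examining the failsafe callback case.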