[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] x86/traps: Poison unused stack pointers in the TSS
commit 040e1457c109185a5420e24203cad8e92f3caaca Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Tue Apr 11 15:39:08 2017 +0100 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Fri May 5 09:54:28 2017 +0100 x86/traps: Poison unused stack pointers in the TSS This is for additional defence-in-depth following LDT/GDT/IDT corruption. It causes attempted control transfers to ring 1 or 2 (via a call gate), or attempts to use IST 3 through 7 to yield #SS, rather than executing with a stack starting at the top of virtual address space. Express the TSS setup in terms of structure assignment, which should be less fragile if the IST indexes need to change, and has the useful side effect of zeroing the reserved fields. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Release-acked-by: Julien Grall <julien.grall@xxxxxxx> --- xen/arch/x86/cpu/common.c | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index 6c27008..2fdc2f9 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -636,14 +636,29 @@ void load_system_tables(void) .limit = (IDT_ENTRIES * sizeof(idt_entry_t)) - 1, }; - /* Main stack for interrupts/exceptions. */ - tss->rsp0 = stack_bottom; - tss->bitmap = IOBMP_INVALID_OFFSET; - - /* MCE, NMI and Double Fault handlers get their own stacks. */ - tss->ist[IST_MCE - 1] = stack_top + IST_MCE * PAGE_SIZE; - tss->ist[IST_DF - 1] = stack_top + IST_DF * PAGE_SIZE; - tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE; + *tss = (struct tss_struct){ + /* Main stack for interrupts/exceptions. */ + .rsp0 = stack_bottom, + + /* Ring 1 and 2 stacks poisoned. */ + .rsp1 = 0x8600111111111111ul, + .rsp2 = 0x8600111111111111ul, + + /* + * MCE, NMI and Double Fault handlers get their own stacks. + * All others poisoned. + */ + .ist = { + [IST_MCE - 1] = stack_top + IST_MCE * PAGE_SIZE, + [IST_DF - 1] = stack_top + IST_DF * PAGE_SIZE, + [IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE, + + [IST_MAX ... ARRAY_SIZE(tss->ist) - 1] = + 0x8600111111111111ul, + }, + + .bitmap = IOBMP_INVALID_OFFSET, + }; _set_tssldt_desc( gdt + TSS_ENTRY, -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |