[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.12] x86/pv: Avoid double exception injection

commit 3e039e12ecfdefbf3ecbc5a63052620a1fe51ad5
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Sep 22 17:07:38 2020 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 22 17:07:38 2020 +0200

    x86/pv: Avoid double exception injection
    There is at least one path (SYSENTER with NT set, Xen converts to #GP) which
    ends up injecting the #GP fault twice, first in compat_sysenter(), and then 
    second time in compat_test_all_events(), due to the stale TBF_EXCEPTION left
    in TRAPBOUNCE_flags.
    The guest kernel sees the second fault first, which is a kernel level #GP
    pointing at the head of the #GP handler, and is therefore a userspace
    trigger-able DoS.
    This particular bug has bitten us several times before, so rearrange
    {compat_,}create_bounce_frame() to clobber TRAPBOUNCE on success, rather 
    leaving this task to one area of code which isn't used uniformly.
    Other scenarios which might result in a double injection (e.g. two calls
    directly to compat_create_bounce_frame) will now crash the guest, which is 
    more obvious than letting the kernel run with corrupt state.
    This is XSA-339
    Fixes: fdac9515607b ("x86: clear EFLAGS.NT in SYSENTER entry path")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
 xen/arch/x86/x86_64/compat/entry.S | 7 ++++++-
 xen/arch/x86/x86_64/entry.S        | 6 +++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/x86_64/compat/entry.S 
index 175c2fe451..16c5a46e75 100644
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -81,7 +81,6 @@ compat_process_softirqs:
         call  compat_create_bounce_frame
-        movb  $0, TRAPBOUNCE_flags(%rdx)
         jmp   compat_test_all_events
@@ -352,7 +351,13 @@ __UNLIKELY_END(compat_bounce_null_selector)
         movl  %eax,UREGS_cs+8(%rsp)
         movl  TRAPBOUNCE_eip(%rdx),%eax
         movl  %eax,UREGS_rip+8(%rsp)
+        /* Trapbounce complete.  Clobber state to avoid an erroneous second 
injection. */
+        xor   %eax, %eax
+        mov   %ax,  TRAPBOUNCE_cs(%rdx)
+        mov   %al,  TRAPBOUNCE_flags(%rdx)
 .section .fixup,"ax"
         xorl  %edi,%edi
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index f9d64cca84..65229a1a68 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -93,7 +93,6 @@ process_softirqs:
         call  create_bounce_frame
-        movb  $0, TRAPBOUNCE_flags(%rdx)
         jmp   test_all_events
@@ -498,6 +497,11 @@ UNLIKELY_START(z, create_bounce_frame_bad_bounce_ip)
         jmp   asm_domain_crash_synchronous  /* Does not return */
         movq  %rax,UREGS_rip+8(%rsp)
+        /* Trapbounce complete.  Clobber state to avoid an erroneous second 
injection. */
+        xor   %eax, %eax
+        mov   %rax, TRAPBOUNCE_eip(%rdx)
+        mov   %al,  TRAPBOUNCE_flags(%rdx)
         .pushsection .fixup, "ax", @progbits
generated by git-patchbot for /home/xen/git/xen.git#staging-4.12



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.