[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] x86/spec-ctrl: Protect against Speculative Code Store Bypass

commit 45f59ed8865318bb0356954bad067f329677ce9e
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Mar 11 14:39:11 2021 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jun 8 17:43:06 2021 +0100

    x86/spec-ctrl: Protect against Speculative Code Store Bypass
    Modern x86 processors have far-better-than-architecturally-guaranteed self
    modifying code detection.  Typically, when a write hits an instruction in
    flight, a Machine Clear occurs to flush stale content in the frontend and
    For self modifying code, before a write which hits an instruction in flight
    retires, the frontend can speculatively decode and execute the old 
    stream.  Speculation of this form can suffer from type confusion in 
    and potentially leak data.
    Furthermore, updates are typically byte-wise, rather than atomic.  Depending
    on timing, speculation can race ahead multiple times between individual
    writes, and execute the transiently-malformed instruction stream.
    Xen has stubs which are used in certain cases for emulation purposes.  
    speculation between updating the stub and executing it.
    This is XSA-375 / CVE-2021-0089.
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
 xen/arch/x86/pv/emul-priv-op.c         | 2 ++
 xen/arch/x86/x86_emulate/x86_emulate.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 8889509d2a..11467a1e3a 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -138,6 +138,8 @@ static io_emul_stub_t *io_emul_stub_setup(struct 
priv_op_ctxt *ctxt, u8 opcode,
     /* Runtime confirmation that we haven't clobbered an adjacent stub. */
     BUG_ON(STUB_BUF_SIZE / 2 < (p - ctxt->io_emul_stub));
+    block_speculation(); /* SCSB */
     /* Handy function-typed pointer to the stub. */
     return (void *)stub_va;
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c 
index 31fdec030c..45828b726b 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1257,6 +1257,7 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
 # define invoke_stub(pre, post, constraints...) do {                    \
     stub_exn.info = (union stub_exception_token) { .raw = ~0 };         \
     stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
+    block_speculation(); /* SCSB */                                     \
     asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n"        \
                    ".Lret%=:\n\t"                                       \
                    ".pushsection .fixup,\"ax\"\n"                       \
generated by git-patchbot for /home/xen/git/xen.git#master



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.