[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.14] x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path



commit e49571868d67944b9f4a546ade130e0b6e506b65
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Fri Feb 10 21:11:14 2023 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 21 12:07:44 2023 +0000

    x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path
    
    As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, 
between
    the two hunks visible in the patch, RET's are not safe prior to this point.
    
    CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32
    compiled in, SMEP or SMAP active), and the RET can be attacked with one of
    several known speculative issues.
    
    Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask
    global variable, which is not safe when XPTI is active before restoring 
Xen's
    full pagetables.
    
    This crash has gone unnoticed because it is only AMD CPUs which permit the
    SYSCALL instruction in compatibility mode, and these are not vulnerable to
    Meltdown so don't activate XPTI by default.
    
    This is XSA-429 / CVE-2022-42331
    
    Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each 
entry/exit point")
    Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV 
guests")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit df5b055b12116d9e63ced59ae5389e69a2a3de48)
---
 xen/arch/x86/x86_64/compat/entry.S | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/x86_64/compat/entry.S 
b/xen/arch/x86/x86_64/compat/entry.S
index 302530e65e..84a8c97b77 100644
--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -202,7 +202,6 @@ ENTRY(cstar_enter)
         ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK
 #endif
         push  %rax          /* Guest %rsp */
-        CR4_PV32_RESTORE
         movq  8(%rsp), %rax /* Restore guest %rax. */
         movq  $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain.  Compat 
handled lower. */
         pushq %r11
@@ -226,6 +225,8 @@ ENTRY(cstar_enter)
 .Lcstar_cr3_okay:
         sti
 
+        CR4_PV32_RESTORE
+
         movq  STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx
         movq  VCPU_domain(%rbx),%rcx
         cmpb  $0,DOMAIN_is_32bit_pv(%rcx)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.