[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen stable-4.14] x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path
commit e49571868d67944b9f4a546ade130e0b6e506b65 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Fri Feb 10 21:11:14 2023 +0000 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Tue Mar 21 12:07:44 2023 +0000 x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, between the two hunks visible in the patch, RET's are not safe prior to this point. CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32 compiled in, SMEP or SMAP active), and the RET can be attacked with one of several known speculative issues. Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask global variable, which is not safe when XPTI is active before restoring Xen's full pagetables. This crash has gone unnoticed because it is only AMD CPUs which permit the SYSCALL instruction in compatibility mode, and these are not vulnerable to Meltdown so don't activate XPTI by default. This is XSA-429 / CVE-2022-42331 Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point") Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV guests") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> (cherry picked from commit df5b055b12116d9e63ced59ae5389e69a2a3de48) --- xen/arch/x86/x86_64/compat/entry.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 302530e65e..84a8c97b77 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -202,7 +202,6 @@ ENTRY(cstar_enter) ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK #endif push %rax /* Guest %rsp */ - CR4_PV32_RESTORE movq 8(%rsp), %rax /* Restore guest %rax. */ movq $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain. Compat handled lower. */ pushq %r11 @@ -226,6 +225,8 @@ ENTRY(cstar_enter) .Lcstar_cr3_okay: sti + CR4_PV32_RESTORE + movq STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx movq VCPU_domain(%rbx),%rcx cmpb $0,DOMAIN_is_32bit_pv(%rcx) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.14
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |