
[Xen-devel] [PATCH 2/7] x86/traps: Poison unused stack pointers in the TSS



This is for additional defence-in-depth following LDT/GDT/IDT corruption.

It causes attempted control transfers to ring 1 or 2 (via a call gate), or
attempts to use IST 3 through 7 to yield #SS[0], rather than executing with a
stack starting at the top of virtual address space.

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
---
 xen/arch/x86/cpu/common.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index 6c27008..8796568 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -645,6 +645,14 @@ void load_system_tables(void)
        tss->ist[IST_DF  - 1] = stack_top + IST_DF  * PAGE_SIZE;
        tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE;
 
+       /* Poision all other stack pointers to prevent their accidental use. */
+       tss->rsp1   = 0x8600111111111111ul;
+       tss->rsp2   = 0x8600222222222222ul;
+       tss->ist[3] = 0x8600444444444444ul;
+       tss->ist[4] = 0x8600555555555555ul;
+       tss->ist[5] = 0x8600666666666666ul;
+       tss->ist[6] = 0x8600777777777777ul;
+
        _set_tssldt_desc(
                gdt + TSS_ENTRY,
                (unsigned long)tss,
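Review bot: The poisoned slots are tss->ist[3] through tss->ist[6], and the context lines above index the array as ist[IST_DF - 1] and ist[IST_NMI - 1], so these four entries are IST 4 through 7, while the commit message says "IST 3 through 7". Either the message should read 4 through 7, or ist[2] needs to be covered if it is not already assigned earlier in load_system_tables(). The digit pattern in the constants (444... for ist[3], 777... for ist[6]) matches the 1-based numbering, which supports the first reading. The comment would also be more useful if it said why these values work, namely that they are non-canonical addresses and that the repeated digit identifies which slot was used when one shows up in a crash dump. Typo in the comment: "Poision" should be "Poison".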
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

