Re: [Xen-devel] [PATCH v2 2/2] x86/xpti: Don't leak TSS-adjacent percpu data via Meltdown
On Fri, Jul 26, 2019 at 09:32:22PM +0100, Andrew Cooper wrote:
> The XPTI work restricted the visibility of most of memory, but missed a few
> aspects when it came to the TSS.
>
> Given that the TSS is just an object in percpu data, the 4k mapping for it
> created in setup_cpu_root_pgt() maps adjacent percpu data, making it all
> leakable via Meltdown, even when XPTI is in use.
>
> Furthermore, no care is taken to check that the TSS doesn't cross a page
> boundary. As it turns out, struct tss_struct is aligned on its size which
> does prevent it straddling a page boundary, but this will cease to be true
> once CET and Shadow Stack support is added to Xen.
>
> Move the TSS into the page aligned percpu area, so no adjacent data can be
> leaked. Move the definition from setup.c to traps.c, which is a more
> appropriate place for it to live.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks, Roger.
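The layout argument in the quoted commit message, worked through as an added example that is not part of the original message or of Xen's code: it computes how much neighbouring data a 4k mapping exposes for an object embedded in a percpu area, and whether the object straddles a page. The `struct obj` model, the offsets and the sizes are constructed for illustration and are not Xen's real layout; the 192-byte case generalises the point to show that alignment on a non-power-of-two size does not prevent straddling.

```c
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Constructed model: an object of `size` bytes at byte offset `off` from a
 * page-aligned percpu base. Values are illustrative, not Xen's real layout. */
struct obj { unsigned long off, size; };

/* True if the object's first and last byte land in different 4k pages. */
static bool straddles_page(struct obj o)
{
    return o.off / PAGE_SIZE != (o.off + o.size - 1) / PAGE_SIZE;
}

/* Bytes of neighbouring data made visible by 4k mappings that cover the
 * whole object: everything in those pages that is not the object itself. */
static unsigned long exposed_neighbour_bytes(struct obj o)
{
    unsigned long pages = (o.off + o.size - 1) / PAGE_SIZE - o.off / PAGE_SIZE + 1;
    return pages * PAGE_SIZE - o.size;
}

/* Bytes of the object left outside the mapping when only the page holding
 * its first byte is mapped and no straddle check is made. */
static unsigned long unmapped_tail_bytes(struct obj o)
{
    unsigned long page_end = (o.off / PAGE_SIZE + 1) * PAGE_SIZE;
    return o.off + o.size > page_end ? o.off + o.size - page_end : 0;
}

int main(void)
{
    struct obj cases[] = {
        { 0x1f80, 128 },       /* aligned on its size, power-of-two size */
        { 0x1f80, 192 },       /* aligned on its size (42 * 192), larger size */
        { 0x2000, PAGE_SIZE }, /* page aligned and padded to a full page */
    };
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("off=%#lx size=%lu straddles=%d exposed=%lu unmapped=%lu\n",
               cases[i].off, cases[i].size, straddles_page(cases[i]),
               exposed_neighbour_bytes(cases[i]), unmapped_tail_bytes(cases[i]));
    return 0;
}
```

Only the third layout, page aligned and occupying a whole page, exposes zero neighbouring bytes and can never straddle.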