Re: [PATCH v2 2/3] x86/traps: use entry_ssp in fixup_exception_return()


  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 8 Apr 2026 18:34:48 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>
  • Delivery-date: Wed, 08 Apr 2026 17:35:03 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08/04/2026 1:23 pm, Jan Beulich wrote:
> With the value recorded on entry there's no need anymore to go hunt for
> the respective exception frame on the shadow stack. By deriving "ptr"
> from that field (without any offset), it then ends up pointin one slot

pointing

> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -1187,26 +1174,28 @@ void asmlinkage noreturn do_unhandled_tr
>  static void fixup_exception_return(struct cpu_user_regs *regs,
>                                     unsigned long fixup, unsigned long 
> stub_ra)
>  {
> -    if ( IS_ENABLED(CONFIG_XEN_SHSTK) )
> +#ifdef CONFIG_XEN_SHSTK
>      {
> -        unsigned long ssp, *ptr, *base;
> +        unsigned long ssp = rdssp();
>  
> -        if ( (ssp = rdssp()) == SSP_NO_SHSTK )
> -            goto shstk_done;
> +        if ( ssp != SSP_NO_SHSTK )
> +        {
> +            unsigned long *ptr = _p(regs->entry_ssp);
> +            unsigned long primary_shstk =
> +                (ssp & ~(STACK_SIZE - 1)) +
> +                (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8;
>  
> -        ptr = _p(ssp);
> -        base = _p(get_shstk_bottom(ssp));
> +            BUG_ON((regs->entry_ssp ^ primary_shstk) >> PAGE_SHIFT);
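Review bot: the BUG_ON closing the hunk requires regs->entry_ssp to sit on the single page of the primary shadow stack derived from the live ssp, which is a stronger invariant than the fixup that follows needs, and nothing in the hunk shows that entry_ssp cannot legitimately be on another shadow-stack page of the same stack block; either bound it to the block instead (`ssp & ~(STACK_SIZE - 1)` is already computed two lines up) or document why only the primary page is legal at this point. Separately, replacing `if ( IS_ENABLED(CONFIG_XEN_SHSTK) )` with `#ifdef CONFIG_XEN_SHSTK` means the body is no longer compile-checked in !CONFIG_XEN_SHSTK builds and leaves a bare `{` block whose matching `#endif` falls outside the visible context; if the switch is deliberate, the commit message should say why.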

This BUG() isn't correct.

We can be in a fixup while in an IST handler, at which point SSP does
not point to the primary shstk.  e.g. wrmsr_safe() in #MC.

If you're looking to at least roughly bound it, check that it's anywhere
in the stack range.  The WRSS below will #PF if SSP isn't referring to a
shadow stack.

Alternatively, add an is_shstk_page() predicate which checks for
get_stack_page() == 5,0 which are the two shstk frames in the block of 8.

~Andrew
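The alternatives laid out in the reply above (bound entry_ssp to the stack block, or test the page slot with an is_shstk_page()-style predicate), set side by side with the page-exact check from the hunk, as an added example that is not part of this thread or of Xen's own code. The layout constants are assumptions for illustration only, not values from Xen's headers: 4 KiB pages, an 8-page per-CPU stack block, the primary shadow stack in slot 5 and the IST shadow stack in slot 0 (following the "5,0" in the reply); DEMO_BASE and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative layout constants, NOT taken from Xen's headers: 4 KiB pages,
 * an order-3 (8-page) per-CPU stack block, primary shadow stack in slot 5
 * and the IST shadow stack in slot 0 (the "5,0" from the reply).
 */
#define PAGE_SHIFT          12UL
#define PAGE_SIZE           (1UL << PAGE_SHIFT)
#define STACK_ORDER         3UL
#define STACK_SIZE          (PAGE_SIZE << STACK_ORDER)
#define PRIMARY_SHSTK_SLOT  5UL
#define IST_SHSTK_SLOT      0UL

/* Constructed, 32 KiB-aligned base of one CPU's stack block. */
#define DEMO_BASE           0xffff830000000000UL

/* Which of the 8 pages in the stack block does addr fall on? */
static unsigned long get_stack_page(unsigned long addr)
{
    return (addr & (STACK_SIZE - 1)) >> PAGE_SHIFT;
}

/*
 * The check from the hunk: derive the top slot of the primary shadow stack
 * from the live SSP's block and require entry_ssp to be on that very page.
 * Only the block base of ssp matters here, so ssp may itself be on another
 * shadow-stack page of the block (e.g. the IST one) without changing it.
 */
static bool entry_ssp_on_primary_page(unsigned long entry_ssp, unsigned long ssp)
{
    unsigned long primary_shstk =
        (ssp & ~(STACK_SIZE - 1)) + (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8;

    return ((entry_ssp ^ primary_shstk) >> PAGE_SHIFT) == 0;
}

/* Looser bound from the reply: anywhere within the same stack block as ssp. */
static bool entry_ssp_in_stack_block(unsigned long entry_ssp, unsigned long ssp)
{
    return ((entry_ssp ^ ssp) >> (PAGE_SHIFT + STACK_ORDER)) == 0;
}

/* Slot predicate from the reply: is this page one of the two shadow-stack frames? */
static bool is_shstk_page(unsigned long addr)
{
    unsigned long slot = get_stack_page(addr);

    return slot == PRIMARY_SHSTK_SLOT || slot == IST_SHSTK_SLOT;
}

/* Combined sanity check: same block as the live SSP, and on a shadow-stack page. */
static bool entry_ssp_plausible(unsigned long entry_ssp, unsigned long ssp)
{
    return entry_ssp_in_stack_block(entry_ssp, ssp) && is_shstk_page(entry_ssp);
}

int main(void)
{
    /* Live SSP on the primary shadow stack (slot 5), 0x40 below its top. */
    unsigned long ssp = DEMO_BASE + (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 0x40;
    struct { const char *name; unsigned long entry_ssp; } cases[] = {
        { "primary shstk",       DEMO_BASE + (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 0x48 },
        { "IST shstk (slot 0)",  DEMO_BASE + IST_SHSTK_SLOT * PAGE_SIZE + 0x800 },
        { "ordinary stack page", DEMO_BASE + 3 * PAGE_SIZE + 0x100 },
        { "outside the block",   DEMO_BASE + STACK_SIZE + 0x10 },
    };

    for ( unsigned int i = 0; i < sizeof(cases) / sizeof(cases[0]); i++ )
        printf("%-20s primary-page:%d in-block:%d shstk-page:%d plausible:%d\n",
               cases[i].name,
               entry_ssp_on_primary_page(cases[i].entry_ssp, ssp),
               entry_ssp_in_stack_block(cases[i].entry_ssp, ssp),
               is_shstk_page(cases[i].entry_ssp),
               entry_ssp_plausible(cases[i].entry_ssp, ssp));

    return 0;
}
```

The second row is the case the reply describes: an entry_ssp on the IST shadow stack fails the page-exact check from the hunk but passes both the block bound and the slot predicate, while an address on an ordinary stack page passes the block bound alone and is only rejected once the slot predicate is applied.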
