xenbits.xensource.com Git - xen.git/commitdiff
x86/xsave: properly check guest input to XSETBV
author Jan Beulich <jbeulich@suse.com>
Tue, 4 Jun 2013 07:41:41 +0000 (09:41 +0200)
committer Jan Beulich <jbeulich@suse.com>
Tue, 4 Jun 2013 07:41:41 +0000 (09:41 +0200)
Other than the HVM emulation path, the PV case so far failed to check
that YMM state requires SSE state to be enabled, allowing for a #GP to
occur upon passing the inputs to XSETBV inside the hypervisor.

This is CVE-2013-2078 / XSA-54.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
master commit: 365c95f7de789e1dca03f119eab7dc61fe0f77c9
master date: 2013-06-04 09:29:07 +0200

xen/arch/x86/traps.c

index 7e4e6b69ea283c8312a65a6806c6b33c43d7e1dc..f69ca0b5494814164e5224335a63ce229d15f2f1 100644 (file)
@@ -2192,6 +2192,11 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
                     if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
                         goto fail;
 
+                    /* YMM state takes SSE state as prerequisite. */
+                    if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
+                         !(new_xfeature & XSTATE_SSE) )
+                        goto fail;
+
                     v->arch.xcr0 = new_xfeature;
                     v->arch.xcr0_accum |= new_xfeature;
                     set_xcr0(new_xfeature);
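
Review bot: The "xfeature_mask &" term in the added condition is redundant. The context check immediately above the added lines already takes "goto fail" when (new_xfeature & ~xfeature_mask) is non-zero, so every bit set in new_xfeature at this point is also set in xfeature_mask. The prerequisite can be written as "(new_xfeature & XSTATE_YMM) && !(new_xfeature & XSTATE_SSE)" with the same behaviour. Separately, the commit message says the HVM emulation path already had this check while the PV path lacked it; consider moving the XCR0 validity rules into one helper called from both paths, so that a rule added on one side cannot be missed on the other again.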