x86: fix information leak on AMD CPUs

The fix for XSA-52 was wrong, and so was the change synchronizing that
new behavior to the FXRSTOR logic: AMD's manuals explictly state that
writes to the ES bit are ignored, and it instead gets calculated from
the exception and mask bits (it gets set whenever there is an unmasked
exception, and cleared otherwise). Hence we need to follow that model
in our workaround.

This is CVE-2016-3158 / XSA-172.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
master commit: 7bd9dc3adfbb014c55f0928ebb3b20950ca9c019
master date: 2016-03-29 14:24:26 +0200

diff --git a/xen/arch/x86/xstate.c b/xen/arch/x86/xstate.c
index 8a2a51d7fad175c3137540948ee1c90c59c57f3f..a2917552fe825a0248a6c14e8a66b05f88d87fd4 100644 (file)
--- a/xen/arch/x86/xstate.c
+++ b/xen/arch/x86/xstate.c
@@ -158,7 +158,7 @@ void xrstor(struct vcpu *v, uint64_t mask)
      * data block as a safe address because it should be in L1.
      */
     if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
-         !(ptr->fpu_sse.fsw & 0x0080) &&
+         !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
          boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
         asm volatile ( "fnclex\n\t"        /* clear exceptions */
                        "ffree %%st(7)\n\t" /* clear stack tag */