A 32bit guest kernel might be running on user mappings.
compat_create_bounce_frame() must whitelist its guest accesses to avoid
risking a SMAP violation.
For both variants of create_bounce_frame(), re-blacklist user accesses if
execution exits via an exception table redirection.
This is XSA-183 / CVE-2016-6259
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
compat_create_bounce_frame:
ASSERT_INTERRUPTS_ENABLED
mov %fs,%edi
+ ASM_STAC
testb $2,UREGS_cs+8(%rsp)
jz 1f
/* Push new frame at registered guest-OS stack base. */
movl %ds,%eax
.Lft12: movl %eax,%fs:0*4(%rsi) # DS
UNLIKELY_END(compat_bounce_failsafe)
+ ASM_CLAC
/* Rewrite our stack frame and return to guest-OS mode. */
/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
addl $4,%esi
compat_crash_page_fault:
.Lft14: mov %edi,%fs
+ ASM_CLAC
movl %esi,%edi
call show_page_walk
jmp dom_crash_sync_extable
domain_crash_page_fault_8:
addq $8,%rsi
domain_crash_page_fault:
+ ASM_CLAC
movq %rsi,%rdi
call show_page_walk
ENTRY(dom_crash_sync_extable)
+ ASM_CLAC
# Get out of the guest-save area of the stack.
GET_STACK_BASE(%rax)
leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
projects / xen.git / commitdiff