xenbits.xensource.com Git - xen.git/commit
x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen
author: Andrew Cooper <andrew.cooper3@citrix.com>
        Fri, 3 Nov 2017 16:39:42 +0000 (16:39 +0000)
committer: Andrew Cooper <andrew.cooper3@citrix.com>
        Fri, 26 Jan 2018 14:10:21 +0000 (14:10 +0000)
commit: e6c0128e9ab25bf66df11377a33ee5584d7f99e3
tree: d73653651d98664d0078c9c88c4fcbe09d43ce95
parent: 5e7962901131186d3514528ed57c7a9901a15a3e
x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen

ret instructions are speculated directly to values recorded in the Return
Stack Buffer/Return Address Stack, as there is no uncertainty in well-formed
code.  Guests can take advantage of this in two ways:

  1) If they can find a path in Xen which executes more ret instructions than
     call instructions.  (At least one in the waitqueue infrastructure,
     probably others.)

  2) Use the fact that the RSB/RAS in hardware is actually a circular stack
     without a concept of empty.  (When it logically empties, stale values
     will start being used.)

To mitigate, overwrite the RSB on entry to Xen with gadgets which will capture
and contain rogue speculation.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/include/asm-x86/cpufeatures.h
xen/include/asm-x86/nops.h
xen/include/asm-x86/spec_ctrl_asm.h
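The RSB overwrite described in the commit message above, as an added example in C with inline assembly; it is not code from this commit or from xen/include/asm-x86/spec_ctrl_asm.h. It assumes an x86-64 SysV target, a 32-entry RSB (so 64 entries are written), int3 as the capture gadget, and the names overwrite_rsb, read_rsp, rsb_entries_point_at_trap and rsb_overwrite_preserves_rsp, all chosen here.

```c
#include <stdint.h>
/* Assumed RSB depth: 32 entries.  Two calls per iteration, so 32 iterations
 * record 64 return addresses, enough to overwrite every entry. */
#define RSB_FILL_ITERATIONS 32

/* Fill the RSB/RAS with the address of an int3 gadget.  Each call records its
 * return address (the int3) in the RSB and jumps past it, so the trap is only
 * reached by a later ret that speculates off a stale entry.  %rsp is saved in
 * %rax and restored (no net stack change); the SysV red zone is skipped first
 * so the pushes cannot clobber the caller's data.  Returns the last entry. */
static inline uintptr_t overwrite_rsb(void)
{
    uintptr_t last_entry;
    __asm__ __volatile__(
        "    mov  %%rsp, %%rax\n"          /* remember the stack pointer */
        "    lea  -128(%%rsp), %%rsp\n"     /* step below the red zone */
        "    mov  %1, %%ecx\n"              /* loop counter */
        "1:  call 2f\n"                     /* RSB entry -> the int3 below */
        "    int3\n"                        /* capture gadget, never executed */
        "2:  call 3f\n"
        "    int3\n"
        "3:  sub  $1, %%ecx\n"
        "    jnz  1b\n"
        "    mov  (%%rsp), %0\n"            /* most recently recorded entry */
        "    mov  %%rax, %%rsp\n"           /* discard the pushed addresses */
        : "=r"(last_entry)
        : "i"(RSB_FILL_ITERATIONS)
        : "rax", "rcx", "memory", "cc");
    return last_entry;
}

static inline uintptr_t read_rsp(void)
{
    uintptr_t sp;
    __asm__ __volatile__("mov %%rsp, %0" : "=r"(sp));
    return sp;
}

/* Property 1: each recorded entry points at a trap (int3 is opcode 0xCC). */
int rsb_entries_point_at_trap(void)
{
    return *(const unsigned char *)overwrite_rsb() == 0xCC;
}

/* Property 2: the fill leaves the architectural stack pointer untouched. */
int rsb_overwrite_preserves_rsp(void)
{
    uintptr_t before = read_rsp();
    (void)overwrite_rsb();
    return read_rsp() == before;
}
```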