xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Fri, 22 Jul 2016 16:02:54 +0000 (16:02 +0000)
committer	Jan Beulich <jbeulich@suse.com>
	Thu, 8 Sep 2016 12:15:53 +0000 (14:15 +0200)
commit	e9575f980df81aeb0e5b6139f485fd6f7bb7f5b6
tree	bc59ebeb5431e4c3cef0ca78f646310406bfff92	tree
parent	c844d637d92a75854ea5c8d4e5ca34302a9f623c	commit \| diff

x86/emulate: Correct boundary interactions of emulated instructions

This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".

Experimentally, in long mode processors will execute an instruction stream
which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
boundary is aligned on the virtual boundary, or is misaligned.

In compatibility mode, Intel processors will execute an instruction stream
which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
segmentation fault. Xen's segmentation behaviour matches AMD.

For 16bit code, hardware does not ever truncated %ip. %eip is always used and
behaves normally as a 32bit register, including in 16bit protected mode
segments, as well as in Real and Unreal mode.

This is XSA-186 / CVE-2016-7093.

Reported-by: Brian Marcotte <marcotte@panix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>