summaryrefslogtreecommitdiff
path: root/system/xen/xsa/xsa183-4.6.patch
diff options
context:
space:
mode:
Diffstat (limited to 'system/xen/xsa/xsa183-4.6.patch')
-rw-r--r--system/xen/xsa/xsa183-4.6.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa183-4.6.patch b/system/xen/xsa/xsa183-4.6.patch
new file mode 100644
index 0000000000..84d70077c8
--- /dev/null
+++ b/system/xen/xsa/xsa183-4.6.patch
@@ -0,0 +1,75 @@
+From 777ebe30e81ab284f9b78392875fe884a593df35 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed, 15 Jun 2016 18:32:14 +0100
+Subject: [PATCH] x86/entry: Avoid SMAP violation in
+ compat_create_bounce_frame()
+
+A 32bit guest kernel might be running on user mappings.
+compat_create_bounce_frame() must whitelist its guest accesses to avoid
+risking a SMAP violation.
+
+For both variants of create_bounce_frame(), re-blacklist user accesses if
+execution exits via an exception table redirection.
+
+This is XSA-183 / CVE-2016-6259
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: George Dunlap <george.dunlap@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+v2:
+ * Include CLAC on the exit paths from compat_create_bounce_frame which occur
+ from faults attempting to load %fs
+ * Reposition ASM_STAC to avoid breaking the macro-op fusion of test/jz
+---
+ xen/arch/x86/x86_64/compat/entry.S | 3 +++
+ xen/arch/x86/x86_64/entry.S | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
+index 0e3db7c..1eaf4bb 100644
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -350,6 +350,7 @@ ENTRY(compat_int80_direct_trap)
+ compat_create_bounce_frame:
+ ASSERT_INTERRUPTS_ENABLED
+ mov %fs,%edi
++ ASM_STAC
+ testb $2,UREGS_cs+8(%rsp)
+ jz 1f
+ /* Push new frame at registered guest-OS stack base. */
+@@ -403,6 +404,7 @@ UNLIKELY_START(nz, compat_bounce_failsafe)
+ movl %ds,%eax
+ .Lft12: movl %eax,%fs:0*4(%rsi) # DS
+ UNLIKELY_END(compat_bounce_failsafe)
++ ASM_CLAC
+ /* Rewrite our stack frame and return to guest-OS mode. */
+ /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
+ andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
+@@ -448,6 +450,7 @@ compat_crash_page_fault_4:
+ addl $4,%esi
+ compat_crash_page_fault:
+ .Lft14: mov %edi,%fs
++ ASM_CLAC
+ movl %esi,%edi
+ call show_page_walk
+ jmp dom_crash_sync_extable
+diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
+index 6e27508..0c2e63a 100644
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -462,9 +462,11 @@ domain_crash_page_fault_16:
+ domain_crash_page_fault_8:
+ addq $8,%rsi
+ domain_crash_page_fault:
++ ASM_CLAC
+ movq %rsi,%rdi
+ call show_page_walk
+ ENTRY(dom_crash_sync_extable)
++ ASM_CLAC
+ # Get out of the guest-save area of the stack.
+ GET_STACK_BASE(%rax)
+ leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
+--
+2.1.4
+