xcp-1.6-updates/xen-4.1.hg

changeset 23299:f08e61b9b33f

x86_64: Do not execute sysret with a non-canonical return address

Check for non-canonical guest RIP before attempting to execute sysret.
If sysret is executed with a non-canonical value in RCX, Intel CPUs
take the fault in ring0, but we will necessarily already have switched
to the user's stack pointer.

This is a security vulnerability, XSA-7 / CVE-2012-0217.

Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Keir Fraser <keir.xen@gmail.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-unstable changeset: 25480:76eaf5966c05
xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
author Jan Beulich <JBeulich@suse.com>
date Tue Jun 12 11:38:30 2012 +0100 (2012-06-12)
parents 435493696053
children 0fec1afa4638
files xen/arch/x86/x86_64/entry.S
line diff
     1.1 --- a/xen/arch/x86/x86_64/entry.S	Fri May 25 08:18:47 2012 +0100
     1.2 +++ b/xen/arch/x86/x86_64/entry.S	Tue Jun 12 11:38:30 2012 +0100
     1.3 @@ -40,6 +40,13 @@ restore_all_guest:
     1.4          testw $TRAP_syscall,4(%rsp)
     1.5          jz    iret_exit_to_guest
     1.6  
     1.7 +        /* Don't use SYSRET path if the return address is not canonical. */
     1.8 +        movq  8(%rsp),%rcx
     1.9 +        sarq  $47,%rcx
    1.10 +        incl  %ecx
    1.11 +        cmpl  $1,%ecx
    1.12 +        ja    .Lforce_iret
    1.13 +
    1.14          addq  $8,%rsp
    1.15          popq  %rcx                    # RIP
    1.16          popq  %r11                    # CS
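Review bot: the canonical-address test at lines 1.8-1.12 is correct but the arithmetic deserves a comment beyond the one-liner: `sarq $47,%rcx` leaves 0 for a canonical lower-half address and -1 for a canonical upper-half address, so after `incl %ecx` only the values 0 and 1 are acceptable and the unsigned `ja` rejects everything else (looking at the low 32 bits is sufficient once the shift has collapsed the value to a small signed number). Suggest spelling that out next to the existing comment and expressing the 47 as a named virtual-address-width constant rather than a bare immediate, since the check silently becomes wrong if the VA width ever changes. Note that the test also covers the `sysretl` path below; a 32-bit return address is always canonical so it costs nothing there, and running it unconditionally rather than only on Intel parts is the right conservative choice given that the value being checked is the guest-controlled word that `popq %rcx` loads into RCX immediately afterwards.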
    1.17 @@ -50,6 +57,10 @@ restore_all_guest:
    1.18          sysretq
    1.19  1:      sysretl
    1.20  
    1.21 +.Lforce_iret:
    1.22 +        /* Mimic SYSRET behavior. */
    1.23 +        movq  8(%rsp),%rcx            # RIP
    1.24 +        movq  24(%rsp),%r11           # RFLAGS
    1.25          ALIGN
    1.26  /* No special register assumptions. */
    1.27  iret_exit_to_guest:
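Review bot: `.Lforce_iret` at lines 1.21-1.24 falls through the `ALIGN` directive into `iret_exit_to_guest`, so it relies on the alignment padding being executable nops; that holds for the assembler in a text section but is easy to break if this region is later reordered, so either an explicit `jmp iret_exit_to_guest` after `movq 24(%rsp),%r11` or a comment stating the intended fall-through would make it robust. The "Mimic SYSRET behavior." comment should also say what is being mimicked: SYSRET leaves RCX equal to the return RIP and R11 equal to the return RFLAGS, which is why the 8(%rsp) and 24(%rsp) frame slots (the RIP and RFLAGS offsets implied by the pops on the fast path) are copied into those registers before taking the IRET route, so the guest sees the same register state on either path. Unlike the fast path there is no `addq $8,%rsp` here, which is correct only because `iret_exit_to_guest` is documented as having no special register assumptions and unwinds the full frame itself; worth stating in the comment so the asymmetry is not "fixed" later.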