xen/57c82be2-x86-32on64-adjust-call-gate-emulation.patch

# Commit ee1cc4bfdca84d526805c4c72302c026f5e9cd94
# Date 2016-09-01 15:23:46 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/32on64: misc adjustments to call gate emulation

- There's no 32-bit displacement in 16-bit addressing mode.
- It is wrong to ASSERT() anything on parts of an instruction fetched
  from guest memory.
- The two scaling bits of a SIB byte don't affect whether there is a
  scaled index register or not.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -3176,7 +3176,7 @@ static void emulate_gate_op(struct cpu_u
                             sib = insn_fetch(u8, base, eip, limit);
 
                             modrm = (modrm & ~7) | (sib & 7);
-                            if ( (sib >>= 3) != 4 )
+                            if ( ((sib >>= 3) & 7) != 4 )
                                 opnd_off = *(unsigned long *)
                                     decode_register(sib & 7, regs, 0);
                             opnd_off <<= sib >> 3;
@@ -3236,7 +3236,10 @@ static void emulate_gate_op(struct cpu_u
                         opnd_off += insn_fetch(s8, base, eip, limit);
                         break;
                     case 0x80:
-                        opnd_off += insn_fetch(s32, base, eip, limit);
+                        if ( ad_bytes > 2 )
+                            opnd_off += insn_fetch(s32, base, eip, limit);
+                        else
+                            opnd_off += insn_fetch(s16, base, eip, limit);
                         break;
                     }
                     if ( ad_bytes == 4 )
@@ -3273,8 +3276,7 @@ static void emulate_gate_op(struct cpu_u
 #define ad_default ad_bytes
     opnd_sel = insn_fetch(u16, base, opnd_off, limit);
 #undef ad_default
-    ASSERT((opnd_sel & ~3) == regs->error_code);
-    if ( dpl < (opnd_sel & 3) )
+    if ( (opnd_sel & ~3) != regs->error_code || dpl < (opnd_sel & 3) )
     {
         do_guest_trap(TRAP_gp_fault, regs, 1);
         return;
- bsc#995785 - VUL-0: CVE-2016-7092: xen: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450 2016-09-12 20:08:38 +02:00			`# Commit ee1cc4bfdca84d526805c4c72302c026f5e9cd94`
			`# Date 2016-09-01 15:23:46 +0200`
			`# Author Jan Beulich <jbeulich@suse.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/32on64: misc adjustments to call gate emulation`

			`- There's no 32-bit displacement in 16-bit addressing mode.`
			`- It is wrong to ASSERT() anything on parts of an instruction fetched`
			`from guest memory.`
			`- The two scaling bits of a SIB byte don't affect whether there is a`
			`scaled index register or not.`

			`Signed-off-by: Jan Beulich <jbeulich@suse.com>`
			`Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>`

			`--- a/xen/arch/x86/traps.c`
			`+++ b/xen/arch/x86/traps.c`
			`@@ -3176,7 +3176,7 @@ static void emulate_gate_op(struct cpu_u`
			`sib = insn_fetch(u8, base, eip, limit);`

			`modrm = (modrm & ~7) \| (sib & 7);`
			`- if ( (sib >>= 3) != 4 )`
			`+ if ( ((sib >>= 3) & 7) != 4 )`
			`opnd_off = (unsigned long )`
			`decode_register(sib & 7, regs, 0);`
			`opnd_off <<= sib >> 3;`
			`@@ -3236,7 +3236,10 @@ static void emulate_gate_op(struct cpu_u`
			`opnd_off += insn_fetch(s8, base, eip, limit);`
			`break;`
			`case 0x80:`
			`- opnd_off += insn_fetch(s32, base, eip, limit);`
			`+ if ( ad_bytes > 2 )`
			`+ opnd_off += insn_fetch(s32, base, eip, limit);`
			`+ else`
			`+ opnd_off += insn_fetch(s16, base, eip, limit);`
			`break;`
			`}`
			`if ( ad_bytes == 4 )`
			`@@ -3273,8 +3276,7 @@ static void emulate_gate_op(struct cpu_u`
			`#define ad_default ad_bytes`
			`opnd_sel = insn_fetch(u16, base, opnd_off, limit);`
			`#undef ad_default`
			`- ASSERT((opnd_sel & ~3) == regs->error_code);`
			`- if ( dpl < (opnd_sel & 3) )`
			`+ if ( (opnd_sel & ~3) != regs->error_code \|\| dpl < (opnd_sel & 3) )`
			`{`
			`do_guest_trap(TRAP_gp_fault, regs, 1);`
			`return;`