xen/57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch

References: bsc#995789 CVE-2016-7093 XSA-186

# Commit e9575f980df81aeb0e5b6139f485fd6f7bb7f5b6
# Date 2016-09-08 14:15:53 +0200
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86/emulate: Correct boundary interactions of emulated instructions

This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".

Experimentally, in long mode processors will execute an instruction stream
which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction
boundary is aligned on the virtual boundary, or is misaligned.

In compatibility mode, Intel processors will execute an instruction stream
which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a
segmentation fault.  Xen's segmentation behaviour matches AMD.

For 16bit code, hardware does not ever truncated %ip.  %eip is always used and
behaves normally as a 32bit register, including in 16bit protected mode
segments, as well as in Real and Unreal mode.

This is XSA-186 / CVE-2016-7093.

Reported-by: Brian Marcotte <marcotte@panix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1538,10 +1538,6 @@ x86_emulate(
 #endif
     }
 
-    /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */
-    if ( def_ad_bytes < sizeof(_regs.eip) )
-        _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;
-
     /* Prefix bytes. */
     for ( ; ; )
     {
@@ -3843,21 +3839,11 @@ x86_emulate(
 
     /* Commit shadow register state. */
     _regs.eflags &= ~EFLG_RF;
-    switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )
-    {
-        uint16_t ip;
 
-    case 2:
-        ip = _regs.eip;
-        _regs.eip = ctxt->regs->eip;
-        *(uint16_t *)&_regs.eip = ip;
-        break;
-#ifdef __x86_64__
-    case 4:
-        _regs.rip = _regs._eip;
-        break;
-#endif
-    }
+    /* Zero the upper 32 bits of %rip if not in long mode. */
+    if ( def_ad_bytes < sizeof(_regs.eip) )
+        _regs.eip = (uint32_t)_regs.eip;
+
     *ctxt->regs = _regs;
 
  done:
- bsc#995785 - VUL-0: CVE-2016-7092: xen: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450 2016-09-12 20:08:38 +02:00			`References: bsc#995789 CVE-2016-7093 XSA-186`

			`# Commit e9575f980df81aeb0e5b6139f485fd6f7bb7f5b6`
			`# Date 2016-09-08 14:15:53 +0200`
			`# Author Andrew Cooper <andrew.cooper3@citrix.com>`
			`# Committer Jan Beulich <jbeulich@suse.com>`
			`x86/emulate: Correct boundary interactions of emulated instructions`

			`This reverts most of c/s 0640ffb6 "x86emul: fix rIP handling".`

			`Experimentally, in long mode processors will execute an instruction stream`
			`which crosses the 64bit -1 -> 0 virtual boundary, whether the instruction`
			`boundary is aligned on the virtual boundary, or is misaligned.`

			`In compatibility mode, Intel processors will execute an instruction stream`
			`which crosses the 32bit -1 -> 0 virtual boundary, while AMD processors raise a`
			`segmentation fault. Xen's segmentation behaviour matches AMD.`

			`For 16bit code, hardware does not ever truncated %ip. %eip is always used and`
			`behaves normally as a 32bit register, including in 16bit protected mode`
			`segments, as well as in Real and Unreal mode.`

			`This is XSA-186 / CVE-2016-7093.`

			`Reported-by: Brian Marcotte <marcotte@panix.com>`
			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Reviewed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/x86_emulate/x86_emulate.c`
			`+++ b/xen/arch/x86/x86_emulate/x86_emulate.c`
			`@@ -1538,10 +1538,6 @@ x86_emulate(`
			`#endif`
			`}`

			`- /* Truncate rIP to def_ad_bytes (2 or 4) if necessary. */`
			`- if ( def_ad_bytes < sizeof(_regs.eip) )`
			`- _regs.eip &= (1UL << (def_ad_bytes * 8)) - 1;`
			`-`
			`/* Prefix bytes. */`
			`for ( ; ; )`
			`{`
			`@@ -3843,21 +3839,11 @@ x86_emulate(`

			`/* Commit shadow register state. */`
			`_regs.eflags &= ~EFLG_RF;`
			`- switch ( __builtin_expect(def_ad_bytes, sizeof(_regs.eip)) )`
			`- {`
			`- uint16_t ip;`

			`- case 2:`
			`- ip = _regs.eip;`
			`- _regs.eip = ctxt->regs->eip;`
			`- (uint16_t )&_regs.eip = ip;`
			`- break;`
			`-#ifdef __x86_64__`
			`- case 4:`
			`- _regs.rip = _regs._eip;`
			`- break;`
			`-#endif`
			`- }`
			`+ /* Zero the upper 32 bits of %rip if not in long mode. */`
			`+ if ( def_ad_bytes < sizeof(_regs.eip) )`
			`+ _regs.eip = (uint32_t)_regs.eip;`
			`+`
			`*ctxt->regs = _regs;`

			`done:`