xen/57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch


- bsc#995785 - VUL-0: CVE-2016-7092: xen: x86: Disallow L3 recursive pagetable for 32-bit PV guests (XSA-185)
  57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch
- bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186)
  57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch
  57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch
- bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187)
  57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch
  57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch
- bsc#991934 - xen hypervisor crash in csched_acct
  57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch
- Upstream patches from Jan
  57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch
  57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch
  57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch
  57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch
  57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch
  57c82be2-x86-32on64-adjust-call-gate-emulation.patch
  57c96e2c-x86-correct-PT_NOTE-file-position.patch
  57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch
- bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml'
  57c93e52-fix-error-in-libxl_device_usbdev_list.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450
2016-09-12 20:08:38 +02:00
References: bsc#995789
# Commit 7b5cee79dad24e7006059667b02bd7de685d8ee5
# Date 2016-09-08 16:39:46 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary
The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
rdtsc, but isn't really an instruction prefix. It behaves as a break-out into
Xen, with the purpose of emulating the next instruction in the current state.
It is important to be able to test legal situations which occur in real
hardware, including instructions which cross certain boundaries, and
instructions starting at 0.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3905,6 +3905,10 @@ void hvm_ud_intercept(struct cpu_user_re
{
regs->eip += sizeof(sig);
regs->eflags &= ~X86_EFLAGS_RF;
+
+ /* Zero the upper 32 bits of %rip if not in long mode. */
+ if ( !(hvm_long_mode_enabled(cur) && cs.attr.fields.l) )
+ regs->eip = regs->_eip;
}
}
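Review bot: In the added `if` block, `regs->eip = regs->_eip;` reads like a self-assignment; the truncation that the comment promises only happens if `eip` names the full-width register and `_eip` its low 32 bits, and neither width is visible from this hunk. Consider stating that in the comment, or writing the truncation with an explicit 32-bit cast, so the intent survives a later rename of those fields. The condition also treats every code segment outside 64-bit mode the same way, so the comment could say whether 16-bit code segments are meant to be truncated to 32 bits here as well.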