xen/57976078-x86-avoid-SMAP-violation-in-compat_create_bounce_frame.patch

References: bsc#988676 CVE-2016-6259 XSA-183

# Commit 9f1441487aa215193a7c00fd9cb80b335542465e
# Date 2016-07-26 14:07:04 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/entry: Avoid SMAP violation in compat_create_bounce_frame()

A 32bit guest kernel might be running on user mappings.
compat_create_bounce_frame() must whitelist its guest accesses to avoid
risking a SMAP violation.

For both variants of create_bounce_frame(), re-blacklist user accesses if
execution exits via an exception table redirection.

This is XSA-183 / CVE-2016-6259

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap)
 compat_create_bounce_frame:
         ASSERT_INTERRUPTS_ENABLED
         mov   %fs,%edi
+        ASM_STAC
         testb $2,UREGS_cs+8(%rsp)
         jz    1f
         /* Push new frame at registered guest-OS stack base. */
@@ -364,6 +365,7 @@ compat_create_bounce_frame:
         movl  TRAPBOUNCE_error_code(%rdx),%eax
 .Lft8:  movl  %eax,%fs:(%rsi)           # ERROR CODE
 1:
+        ASM_CLAC
         /* Rewrite our stack frame and return to guest-OS mode. */
         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
         andl  $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
@@ -403,6 +405,7 @@ compat_crash_page_fault_4:
         addl  $4,%esi
 compat_crash_page_fault:
 .Lft14: mov   %edi,%fs
+        ASM_CLAC
         movl  %esi,%edi
         call  show_page_walk
         jmp   dom_crash_sync_extable
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -420,9 +420,11 @@ domain_crash_page_fault_16:
 domain_crash_page_fault_8:
         addq  $8,%rsi
 domain_crash_page_fault:
+        ASM_CLAC
         movq  %rsi,%rdi
         call  show_page_walk
 ENTRY(dom_crash_sync_extable)
+        ASM_CLAC
         # Get out of the guest-save area of the stack.
         GET_STACK_END(ax)
         leaq  STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
- bsc#970135 - new virtualization project clock test randomly fails on Xen 576001df-x86-time-use-local-stamp-in-TSC-calibration-fast-path.patch 5769106e-x86-generate-assembler-equates-for-synthesized.patch 57a1e603-x86-time-adjust-local-system-time-initialization.patch 57a1e64c-x86-time-introduce-and-use-rdtsc_ordered.patch 57a2f6ac-x86-time-calibrate-TSC-against-platform-timer.patch - bsc#991934 - xen hypervisor crash in csched_acct 57973099-have-schedulers-revise-initial-placement.patch 579730e6-remove-buggy-initial-placement-algorithm.patch - bsc#988675 - VUL-0: CVE-2016-6258: xen: x86: Privilege escalation in PV guests (XSA-182) 57976073-x86-remove-unsafe-bits-from-mod_lN_entry-fastpath.patch - bsc#988676 - VUL-0: CVE-2016-6259: xen: x86: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183) 57976078-x86-avoid-SMAP-violation-in-compat_create_bounce_frame.patch - Upstream patches from Jan 57a30261-x86-support-newer-Intel-CPU-models.patch - bsc#985503 - vif-route broken vif-route.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=445 2016-08-04 19:26:11 +00:00			`References: bsc#988676 CVE-2016-6259 XSA-183`

			`# Commit 9f1441487aa215193a7c00fd9cb80b335542465e`
			`# Date 2016-07-26 14:07:04 +0100`
			`# Author Andrew Cooper <andrew.cooper3@citrix.com>`
			`# Committer Andrew Cooper <andrew.cooper3@citrix.com>`
			`x86/entry: Avoid SMAP violation in compat_create_bounce_frame()`

			`A 32bit guest kernel might be running on user mappings.`
			`compat_create_bounce_frame() must whitelist its guest accesses to avoid`
			`risking a SMAP violation.`

			`For both variants of create_bounce_frame(), re-blacklist user accesses if`
			`execution exits via an exception table redirection.`

			`This is XSA-183 / CVE-2016-6259`

			`Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>`
			`Reviewed-by: George Dunlap <george.dunlap@citrix.com>`
			`Reviewed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/x86_64/compat/entry.S`
			`+++ b/xen/arch/x86/x86_64/compat/entry.S`
			`@@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap)`
			`compat_create_bounce_frame:`
			`ASSERT_INTERRUPTS_ENABLED`
			`mov %fs,%edi`
			`+ ASM_STAC`
			`testb $2,UREGS_cs+8(%rsp)`
			`jz 1f`
			`/* Push new frame at registered guest-OS stack base. */`
			`@@ -364,6 +365,7 @@ compat_create_bounce_frame:`
			`movl TRAPBOUNCE_error_code(%rdx),%eax`
			`.Lft8: movl %eax,%fs:(%rsi) # ERROR CODE`
			`1:`
			`+ ASM_CLAC`
			`/* Rewrite our stack frame and return to guest-OS mode. */`
			`/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */`
			`andl $~(X86_EFLAGS_VM\|X86_EFLAGS_RF\|\`
			`@@ -403,6 +405,7 @@ compat_crash_page_fault_4:`
			`addl $4,%esi`
			`compat_crash_page_fault:`
			`.Lft14: mov %edi,%fs`
			`+ ASM_CLAC`
			`movl %esi,%edi`
			`call show_page_walk`
			`jmp dom_crash_sync_extable`
			`--- a/xen/arch/x86/x86_64/entry.S`
			`+++ b/xen/arch/x86/x86_64/entry.S`
			`@@ -420,9 +420,11 @@ domain_crash_page_fault_16:`
			`domain_crash_page_fault_8:`
			`addq $8,%rsi`
			`domain_crash_page_fault:`
			`+ ASM_CLAC`
			`movq %rsi,%rdi`
			`call show_page_walk`
			`ENTRY(dom_crash_sync_extable)`
			`+ ASM_CLAC`
			`# Get out of the guest-save area of the stack.`
			`GET_STACK_END(ax)`
			`leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp`