References: bsc#988676 CVE-2016-6259 XSA-183 # Commit 9f1441487aa215193a7c00fd9cb80b335542465e # Date 2016-07-26 14:07:04 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/entry: Avoid SMAP violation in compat_create_bounce_frame() A 32bit guest kernel might be running on user mappings. compat_create_bounce_frame() must whitelist its guest accesses to avoid risking a SMAP violation. For both variants of create_bounce_frame(), re-blacklist user accesses if execution exits via an exception table redirection. This is XSA-183 / CVE-2016-6259 Signed-off-by: Andrew Cooper Reviewed-by: George Dunlap Reviewed-by: Jan Beulich --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap) compat_create_bounce_frame: ASSERT_INTERRUPTS_ENABLED mov %fs,%edi + ASM_STAC testb $2,UREGS_cs+8(%rsp) jz 1f /* Push new frame at registered guest-OS stack base. */ @@ -364,6 +365,7 @@ compat_create_bounce_frame: movl TRAPBOUNCE_error_code(%rdx),%eax .Lft8: movl %eax,%fs:(%rsi) # ERROR CODE 1: + ASM_CLAC /* Rewrite our stack frame and return to guest-OS mode. */ /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */ andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\ @@ -403,6 +405,7 @@ compat_crash_page_fault_4: addl $4,%esi compat_crash_page_fault: .Lft14: mov %edi,%fs + ASM_CLAC movl %esi,%edi call show_page_walk jmp dom_crash_sync_extable --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -420,9 +420,11 @@ domain_crash_page_fault_16: domain_crash_page_fault_8: addq $8,%rsi domain_crash_page_fault: + ASM_CLAC movq %rsi,%rdi call show_page_walk ENTRY(dom_crash_sync_extable) + ASM_CLAC # Get out of the guest-save area of the stack. GET_STACK_END(ax) leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp