a89d75605e
on Xen 576001df-x86-time-use-local-stamp-in-TSC-calibration-fast-path.patch 5769106e-x86-generate-assembler-equates-for-synthesized.patch 57a1e603-x86-time-adjust-local-system-time-initialization.patch 57a1e64c-x86-time-introduce-and-use-rdtsc_ordered.patch 57a2f6ac-x86-time-calibrate-TSC-against-platform-timer.patch - bsc#991934 - xen hypervisor crash in csched_acct 57973099-have-schedulers-revise-initial-placement.patch 579730e6-remove-buggy-initial-placement-algorithm.patch - bsc#988675 - VUL-0: CVE-2016-6258: xen: x86: Privilege escalation in PV guests (XSA-182) 57976073-x86-remove-unsafe-bits-from-mod_lN_entry-fastpath.patch - bsc#988676 - VUL-0: CVE-2016-6259: xen: x86: Missing SMAP whitelisting in 32-bit exception / event delivery (XSA-183) 57976078-x86-avoid-SMAP-violation-in-compat_create_bounce_frame.patch - Upstream patches from Jan 57a30261-x86-support-newer-Intel-CPU-models.patch - bsc#985503 - vif-route broken vif-route.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=445
62 lines
2.1 KiB
Diff
62 lines
2.1 KiB
Diff
References: bsc#988676 CVE-2016-6259 XSA-183
|
|
|
|
# Commit 9f1441487aa215193a7c00fd9cb80b335542465e
|
|
# Date 2016-07-26 14:07:04 +0100
|
|
# Author Andrew Cooper <andrew.cooper3@citrix.com>
|
|
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
|
|
x86/entry: Avoid SMAP violation in compat_create_bounce_frame()
|
|
|
|
A 32bit guest kernel might be running on user mappings.
|
|
compat_create_bounce_frame() must whitelist its guest accesses to avoid
|
|
risking a SMAP violation.
|
|
|
|
For both variants of create_bounce_frame(), re-blacklist user accesses if
|
|
execution exits via an exception table redirection.
|
|
|
|
This is XSA-183 / CVE-2016-6259
|
|
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
|
|
--- a/xen/arch/x86/x86_64/compat/entry.S
|
|
+++ b/xen/arch/x86/x86_64/compat/entry.S
|
|
@@ -318,6 +318,7 @@ ENTRY(compat_int80_direct_trap)
|
|
compat_create_bounce_frame:
|
|
ASSERT_INTERRUPTS_ENABLED
|
|
mov %fs,%edi
|
|
+ ASM_STAC
|
|
testb $2,UREGS_cs+8(%rsp)
|
|
jz 1f
|
|
/* Push new frame at registered guest-OS stack base. */
|
|
@@ -364,6 +365,7 @@ compat_create_bounce_frame:
|
|
movl TRAPBOUNCE_error_code(%rdx),%eax
|
|
.Lft8: movl %eax,%fs:(%rsi) # ERROR CODE
|
|
1:
|
|
+ ASM_CLAC
|
|
/* Rewrite our stack frame and return to guest-OS mode. */
|
|
/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
|
|
andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
|
|
@@ -403,6 +405,7 @@ compat_crash_page_fault_4:
|
|
addl $4,%esi
|
|
compat_crash_page_fault:
|
|
.Lft14: mov %edi,%fs
|
|
+ ASM_CLAC
|
|
movl %esi,%edi
|
|
call show_page_walk
|
|
jmp dom_crash_sync_extable
|
|
--- a/xen/arch/x86/x86_64/entry.S
|
|
+++ b/xen/arch/x86/x86_64/entry.S
|
|
@@ -420,9 +420,11 @@ domain_crash_page_fault_16:
|
|
domain_crash_page_fault_8:
|
|
addq $8,%rsi
|
|
domain_crash_page_fault:
|
|
+ ASM_CLAC
|
|
movq %rsi,%rdi
|
|
call show_page_walk
|
|
ENTRY(dom_crash_sync_extable)
|
|
+ ASM_CLAC
|
|
# Get out of the guest-save area of the stack.
|
|
GET_STACK_END(ax)
|
|
leaq STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
|