81501c15a5
23686-pygrub-solaris.patch 23697-pygrub-grub2.patch 23944-pygrub-debug.patch 23998-pygrub-GPT.patch 23999-pygrub-grub2.patch 24064-pygrub-HybridISO.patch 24401-pygrub-scrolling.patch 24402-pygrub-edit-fix.patch 24460-pygrub-extlinux.patch 24706-pygrub-extlinux.patch - Revised version of security patch and an additional patch for bnc#764077 x86_64-AMD-erratum-121.patch x86_64-allow-unsafe-adjust.patch - bnc#764077 - VUL-0: EMBARGOED: xen: XSA-9: denial of service on older AMD systems x86_64-AMD-erratum-121.patch - Revised version of security patch for bnc#757537 x86_64-sysret-canonical.patch - bnc#757537 - VUL-0: xen: CVE-2012-0217 PV guest escalation x86_64-sysret-canonical.patch - bnc#757970 - VUL-1: xen: guest denial of service on syscall GPF generation x86_64-trap-bounce-flags.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=190
References: CVE-2012-0217, bnc#757537
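--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -40,6 +40,13 @@ restore_all_guest:
 testw $TRAP_syscall,4(%rsp)
 jz iret_exit_to_guest
 
+ /* Don't use SYSRET path if the return address is not canonical. */
+ movq 8(%rsp),%rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+ ja .Lforce_iret
+
 addq $8,%rsp
 popq %rcx # RIP
 popq %r11 # CS
@@ -50,6 +57,10 @@ restore_all_guest:
 sysretq
 1: sysretl
 
+.Lforce_iret:
+ /* Mimic SYSRET behavior. */
+ movq 8(%rsp),%rcx # RIP
+ movq 24(%rsp),%r11 # RFLAGS
 ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest: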
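Review bot: The canonical-address test in the first hunk (`sarq $47,%rcx` / `incl %ecx` / `cmpl $1,%ecx` / `ja .Lforce_iret`) looks correct but is opaque, and the one-line comment above it says neither how the check works nor why a non-canonical return address must stay off the SYSRET path. I would extend that comment to something like `/* Bits 63:47 of RIP must be all 0 or all 1: sarq leaves 0 or -1, +1 gives 0 or 1; anything else is non-canonical, where SYSRET can fault while still in ring 0, so exit via IRET. */`. In the second hunk, `.Lforce_iret` reaches `iret_exit_to_guest` only by falling through `ALIGN`, which presumably pads with executable NOPs (the macro's definition is not visible here); a `/* Fall through. */` comment or an explicit `jmp iret_exit_to_guest` would make that dependency visible to the next editor. `restore_all_guest` begins before the first hunk, so the frame offsets 8 and 24 are taken as the patch's own `# RIP` / `# RFLAGS` comments state them.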