a4d1d9fe03
bnc#828623 - bnc#839596 - VUL-0: CVE-2013-1442: XSA-62: xen: Information leak on AVX and/or LWP capable CPUs 5242a1b5-x86-xsave-initialize-extended-register-state-when-guests-enable-it.patch - bnc#840592 - VUL-0: CVE-2013-4355: XSA-63: xen: Information leaks through I/O instruction emulation CVE-2013-4355-xsa63.patch - bnc#840593 - VUL-0: CVE-2013-4356: XSA-64: xen: Memory accessible by 64-bit PV guests under live migration CVE-2013-4356-xsa64.patch - bnc#841766 - VUL-1: CVE-2013-4361: XSA-66: xen: Information leak through fbld instruction emulation CVE-2013-4361-xsa66.patch - bnc#833796 - L3: Xen: migration broken from xsave-capable to xsave-incapable host 52205e27-x86-xsave-initialization-improvements.patch 522dc0e6-x86-xsave-fix-migration-from-xsave-capable-to-xsave-incapable-host.patch - bnc#839600 - [HP BCS SLES11 Bug]: In HP’s UEFI x86_64 platform and sles11sp3 with xen environment, xen hypervisor will panic on multiple blades nPar. 523172d5-x86-fix-memory-cut-off-when-using-PFN-compression.patch - bnc#833251 - [HP BCS SLES11 Bug]: In HP’s UEFI x86_64 platform and with xen environment, in booting stage ,xen hypervisor will panic. 522d896b-x86-EFI-properly-handle-run-time-memory-regions-outside-the-1-1-map.patch - bnc#834751 - [HP BCS SLES11 Bug]: In xen, “shutdown –y 0 –h” cannot power off system 522d896b-x86-EFI-properly-handle-run-time-memory-regions-outside-the-1-1-map.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=274
53 lines
1.5 KiB
Diff
53 lines
1.5 KiB
Diff
References: bnc#839596 CVE-2013-1442 XSA-62
|
|
|
|
# Commit 63a75ba0de817d6f384f96d25427a05c313e2179
|
|
# Date 2013-09-25 10:41:25 +0200
|
|
# Author Jan Beulich <jbeulich@suse.com>
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
|
x86/xsave: initialize extended register state when guests enable it
|
|
|
|
Till now, when setting previously unset bits in XCR0 we wouldn't touch
|
|
the active register state, thus leaving in the newly enabled registers
|
|
whatever a prior user of it left there, i.e. potentially leaking
|
|
information between guests.
|
|
|
|
This is CVE-2013-1442 / XSA-62.
|
|
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
|
--- a/xen/arch/x86/xstate.c
|
|
+++ b/xen/arch/x86/xstate.c
|
|
@@ -342,6 +342,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
|
|
int handle_xsetbv(u32 index, u64 new_bv)
|
|
{
|
|
struct vcpu *curr = current;
|
|
+ u64 mask;
|
|
|
|
if ( index != XCR_XFEATURE_ENABLED_MASK )
|
|
return -EOPNOTSUPP;
|
|
@@ -355,9 +356,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
|
|
if ( !set_xcr0(new_bv) )
|
|
return -EFAULT;
|
|
|
|
+ mask = new_bv & ~curr->arch.xcr0_accum;
|
|
curr->arch.xcr0 = new_bv;
|
|
curr->arch.xcr0_accum |= new_bv;
|
|
|
|
+ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
|
|
+ if ( mask )
|
|
+ {
|
|
+ unsigned long cr0 = read_cr0();
|
|
+
|
|
+ clts();
|
|
+ if ( curr->fpu_dirtied )
|
|
+ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
|
|
+ xrstor(curr, mask);
|
|
+ if ( cr0 & X86_CR0_TS )
|
|
+ write_cr0(cr0);
|
|
+ }
|
|
+
|
|
return 0;
|
|
}
|
|
|