da53445dea
recursive pagetable for 32-bit PV guests (XSA-185)
  57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch
- bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186)
  57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch
  57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch
- bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187)
  57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch
  57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch
- bsc#991934 - xen hypervisor crash in csched_acct
  57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch
- Upstream patches from Jan
  57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch
  57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch
  57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch
  57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch
  57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch
  57c82be2-x86-32on64-adjust-call-gate-emulation.patch
  57c96e2c-x86-correct-PT_NOTE-file-position.patch
  57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch
- bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml'
  57c93e52-fix-error-in-libxl_device_usbdev_list.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450
52 lines
2.4 KiB
# Commit 3b7cac5232012e167b284aba738fef1eceda33f8
# Date 2016-09-01 11:41:03 +0100
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/levelling: Restrict non-architectural OSXSAVE handling to emulated CPUID
There is no need to extend the workaround to the faulted CPUID view, as
Linux's dependence on the workaround is strictly via the emulated view.
This causes a guest kernel faulted CPUID to observe architectural behaviour
with respect to its CR4.OSXSAVE setting.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -972,6 +972,8 @@ void pv_cpuid(struct cpu_user_regs *regs
*
* Therefore, the leaking of Xen's OSXSAVE setting has become a
* defacto part of the PV ABI and can't reasonably be corrected.
+ * It can however be restricted to only the enlightened CPUID
+ * view, as seen by the guest kernel.
*
* The following situations and logic now applies:
*
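Review bot: terminology drifts within the comment block: this hunk introduces "enlightened CPUID view" while the subject line says "emulated CPUID" and the second hunk's comment says "Emulated vs Faulted CPUID"; pick one term, or add a parenthetical such as `* enlightened (i.e. emulated) CPUID view`, so the two halves of the comment read as a single explanation.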
@@ -985,14 +987,18 @@ void pv_cpuid(struct cpu_user_regs *regs
*
* - Enlightened CPUID or CPUID faulting available:
* Xen can fully control what is seen here. Guest kernels need
- * to see the leaked OSXSAVE, but guest userspace is given
- * architectural behaviour, to reflect the guest kernels
- * intentions.
+ * to see the leaked OSXSAVE via the enlightened path, but
+ * guest userspace and the native is given architectural
+ * behaviour.
+ *
+ * Emulated vs Faulted CPUID is distinguised based on whether a
+ * #UD or #GP is currently being serviced.
*/
/* OSXSAVE cleared by pv_featureset. Fast-forward CR4 back in. */
- if ( (guest_kernel_mode(curr, regs) &&
- (read_cr4() & X86_CR4_OSXSAVE)) ||
- (curr->arch.pv_vcpu.ctrlreg[4] & X86_CR4_OSXSAVE) )
+ if ( (curr->arch.pv_vcpu.ctrlreg[4] & X86_CR4_OSXSAVE) ||
+ (regs->entry_vector == TRAP_invalid_op &&
+ guest_kernel_mode(curr, regs) &&
+ (read_cr4() & X86_CR4_OSXSAVE)) )
c |= cpufeat_mask(X86_FEATURE_OSXSAVE);
/*
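Review bot: the new condition relies on `regs->entry_vector == TRAP_invalid_op` to tell the emulated (#UD) path from the faulted (#GP) path, but nothing in the hunk records that pv_cpuid() is reached only from those two handlers; a caller arriving with any other entry_vector would silently get the architectural view even in kernel mode with host CR4.OSXSAVE set, so consider an `ASSERT(regs->entry_vector == TRAP_invalid_op || regs->entry_vector == TRAP_gp_fault)` ahead of the test, or at least a comment naming the two callers. Two nits in the added comment text: "guest userspace and the native is given" should read "guest userspace and the native view are given", and "distinguised" is missing a letter.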