
File xsa375.patch of Package xen.23721

From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/spec-ctrl: Protect against Speculative Code Store Bypass

Modern x86 processors have far-better-than-architecturally-guaranteed self
modifying code detection.  Typically, when a write hits an instruction in
flight, a Machine Clear occurs to flush stale content in the frontend and
backend.

For self modifying code, before a write which hits an instruction in flight
retires, the frontend can speculatively decode and execute the old instruction
stream.  Speculation of this form can suffer from type confusion in registers,
and potentially leak data.

Furthermore, updates are typically byte-wise, rather than atomic.  Depending
on timing, speculation can race ahead multiple times between individual
writes, and execute the transiently-malformed instruction stream.

Xen has stubs which are used in certain cases for emulation purposes.  Inhibit
speculation between updating the stub and executing it.

This is XSA-375 / CVE-2021-0089.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2494,6 +2494,7 @@ static int emulate_privileged_op(struct
             goto fail;
         if ( admin_io_okay(port, op_bytes, currd) )
         {
+            asm volatile ( "lfence" ::: "memory" ); /* SCSB */
             io_emul(regs);            
         }
         else
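Review bot: The fence is placed immediately before the io_emul(regs) call, so its effectiveness depends on io_emul() itself performing no further writes to the stub; please confirm that the stub bytes are fully written before this point, since the hunk does not show the write site. The `"memory"` clobber is what keeps the compiler from sinking any earlier stub stores past the `lfence`, so it should not be dropped if this line is ever reworked. The trailing whitespace on the `io_emul(regs);` context line is pre-existing and is best left alone in a security backport.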
@@ -2523,6 +2524,7 @@ static int emulate_privileged_op(struct
             goto fail;
         if ( admin_io_okay(port, op_bytes, currd) )
         {
+            asm volatile ( "lfence" ::: "memory" ); /* SCSB */
             io_emul(regs);            
             if ( (op_bytes == 1) && pv_post_outb_hook )
                 pv_post_outb_hook(port, regs->eax);
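Review bot: This is the second copy of exactly the same `asm volatile ( "lfence" ::: "memory" ); /* SCSB */` line in emulate_privileged_op(); a small helper wrapping the fence plus the io_emul() invocation would keep the two I/O paths from diverging if one is later touched without the other. The `SCSB` abbreviation in the comment is not spelled out anywhere in the diff; a one-line comment at the first use naming Speculative Code Store Bypass and XSA-375 would make the intent obvious to anyone reading the code without the commit message.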
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -4314,6 +4314,7 @@ x86_emulate(
         if ( !rc )
         {
            copy_REX_VEX(buf, rex_prefix, vex);
+           asm volatile ( "lfence" ::: "memory" ); /* SCSB */
            asm volatile ( "INDIRECT_CALL %0" : : "r" (stub.func), "a" (mmvalp)
                                              : "memory" );
         }
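Review bot: The ordering here is the right one: copy_REX_VEX(buf, ...) is the last write into the stub buffer and the `lfence` sits between it and the INDIRECT_CALL, so speculation cannot run ahead into the stub while its bytes are still being updated. Note that the `"memory"` clobber on the new asm statement is doing real work, preventing the compiler from reordering the copy_REX_VEX() stores after the fence; worth a brief comment so it is not removed as redundant given the adjacent INDIRECT_CALL asm already clobbers memory.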
@@ -4567,6 +4568,7 @@ x86_emulate(
         if ( !rc )
         {
            copy_REX_VEX(buf, rex_prefix, vex);
+           asm volatile ( "lfence" ::: "memory" ); /* SCSB */
            asm volatile ( "INDIRECT_CALL %0" : : "r" (stub.func), "a" (mmvalp)
                                              : "memory" );
         }
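Review bot: This hunk duplicates the previous one verbatim (copy_REX_VEX, `lfence`, INDIRECT_CALL); consider factoring the fence and the call into a single helper so that every stub invocation in x86_emulate() gets the mitigation automatically and a future call site cannot be added without it. It would also help to confirm that these two sites and the two in traps.c are the only places the emulator executes freshly written stub bytes, since the commit message says stubs are used "in certain cases" without listing them.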