File 5a4fd894-3-x86-erase-guest-GPRs-on-entry-to-Xen.patch of Package xen.8005

# Commit 03bd8c3a70d101fc2f8f36f1e171b7594462a4cd
# Date 2018-01-05 19:57:08 +0000
# Author Andrew Cooper <andrew.cooper3@citrix.com>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
x86/entry: Erase guest GPR state on entry to Xen

This reduces the number of code gadgets which can be attacked with arbitrary
guest-controlled GPR values.

This is part of XSA-254.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>

--- a/xen/arch/x86/x86_64/compat/entry.S
+++ b/xen/arch/x86/x86_64/compat/entry.S
@@ -21,9 +21,9 @@ ENTRY(compat_hypercall)
 UNLIKELY_START(ne, msi_check)
         movl  $HYPERCALL_VECTOR,%edi
         call  check_for_unexpected_msi
-        LOAD_C_CLOBBERED
 UNLIKELY_END(msi_check)
 
+        LOAD_C_CLOBBERED compat=1
         GET_CURRENT(%rbx)
 
         cmpl  $NR_hypercalls,%eax
@@ -52,7 +52,7 @@ UNLIKELY_END(msi_check)
         xchgl %ecx,%esi              /* Arg 2, Arg 4 */
         movl  %edx,%edx              /* Arg 3        */
         movl  %edi,%r8d              /* Arg 5        */
-        movl  %ebp,%r9d              /* Arg 6        */
+        movl  UREGS_rbp(%rsp),%r9d   /* Arg 6        */
         movl  UREGS_rbx(%rsp),%edi   /* Arg 1        */
 #define SHADOW_BYTES 0  /* No on-stack shadow state */
 #endif
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -136,7 +136,7 @@ ENTRY(syscall_enter)
         jz    switch_to_kernel
 
 /*hypercall:*/
-        movq  %r10,%rcx
+        LOAD_C_CLOBBERED cx=0
         cmpq  $NR_hypercalls,%rax
         jae   bad_hypercall
 #ifndef NDEBUG
--- a/xen/include/asm-x86/x86_64/asm_defns.h
+++ b/xen/include/asm-x86/x86_64/asm_defns.h
@@ -19,26 +19,38 @@
 
 #ifdef __ASSEMBLY__
 
-.macro SAVE_ALL compat=0
+.macro SAVE_ALL compat=0, clrargs=1
         addq  $-(UREGS_error_code-UREGS_r15), %rsp
         cld
         movq  %rdi,UREGS_rdi(%rsp)
+        xor   %edi, %edi
         movq  %rsi,UREGS_rsi(%rsp)
+        xor   %esi, %esi
         movq  %rdx,UREGS_rdx(%rsp)
+        xor   %edx, %edx
         movq  %rcx,UREGS_rcx(%rsp)
+        xor   %ecx, %ecx
         movq  %rax,UREGS_rax(%rsp)
+        xor   %eax, %eax
 .if !\compat
         movq  %r8,UREGS_r8(%rsp)
         movq  %r9,UREGS_r9(%rsp)
         movq  %r10,UREGS_r10(%rsp)
         movq  %r11,UREGS_r11(%rsp)
 .endif
+        xor   %r8, %r8
+        xor   %r9, %r9
+        xor   %r10, %r10
+        xor   %r11, %r11
         movq  %rbx,UREGS_rbx(%rsp)
+        xor   %ebx, %ebx
         movq  %rbp,UREGS_rbp(%rsp)
 #ifdef CONFIG_FRAME_POINTER
 /* Indicate special exception stack frame by inverting the frame pointer. */
         leaq  UREGS_rbp(%rsp), %rbp
         notq  %rbp
+#else
+        xor   %ebp, %ebp
 #endif
 .if !\compat
         movq  %r12,UREGS_r12(%rsp)
@@ -46,6 +58,10 @@
         movq  %r14,UREGS_r14(%rsp)
         movq  %r15,UREGS_r15(%rsp)
 .endif
+        xor   %r12, %r12
+        xor   %r13, %r13
+        xor   %r14, %r14
+        xor   %r15, %r15
 .endm
 
 /*
@@ -55,15 +71,21 @@
  *
  * For the way it is used in RESTORE_ALL, this macro must preserve EFLAGS.ZF.
  */
-.macro LOAD_C_CLOBBERED compat=0
+.macro LOAD_C_CLOBBERED compat=0 cx=1
 .if !\compat
         movq  UREGS_r11(%rsp),%r11
+.if \cx
         movq  UREGS_r10(%rsp),%r10
+.else
+        movq  UREGS_r10(%rsp),%rcx
+.endif
         movq  UREGS_r9(%rsp),%r9
         movq  UREGS_r8(%rsp),%r8
 .endif
         movq  UREGS_rax(%rsp),%rax
+.if \cx
         movq  UREGS_rcx(%rsp),%rcx
+.endif
         movq  UREGS_rdx(%rsp),%rdx
         movq  UREGS_rsi(%rsp),%rsi
         movq  UREGS_rdi(%rsp),%rdi