Overview

File xsa183.patch of Package xen.2959

References: bsc#988676 CVE-2016-6259 XSA-183

From 114e31ccf4ab4e787340032f3630638ea36b0b71 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Wed, 15 Jun 2016 18:32:14 +0100
Subject: [PATCH] x86/entry: Avoid SMAP violation in
 compat_create_bounce_frame()

A 32bit guest kernel might be running on user mappings.
compat_create_bounce_frame() must whitelist its guest accesses to avoid
risking a SMAP violation.

For both variants of create_bounce_frame(), re-blacklist user accesses if
execution exits via an exception table redirection.

This is XSA-183

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
---
 xen/arch/x86/x86_64/compat/entry.S | 3 +++
 xen/arch/x86/x86_64/entry.S        | 1 +
 2 files changed, 4 insertions(+)

Index: xen-4.5.3-testing/xen/arch/x86/x86_64/compat/entry.S
===================================================================
--- xen-4.5.3-testing.orig/xen/arch/x86/x86_64/compat/entry.S
+++ xen-4.5.3-testing/xen/arch/x86/x86_64/compat/entry.S
@@ -337,6 +337,7 @@ compat_create_bounce_frame:
         ASSERT_INTERRUPTS_ENABLED
         mov   %fs,%edi
         testb $2,UREGS_cs+8(%rsp)
+        ASM_STAC
         jz    1f
         /* Push new frame at registered guest-OS stack base. */
         movl  VCPU_kernel_sp(%rbx),%esi
@@ -389,6 +390,7 @@ UNLIKELY_START(nz, compat_bounce_failsaf
         movl  %ds,%eax
 .Lft12: movl  %eax,%fs:0*4(%rsi)        # DS
 UNLIKELY_END(compat_bounce_failsafe)
+        ASM_CLAC
         /* Rewrite our stack frame and return to guest-OS mode. */
         /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
         andl  $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
@@ -434,6 +436,7 @@ compat_crash_page_fault_4:
         addl  $4,%esi
 compat_crash_page_fault:
 .Lft14: mov   %edi,%fs
+        ASM_CLAC
         movl  %esi,%edi
         call  show_page_walk
         jmp   dom_crash_sync_extable
Index: xen-4.5.3-testing/xen/arch/x86/x86_64/entry.S
===================================================================
--- xen-4.5.3-testing.orig/xen/arch/x86/x86_64/entry.S
+++ xen-4.5.3-testing/xen/arch/x86/x86_64/entry.S
@@ -464,9 +464,11 @@ domain_crash_page_fault_16:
 domain_crash_page_fault_8:
         addq  $8,%rsi
 domain_crash_page_fault:
+        ASM_CLAC
         movq  %rsi,%rdi
         call  show_page_walk
 ENTRY(dom_crash_sync_extable)
+        ASM_CLAC
         # Get out of the guest-save area of the stack.
         GET_STACK_BASE(%rax)
         leaq  STACK_CPUINFO_FIELD(guest_cpu_user_regs)(%rax),%rsp
openSUSE Build Service is sponsored by
Places