File xsa435-0-32.patch of Package xen.32200
From 56e2c8e5860090a35d5f0cafe168223a2a7c0e62 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Wed, 10 May 2023 19:58:43 +0100
Subject: x86/cpuid: Calculate FEATURESET_NR_ENTRIES more helpfully
When adding new featureset words, it is convenient to split the work into
several patches. However, GCC 12 spotted that the way we prefer to split the
work results in a real (transient) breakage whereby the policy <-> featureset
helpers perform out-of-bounds accesses on the featureset array.
Fix this by having gen-cpuid.py calculate FEATURESET_NR_ENTRIES from the
comments describing the word blocks, rather than from the XEN_CPUFEATURE()
with the greatest value.
For simplicty, require that the word blocks appear in order. This can be
revisted if we find a good reason to have blocks out of order.
No functional change.
Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/tools/gen-cpuid.py
+++ b/xen/tools/gen-cpuid.py
@@ -47,13 +47,37 @@ def parse_definitions(state):
"\s+([\s\d]+\*[\s\d]+\+[\s\d]+)\)"
"\s+/\*([\w!]*) .*$")
+ word_regex = re.compile(
+ r"^/\* .* word (\d*) \*/$")
+ last_word = -1
+
this = sys.modules[__name__]
for l in state.input.readlines():
- # Short circuit the regex...
- if not l.startswith("XEN_CPUFEATURE("):
+
+ # Short circuit the regexes...
+ if not (l.startswith("XEN_CPUFEATURE(") or
+ l.startswith("/* ")):
continue
+ # Handle /* ... word $N */ lines
+ if l.startswith("/* "):
+
+ res = word_regex.match(l)
+ if res is None:
+ continue # Some other comment
+
+ word = int(res.groups()[0])
+
+ if word != last_word + 1:
+ raise Fail("Featureset word %u out of order (last word %u)"
+ % (word, last_word))
+
+ last_word = word
+ state.nr_entries = word + 1
+ continue
+
+ # Handle XEN_CPUFEATURE( lines
res = feat_regex.match(l)
if res is None:
@@ -91,6 +115,15 @@ def parse_definitions(state):
if len(state.names) == 0:
raise Fail("No features found")
+ if state.nr_entries == 0:
+ raise Fail("No featureset word info found")
+
+ max_val = max(state.names.keys())
+ if (max_val >> 5) >= state.nr_entries:
+ max_name = state.names[max_val]
+ raise Fail("Feature %s (%d*32+%d) exceeds FEATURESET_NR_ENTRIES (%d)"
+ % (max_name, max_val >> 5, max_val & 31, state.nr_entries))
+
def featureset_to_uint32s(fs, nr):
""" Represent a featureset as a list of C-compatible uint32_t's """
@@ -119,9 +152,6 @@ def format_uint32s(state, featureset, in
def crunch_numbers(state):
- # Size of bitmaps
- state.nr_entries = nr_entries = (max(state.names.keys()) >> 5) + 1
-
# Features common between 1d and e1d.
common_1d = (FPU, VME, DE, PSE, TSC, MSR, PAE, MCE, CX8, APIC,
MTRR, PGE, MCA, CMOV, PAT, PSE36, MMX, FXSR)
@@ -303,7 +333,7 @@ def crunch_numbers(state):
state.nr_deep_deps = len(state.deep_deps.keys())
# Calculate the bitfield name declarations
- for word in xrange(nr_entries):
+ for word in xrange(state.nr_entries):
names = []
for bit in xrange(32):
