main/xen: security fix for CVE-2016-7777

author: Natanael Copa <ncopa@alpinelinux.org> 2016-10-21 14:24:07 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2016-10-21 14:24:07 +0200
commit: 7a1fa50fc838cd70f0faff3af1d1c258a13001ec (patch)
tree: ca010ba1a43f18a889807a34d965447c45ee6364
parent: b282e4fbccb2759d3d0306e35fae749419713410 (diff)
download: alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.tar.bz2
alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.tar.xz
alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.zip
2 files changed, 170 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index ad36b07a6c..2131d1dcd0 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=xen
 pkgver=4.6.3
-pkgrel=3
+pkgrel=4
 pkgdesc="Xen hypervisor"
 url="http://www.xen.org/"
 arch="x86_64"
@@ -26,6 +26,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
 #     - CVE-2016-7092 XSA-185
 #     - CVE-2016-7093 XSA-186
 #     - CVE-2016-7094 XSA-187
+#   4.6.3-r3:
+#     - CVE-2016-7777 XSA-190
 # grep _VERSION= stubdom/configure
 _ZLIB_VERSION="1.2.3"
@@ -61,6 +63,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
        xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
        xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
        xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+        xsa190-4.6.patch
        xenstore_client_transaction_fix.patch
        qemu-coroutine-gthread.patch
@@ -266,6 +269,7 @@ cc0904605d03a9e4f6f21d16824e41c9  xsa184-qemuu-master.patch
 3d812cf9ccc8443874b36e061392d388  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 c426383254acdcbb9466bbec2d6f8d9b  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 a98c0fa2579965d72272f381f193195d  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+2c6f0d0ec618a832cc4f5316624fac5e  xsa190-4.6.patch
 b05500e9fdcec5a076ab8817fc313ac3  xenstore_client_transaction_fix.patch
 de1a3db370b87cfb0bddb51796b50315  qemu-coroutine-gthread.patch
 08bfdf8caff5d631f53660bf3fd4edaf  qemu-xen_paths.patch
@@ -307,6 +311,7 @@ f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6  xsa186-0001-x8
 7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+dbfc4b36132c841959847dfbb85a188ee6489ad3b8d7ecec43c55a303a43df21  xsa190-4.6.patch
 c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1  xenstore_client_transaction_fix.patch
 3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe  qemu-coroutine-gthread.patch
 e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98  qemu-xen_paths.patch
@@ -348,6 +353,7 @@ bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d029
 6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e  xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
 d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486  xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
 63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201  xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+ba155f6ee81718ecaa2289998c8204e2f6ba9a6d70b042a3eaa9373d8dcd030091feca829b51914f0071d6672fad5a3f9c253da579780aa429b51c24c0bf228c  xsa190-4.6.patch
 69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077  xenstore_client_transaction_fix.patch
 c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562  qemu-coroutine-gthread.patch
 1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3  qemu-xen_paths.patch
diff --git a/main/xen/xsa190-4.6.patch b/main/xen/xsa190-4.6.patch
new file mode 100644
index 0000000000..b950ae9506
--- /dev/null
+++ b/main/xen/xsa190-4.6.patch
@@ -0,0 +1,163 @@
+x86emul: honor guest CR0.TS and CR0.EM
+We must not emulate any instructions accessing respective registers
+when either of these flags is set in the guest view of the register, or
+else we may do so on data not belonging to the guest's current task.
+Being architecturally required behavior, the logic gets placed in the
+instruction emulator instead of hvmemul_get_fpu(). It should be noted,
+though, that hvmemul_get_fpu() being the only current handler for the
+get_fpu() callback, we don't have an active problem with CR4: Both
+CR4.OSFXSR and CR4.OSXSAVE get handled as necessary by that function.
+This is XSA-190.
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+--- a/tools/tests/x86_emulator/test_x86_emulator.c
+++ b/tools/tests/x86_emulator/test_x86_emulator.c
+@@ -129,6 +129,22 @@ static inline uint64_t xgetbv(uint32_t x
+     (ebx & (1U << 5)) != 0; \
+ })
+ 
+static int read_cr(
+    unsigned int reg,
+    unsigned long *val,
+    struct x86_emulate_ctxt *ctxt)
+{
+    /* Fake just enough state for the emulator's _get_fpu() to be happy. */
+    switch ( reg )
+    {
+    case 0:
+        *val = 0x00000001; /* PE */
+        return X86EMUL_OKAY;
+    }
+
+    return X86EMUL_UNHANDLEABLE;
+}
+
+ int get_fpu(
+     void (*exception_callback)(void *, struct cpu_user_regs *),
+     void *exception_callback_arg,
+@@ -160,6 +176,7 @@ static struct x86_emulate_ops emulops =
+     .write      = write,
+     .cmpxchg    = cmpxchg,
+     .cpuid      = cpuid,
+    .read_cr    = read_cr,
+     .get_fpu    = get_fpu,
+ };
+ 
+--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
+@@ -1557,6 +1557,7 @@ static int hvmemul_get_fpu(
+     switch ( type )
+     {
+     case X86EMUL_FPU_fpu:
+    case X86EMUL_FPU_wait:
+         break;
+     case X86EMUL_FPU_mmx:
+         if ( !cpu_has_mmx )
+@@ -1564,7 +1565,6 @@ static int hvmemul_get_fpu(
+         break;
+     case X86EMUL_FPU_xmm:
+         if ( !cpu_has_xmm ||
+-             (curr->arch.hvm_vcpu.guest_cr[0] & X86_CR0_EM) ||
+              !(curr->arch.hvm_vcpu.guest_cr[4] & X86_CR4_OSFXSR) )
+             return X86EMUL_UNHANDLEABLE;
+         break;
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -366,6 +366,9 @@ typedef union {
+ 
+ /* Control register flags. */
+ #define CR0_PE    (1<<0)
+#define CR0_MP    (1<<1)
+#define CR0_EM    (1<<2)
+#define CR0_TS    (1<<3)
+ #define CR4_TSD   (1<<2)
+ 
+ /* EFLAGS bit definitions. */
+@@ -393,6 +396,7 @@ typedef union {
+ #define EXC_OF  4
+ #define EXC_BR  5
+ #define EXC_UD  6
+#define EXC_NM  7
+ #define EXC_TS 10
+ #define EXC_NP 11
+ #define EXC_SS 12
+@@ -674,10 +678,45 @@ static void fpu_handle_exception(void *_
+     regs->eip += fic->insn_bytes;
+ }
+ 
+static int _get_fpu(
+    enum x86_emulate_fpu_type type,
+    struct fpu_insn_ctxt *fic,
+    struct x86_emulate_ctxt *ctxt,
+    const struct x86_emulate_ops *ops)
+{
+    int rc;
+
+    fic->exn_raised = 0;
+
+    fail_if(!ops->get_fpu);
+    rc = ops->get_fpu(fpu_handle_exception, fic, type, ctxt);
+
+    if ( rc == X86EMUL_OKAY )
+    {
+        unsigned long cr0;
+
+        fail_if(!ops->read_cr);
+        rc = ops->read_cr(0, &cr0, ctxt);
+        if ( rc != X86EMUL_OKAY )
+            return rc;
+        if ( cr0 & CR0_EM )
+        {
+            generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM, -1);
+            generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD, -1);
+            generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD, -1);
+        }
+        generate_exception_if((cr0 & CR0_TS) &&
+                              (type != X86EMUL_FPU_wait || (cr0 & CR0_MP)),
+                              EXC_NM, -1);
+    }
+
+ done:
+    return rc;
+}
+
+ #define get_fpu(_type, _fic)                                    \
+-do{ (_fic)->exn_raised = 0;                                     \
+-    fail_if(ops->get_fpu == NULL);                              \
+-    rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
+do {                                                            \
+    rc = _get_fpu(_type, _fic, ctxt, ops);                      \
+     if ( rc ) goto done;                                        \
+ } while (0)
+ #define _put_fpu()                                              \
+@@ -2508,8 +2547,14 @@ x86_emulate(
+     }
+ 
+     case 0x9b:  /* wait/fwait */
+-        emulate_fpu_insn("fwait");
+    {
+        struct fpu_insn_ctxt fic = { .insn_bytes = 1 };
+
+        get_fpu(X86EMUL_FPU_wait, &fic);
+        asm volatile ( "fwait" ::: "memory" );
+        put_fpu(&fic);
+         break;
+    }
+ 
+     case 0x9c: /* pushf */
+         src.val = _regs.eflags;
+--- a/xen/arch/x86/x86_emulate/x86_emulate.h
+++ b/xen/arch/x86/x86_emulate/x86_emulate.h
+@@ -115,6 +115,7 @@ struct __packed segment_register {
+ /* FPU sub-types which may be requested via ->get_fpu(). */
+ enum x86_emulate_fpu_type {
+     X86EMUL_FPU_fpu, /* Standard FPU coprocessor instruction set */
+    X86EMUL_FPU_wait, /* WAIT/FWAIT instruction */
+     X86EMUL_FPU_mmx, /* MMX instruction set (%mm0-%mm7) */
+     X86EMUL_FPU_xmm, /* SSE instruction set (%xmm0-%xmm7/15) */
+     X86EMUL_FPU_ymm  /* AVX/XOP instruction set (%ymm0-%ymm7/15) */
author	Natanael Copa <ncopa@alpinelinux.org>	2016-10-21 14:24:07 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2016-10-21 14:24:07 +0200
commit	7a1fa50fc838cd70f0faff3af1d1c258a13001ec (patch)
tree	ca010ba1a43f18a889807a34d965447c45ee6364
parent	b282e4fbccb2759d3d0306e35fae749419713410 (diff)
download	alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.tar.bz2 alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.tar.xz alpine_aports-7a1fa50fc838cd70f0faff3af1d1c258a13001ec.zip

diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD index ad36b07a6c..2131d1dcd0 100644 --- a/main/xen/APKBUILD +++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
3	# Maintainer: William Pitcock <nenolod@dereferenced.org>	3	# Maintainer: William Pitcock <nenolod@dereferenced.org>
4	pkgname=xen	4	pkgname=xen
5	pkgver=4.6.3	5	pkgver=4.6.3
6	pkgrel=3	6	pkgrel=4
7	pkgdesc="Xen hypervisor"	7	pkgdesc="Xen hypervisor"
8	url="http://www.xen.org/"	8	url="http://www.xen.org/"
9	arch="x86_64"	9	arch="x86_64"
@@ -26,6 +26,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
26	# - CVE-2016-7092 XSA-185	26	# - CVE-2016-7092 XSA-185
27	# - CVE-2016-7093 XSA-186	27	# - CVE-2016-7093 XSA-186
28	# - CVE-2016-7094 XSA-187	28	# - CVE-2016-7094 XSA-187
		29	# 4.6.3-r3:
		30	# - CVE-2016-7777 XSA-190
29		31
30	# grep _VERSION= stubdom/configure	32	# grep _VERSION= stubdom/configure
31	_ZLIB_VERSION="1.2.3"	33	_ZLIB_VERSION="1.2.3"
@@ -61,6 +63,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
61	xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch	63	xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
62	xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch	64	xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
63	xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch	65	xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
		66	xsa190-4.6.patch
64		67
65	xenstore_client_transaction_fix.patch	68	xenstore_client_transaction_fix.patch
66	qemu-coroutine-gthread.patch	69	qemu-coroutine-gthread.patch
@@ -266,6 +269,7 @@ cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
266	3d812cf9ccc8443874b36e061392d388 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch	269	3d812cf9ccc8443874b36e061392d388 xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
267	c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch	270	c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
268	a98c0fa2579965d72272f381f193195d xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch	271	a98c0fa2579965d72272f381f193195d xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
		272	2c6f0d0ec618a832cc4f5316624fac5e xsa190-4.6.patch
269	b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch	273	b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch
270	de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch	274	de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
271	08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch	275	08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
@@ -307,6 +311,7 @@ f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x8
307	7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch	311	7482a823c3443e26dee1111c4904162845eaa9f826aa7bf8348007406d91bddd xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
308	be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch	312	be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
309	b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch	313	b96731379ea77d49ffff31d969f4742dde985ef7a86af9422dcac8327c2a1916 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
		314	dbfc4b36132c841959847dfbb85a188ee6489ad3b8d7ecec43c55a303a43df21 xsa190-4.6.patch
310	c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch	315	c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch
311	3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch	316	3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
312	e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch	317	e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
@@ -348,6 +353,7 @@ bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d029
348	6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch	353	6583c843855d300b3d40321d909b64ab0df6b03da62b3400cb7e58a9249077112e5951e14449880cfc8d593dabd9afcffc15ff77555f745b478f7af939b3219e xsa186-4.6-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
349	d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch	354	d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
350	63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch	355	63f30d4a6842fc516d33334b25806e10a89228fec32315df27c9c271303d02619be4a88e638e41920ad808215280c3fce697574d05c5fb3f184844069383a201 xsa187-4.6-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
		356	ba155f6ee81718ecaa2289998c8204e2f6ba9a6d70b042a3eaa9373d8dcd030091feca829b51914f0071d6672fad5a3f9c253da579780aa429b51c24c0bf228c xsa190-4.6.patch
351	69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch	357	69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
352	c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch	358	c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
353	1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch	359	1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch


diff --git a/main/xen/xsa190-4.6.patch b/main/xen/xsa190-4.6.patch new file mode 100644 index 0000000000..b950ae9506 --- /dev/null +++ b/main/xen/xsa190-4.6.patch
@@ -0,0 +1,163 @@
		1	x86emul: honor guest CR0.TS and CR0.EM
		2
		3	We must not emulate any instructions accessing respective registers
		4	when either of these flags is set in the guest view of the register, or
		5	else we may do so on data not belonging to the guest's current task.
		6
		7	Being architecturally required behavior, the logic gets placed in the
		8	instruction emulator instead of hvmemul_get_fpu(). It should be noted,
		9	though, that hvmemul_get_fpu() being the only current handler for the
		10	get_fpu() callback, we don't have an active problem with CR4: Both
		11	CR4.OSFXSR and CR4.OSXSAVE get handled as necessary by that function.
		12
		13	This is XSA-190.
		14
		15	Signed-off-by: Jan Beulich <jbeulich@suse.com>
		16	Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
		17
		18	--- a/tools/tests/x86_emulator/test_x86_emulator.c
		19	+++ b/tools/tests/x86_emulator/test_x86_emulator.c
		20	@@ -129,6 +129,22 @@ static inline uint64_t xgetbv(uint32_t x
		21	(ebx & (1U << 5)) != 0; \
		22	})
		23
		24	+static int read_cr(
		25	+ unsigned int reg,
		26	+ unsigned long *val,
		27	+ struct x86_emulate_ctxt *ctxt)
		28	+{
		29	+ /* Fake just enough state for the emulator's _get_fpu() to be happy. */
		30	+ switch ( reg )
		31	+ {
		32	+ case 0:
		33	+ val = 0x00000001; / PE */
		34	+ return X86EMUL_OKAY;
		35	+ }
		36	+
		37	+ return X86EMUL_UNHANDLEABLE;
		38	+}
		39	+
		40	int get_fpu(
		41	void (exception_callback)(void , struct cpu_user_regs *),
		42	void *exception_callback_arg,
		43	@@ -160,6 +176,7 @@ static struct x86_emulate_ops emulops =
		44	.write = write,
		45	.cmpxchg = cmpxchg,
		46	.cpuid = cpuid,
		47	+ .read_cr = read_cr,
		48	.get_fpu = get_fpu,
		49	};
		50
		51	--- a/xen/arch/x86/hvm/emulate.c
		52	+++ b/xen/arch/x86/hvm/emulate.c
		53	@@ -1557,6 +1557,7 @@ static int hvmemul_get_fpu(
		54	switch ( type )
		55	{
		56	case X86EMUL_FPU_fpu:
		57	+ case X86EMUL_FPU_wait:
		58	break;
		59	case X86EMUL_FPU_mmx:
		60	if ( !cpu_has_mmx )
		61	@@ -1564,7 +1565,6 @@ static int hvmemul_get_fpu(
		62	break;
		63	case X86EMUL_FPU_xmm:
		64	if ( !cpu_has_xmm \|\|
		65	- (curr->arch.hvm_vcpu.guest_cr[0] & X86_CR0_EM) \|\|
		66	!(curr->arch.hvm_vcpu.guest_cr[4] & X86_CR4_OSFXSR) )
		67	return X86EMUL_UNHANDLEABLE;
		68	break;
		69	--- a/xen/arch/x86/x86_emulate/x86_emulate.c
		70	+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
		71	@@ -366,6 +366,9 @@ typedef union {
		72
		73	/* Control register flags. */
		74	#define CR0_PE (1<<0)
		75	+#define CR0_MP (1<<1)
		76	+#define CR0_EM (1<<2)
		77	+#define CR0_TS (1<<3)
		78	#define CR4_TSD (1<<2)
		79
		80	/* EFLAGS bit definitions. */
		81	@@ -393,6 +396,7 @@ typedef union {
		82	#define EXC_OF 4
		83	#define EXC_BR 5
		84	#define EXC_UD 6
		85	+#define EXC_NM 7
		86	#define EXC_TS 10
		87	#define EXC_NP 11
		88	#define EXC_SS 12
		89	@@ -674,10 +678,45 @@ static void fpu_handle_exception(void *_
		90	regs->eip += fic->insn_bytes;
		91	}
		92
		93	+static int _get_fpu(
		94	+ enum x86_emulate_fpu_type type,
		95	+ struct fpu_insn_ctxt *fic,
		96	+ struct x86_emulate_ctxt *ctxt,
		97	+ const struct x86_emulate_ops *ops)
		98	+{
		99	+ int rc;
		100	+
		101	+ fic->exn_raised = 0;
		102	+
		103	+ fail_if(!ops->get_fpu);
		104	+ rc = ops->get_fpu(fpu_handle_exception, fic, type, ctxt);
		105	+
		106	+ if ( rc == X86EMUL_OKAY )
		107	+ {
		108	+ unsigned long cr0;
		109	+
		110	+ fail_if(!ops->read_cr);
		111	+ rc = ops->read_cr(0, &cr0, ctxt);
		112	+ if ( rc != X86EMUL_OKAY )
		113	+ return rc;
		114	+ if ( cr0 & CR0_EM )
		115	+ {
		116	+ generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM, -1);
		117	+ generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD, -1);
		118	+ generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD, -1);
		119	+ }
		120	+ generate_exception_if((cr0 & CR0_TS) &&
		121	+ (type != X86EMUL_FPU_wait \|\| (cr0 & CR0_MP)),
		122	+ EXC_NM, -1);
		123	+ }
		124	+
		125	+ done:
		126	+ return rc;
		127	+}
		128	+
		129	#define get_fpu(_type, _fic) \
		130	-do{ (_fic)->exn_raised = 0; \
		131	- fail_if(ops->get_fpu == NULL); \
		132	- rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
		133	+do { \
		134	+ rc = _get_fpu(_type, _fic, ctxt, ops); \
		135	if ( rc ) goto done; \
		136	} while (0)
		137	#define _put_fpu() \
		138	@@ -2508,8 +2547,14 @@ x86_emulate(
		139	}
		140
		141	case 0x9b: /* wait/fwait */
		142	- emulate_fpu_insn("fwait");
		143	+ {
		144	+ struct fpu_insn_ctxt fic = { .insn_bytes = 1 };
		145	+
		146	+ get_fpu(X86EMUL_FPU_wait, &fic);
		147	+ asm volatile ( "fwait" ::: "memory" );
		148	+ put_fpu(&fic);
		149	break;
		150	+ }
		151
		152	case 0x9c: /* pushf */
		153	src.val = _regs.eflags;
		154	--- a/xen/arch/x86/x86_emulate/x86_emulate.h
		155	+++ b/xen/arch/x86/x86_emulate/x86_emulate.h
		156	@@ -115,6 +115,7 @@ struct __packed segment_register {
		157	/* FPU sub-types which may be requested via ->get_fpu(). */
		158	enum x86_emulate_fpu_type {
		159	X86EMUL_FPU_fpu, /* Standard FPU coprocessor instruction set */
		160	+ X86EMUL_FPU_wait, /* WAIT/FWAIT instruction */
		161	X86EMUL_FPU_mmx, /* MMX instruction set (%mm0-%mm7) */
		162	X86EMUL_FPU_xmm, /* SSE instruction set (%xmm0-%xmm7/15) */
		163	X86EMUL_FPU_ymm /* AVX/XOP instruction set (%ymm0-%ymm7/15) */