author | Mario Preksavec <mario@slackware.hr> | 2017-10-20 20:56:55 +0200 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2017-10-21 07:08:14 +0700 |
commit | 139c45ee8aed136d55ae25517e67cd103978c9c3 (patch) | |
tree | 0c1f8b0bb7353039941d468a024722add35b2d17 /system/xen/xsa/xsa244.patch | |
parent | d7ebd09fcd7f59ba2cb12f45eecff627aec49860 (diff) |
system/xen: XSA 237-245 update.
Signed-off-by: Mario Preksavec <mario@slackware.hr>
Diffstat (limited to 'system/xen/xsa/xsa244.patch')
-rw-r--r-- | system/xen/xsa/xsa244.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa244.patch b/system/xen/xsa/xsa244.patch
new file mode 100644
index 0000000000..c35a80be32
--- /dev/null
+++ b/system/xen/xsa/xsa244.patch
@@ -0,0 +1,59 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: [PATCH] x86/cpu: Fix IST handling during PCPU bringup
+
+Clear IST references in newly allocated IDTs. Nothing good will come of
+having them set before the TSS is suitably constructed (although the chances
+of the CPU surviving such an IST interrupt/exception is extremely slim).
+
+Uniformly set the IST references after the TSS is in place. This fixes an
+issue on AMD hardware, where onlining a PCPU while PCPU0 is in HVM context
+will cause IST_NONE to be copied into the new IDT, making that PCPU vulnerable
+to privilege escalation from PV guests until it subsequently schedules an HVM
+guest.
+
+This is XSA-244
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+---
+ xen/arch/x86/cpu/common.c | 5 +++++
+ xen/arch/x86/smpboot.c | 3 +++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
+index 78f5667..6cf3628 100644
+--- a/xen/arch/x86/cpu/common.c
++++ b/xen/arch/x86/cpu/common.c
+@@ -640,6 +640,7 @@ void __init early_cpu_init(void)
+ * - Sets up TSS with stack pointers, including ISTs
+ * - Inserts TSS selector into regular and compat GDTs
+ * - Loads GDT, IDT, TR then null LDT
++ * - Sets up IST references in the IDT
+ */
+ void load_system_tables(void)
+ {
+@@ -702,6 +703,10 @@ void load_system_tables(void)
+ asm volatile ("ltr %w0" : : "rm" (TSS_ENTRY << 3) );
+ asm volatile ("lldt %w0" : : "rm" (0) );
+ 
++ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF);
++ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI);
++ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
++
+ /*
+ * Bottom-of-stack must be 16-byte aligned!
+ *
+diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
+index 3ca716c..1609b62 100644
+--- a/xen/arch/x86/smpboot.c
++++ b/xen/arch/x86/smpboot.c
+@@ -724,6 +724,9 @@ static int cpu_smpboot_alloc(unsigned int cpu)
+ if ( idt_tables[cpu] == NULL )
+ goto oom;
+ memcpy(idt_tables[cpu], idt_table, IDT_ENTRIES * sizeof(idt_entry_t));
++ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE);
++ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
++ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
+ 
+ for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1);
+ i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) |