[Xen-changelog] [xen stable-4.6] x86: fix information leak on AMD CPUs
commit 5df279da341491dbe9966eb8716c015b71d16a8d Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Mar 29 15:15:58 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Mar 29 15:15:58 2016 +0200 x86: fix information leak on AMD CPUs The fix for XSA-52 was wrong, and so was the change synchronizing that new behavior to the FXRSTOR logic: AMD's manuals explicitly state that writes to the ES bit are ignored, and it instead gets calculated from the exception and mask bits (it gets set whenever there is an unmasked exception, and cleared otherwise). Hence we need to follow that model in our workaround. This is CVE-2016-3158 / CVE-2016-3159 / XSA-172. [xen/arch/x86/xstate.c:xrstor: CVE-2016-3158] [xen/arch/x86/i387.c:fpu_fxrstor: CVE-2016-3159] Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> master commit: 7bd9dc3adfbb014c55f0928ebb3b20950ca9c019 master date: 2016-03-29 14:24:26 +0200 --- xen/arch/x86/i387.c | 2 +- xen/arch/x86/xstate.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c index e2d614e..5584535 100644 --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vcpu *v) * sometimes new user value. Both should be ok. Use the FPU saved * data block as a safe address because it should be in L1. */ - if ( !(fpu_ctxt->fsw & 0x0080) && + if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) { asm volatile ( "fnclex\n\t" diff --git a/xen/arch/x86/xstate.c b/xen/arch/x86/xstate.c index 59644c6..4962f80 100644 --- a/xen/arch/x86/xstate.c +++ b/xen/arch/x86/xstate.c 
@@ -163,7 +163,7 @@ void xrstor(struct vcpu *v, uint64_t mask) * data block as a safe address because it should be in L1. */ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) && - !(ptr->fpu_sse.fsw & 0x0080) && + !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.6 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
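Review bot: in the i387.c hunk, the new condition in fpu_fxrstor(), `!(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f)`, uses a bare 0x003f for the exception and mask bits, and the comment kept above it does not say why the 0x0080 (ES) bit is no longer tested directly. A one-line comment stating that the test means "no unmasked exception pending", which per the commit message is how AMD calculates ES, or a named constant for the mask, would keep a later reader from simplifying it back to the 0x0080 check.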
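Review bot: in the xstate.c hunk, the condition in xrstor(), `!(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f)`, is a second hand-written copy of the test in fpu_fxrstor(), and the commit message notes that these two paths already had to be synchronized once. Consider a small shared inline helper that takes fsw and fcw so both workarounds change together; the XSTATE_FP and X86_VENDOR_AMD checks can stay at the call sites.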