[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.17] x86/emul: Fix extable registration in invoke_stub()

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Tue, 01 Jul 2025 13:55:12 +0000
Delivery-date: Tue, 01 Jul 2025 13:55:13 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit 90b79a5f7b8abe87b0a79898424697eab318d26d
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu May 15 19:01:33 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Jul 1 12:58:35 2025 +0100

    x86/emul: Fix extable registration in invoke_stub()
    
    For exception recovery in the stubs, the registered address for fixup is the
    return address of the CALL entering the stub.
    
    In invoke_stub(), the '.Lret%=:' label is the wrong side of the 'post'
    parameter.  The 'post' parameter is non-empty in cases where the arithmetic
    flags of the operation need recovering.
    
    Split the line to separate 'pre' and 'post', making it more obvious that the
    return address label was in the wrong position.
    
    However, in the case that an exception did occur, we want to skip 'post' as
    it's logically part of the operation which had already failed.  Therefore, 
add
    a new skip label and use that for the exception recovery path.
    
    This is XSA-470 / CVE-2025-27465
    
    Fixes: 79903e50dba9 ("x86emul: catch exceptions occurring in stubs")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit b9f83119750ffa0e2e925d74e6e5f38925094883)
---
 xen/arch/x86/x86_emulate/x86_emulate.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c 
b/xen/arch/x86/x86_emulate/x86_emulate.c
index b5eca13410..5a61ba6136 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1258,12 +1258,15 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
     stub_exn.info = (union stub_exception_token) { .raw = ~0 };         \
     stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
     block_speculation(); /* SCSB */                                     \
-    asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n"        \
+    asm volatile ( pre "\n\t"                                           \
+                   "INDIRECT_CALL %[stub]\n"                            \
                    ".Lret%=:\n\t"                                       \
+                   post "\n\t"                                          \
+                   ".Lskip%=:\n\t"                                      \
                    ".pushsection .fixup,\"ax\"\n"                       \
                    ".Lfix%=:\n\t"                                       \
                    "pop %[exn]\n\t"                                     \
-                   "jmp .Lret%=\n\t"                                    \
+                   "jmp .Lskip%=\n\t"                                   \
                    ".popsection\n\t"                                    \
                    _ASM_EXTABLE(.Lret%=, .Lfix%=)                       \
                    : [exn] "+g" (stub_exn.info) ASM_CALL_CONSTRAINT,    \
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17

Prev by Date: [xen stable-4.20] x86/emul: Fix extable registration in invoke_stub()
Next by Date: [xen stable-4.19] x86/emul: Fix extable registration in invoke_stub()
Previous by thread: [xen stable-4.20] x86/emul: Fix extable registration in invoke_stub()
Next by thread: [xen stable-4.19] x86/emul: Fix extable registration in invoke_stub()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.