author | Jan Beulich <JBeulich@suse.com> | 2012-06-12 11:38:30 +0100 |
---|---|---|
committer | Jan Beulich <JBeulich@suse.com> | 2012-06-12 11:38:30 +0100 |
commit | a5edee59689d6b4a0ca2ece6eb242ed7fd33bbe8 (patch) | |
tree | 1d61c2ca7362d039c02094846ef0d1f2ca95faeb | |
parent | 2581d1fb42995d973f9fcebf96dafbd05d6d13f7 (diff) | |
x86_64: Do not execute sysret with a non-canonical return address
Check for non-canonical guest RIP before attempting to execute sysret.
If sysret is executed with a non-canonical value in RCX, Intel CPUs
take the fault in ring0, but we will necessarily already have switched
to the user's stack pointer.
This is a security vulnerability, XSA-7 / CVE-2012-0217.
Signed-off-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Keir Fraser <keir.xen@gmail.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 25480:76eaf5966c05
xen-unstable date: Tue Jun 12 11:33:40 2012 +0100
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/arch/x86/x86_64/entry.S | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 61938f8f49..c8db00cb38 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
@@ -40,6 +40,13 @@ restore_all_guest:
 testw $TRAP_syscall,4(%rsp)
 jz iret_exit_to_guest
+ /* Don't use SYSRET path if the return address is not canonical. */
+ movq 8(%rsp),%rcx
+ sarq $47,%rcx
+ incl %ecx
+ cmpl $1,%ecx
+ ja .Lforce_iret
+
 addq $8,%rsp
 popq %rcx # RIP
 popq %r11 # CS
@@ -50,6 +57,10 @@ restore_all_guest:
 sysretq
 1: sysretl
+.Lforce_iret:
+ /* Mimic SYSRET behavior. */
+ movq 8(%rsp),%rcx # RIP
+ movq 24(%rsp),%r11 # RFLAGS
 ALIGN
 /* No special register assumptions. */
 iret_exit_to_guest: |
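Review bot: The canonical-address guard in the first hunk bakes the 48-bit linear-address width into the bare shift count `sarq $47,%rcx` and leaves the reader to work out that `incl %ecx` / `cmpl $1,%ecx` / `ja .Lforce_iret` accepts exactly the two results 0 and -1; a comment stating that, and a named constant for the address width in place of 47, would make the guard reviewable and keep it obviously correct should the supported linear-address width ever change (a wider canonical range would only make this check fail closed onto the IRET path, but silently). I would put above it `/* RIP is canonical iff bits 63:47 are all equal: after the sar RCX is 0 or -1, incl turns that into 1 or 0, and any value above 1 (unsigned) is non-canonical. */`. The `/* Mimic SYSRET behavior. */` note on `.Lforce_iret` should also say what is being mimicked and why the offsets are what they are, e.g. `/* SYSRET would have loaded RCX from RIP and R11 from RFLAGS; do the same and deliver via IRET with the frame below left intact. Offsets are taken before the addq $8,%rsp of the SYSRET path. */`, since `8(%rsp)` and `24(%rsp)` are otherwise unexplained and differ from the popq sequence's view of the frame. The remainder of restore_all_guest, including the RESTORE_ALL that establishes this frame layout, lies outside the hunk.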