SUSE:SLE-15-SP5:GA
xen.31135
xsa429.patch
File xsa429.patch of Package xen.31135
From: Andrew Cooper <andrew.cooper3@citrix.com> Subject: x86/spec-ctrl: Defer CR4_PV32_RESTORE on the cstar_enter path As stated (correctly) by the comment next to SPEC_CTRL_ENTRY_FROM_PV, between the two hunks visible in the patch, RET's are not safe prior to this point. CR4_PV32_RESTORE hides a CALL/RET pair in certain configurations (PV32 compiled in, SMEP or SMAP active), and the RET can be attacked with one of several known speculative issues. Furthermore, CR4_PV32_RESTORE also hides a reference to the cr4_pv32_mask global variable, which is not safe when XPTI is active before restoring Xen's full pagetables. This crash has gone unnoticed because it is only AMD CPUs which permit the SYSCALL instruction in compatibility mode, and these are not vulnerable to Meltdown so don't activate XPTI by default. This is XSA-429 / CVE-2022-42331 Fixes: 5e7962901131 ("x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point") Fixes: 5784de3e2067 ("x86: Meltdown band-aid against malicious 64-bit PV guests") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -198,7 +198,6 @@ ENTRY(cr4_pv32_restore) /* See lstar_enter for entry register state. */ ENTRY(cstar_enter) /* sti could live here when we don't switch page tables below. */ - CR4_PV32_RESTORE movq 8(%rsp),%rax /* Restore %rax. */ movq $FLAT_USER_SS32, 8(%rsp) /* Assume a 64bit domain. Compat handled lower. */ pushq %r11 @@ -222,6 +221,8 @@ ENTRY(cstar_enter) .Lcstar_cr3_okay: sti + CR4_PV32_RESTORE + movq STACK_CPUINFO_FIELD(current_vcpu)(%rbx), %rbx movq VCPU_domain(%rbx),%rcx cmpb $0,DOMAIN_is_32bit_pv(%rcx)
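Review bot: In the first hunk (@@ -198,7 +198,6 @@), the top of cstar_enter loses CR4_PV32_RESTORE but keeps only the comment about sti, so nothing in the file tells a later reader why the macro must not move back to this spot. The commit message explains that the macro hides a CALL/RET pair and a reference to cr4_pv32_mask, neither of which is safe this early. A short comment at the entry point saying so (no RETs and no references to globals before SPEC_CTRL_ENTRY_FROM_PV and before Xen's full pagetables are restored) would keep the constraint next to the code it protects.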
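Review bot: In the second hunk (@@ -222,6 +221,8 @@), CR4_PV32_RESTORE is placed after the sti at .Lcstar_cr3_okay, whereas the line removed in the first hunk ran before that sti. The commit message justifies deferring the macro past the point where RETs become safe and past the pagetable restore, but it says nothing about the macro now running with interrupts enabled. Either place the macro ahead of sti, or state in the commit message or in a comment at the new site that running it after sti is intended.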