Apply XSA-213, XSA-214 and XSA-215. MFH: 2017Q2 Approved by: bapt Sponsored by: Citrix Systems R&D
From: Jan Beulich <jbeulich@suse.com>
|
|
Subject: x86: correct create_bounce_frame
|
|
|
|
We may push up to 96 bytes on the guest (kernel) stack, so we should
|
|
also cover as much in the early range check. Note that this is the
|
|
simplest possible patch, which has the theoretical potential of
|
|
breaking a guest: We only really push 96 bytes when invoking the
|
|
failsafe callback, ordinary exceptions only have 56 or 64 bytes pushed
|
|
(without / with error code respectively). There is, however, no PV OS
|
|
known to place a kernel stack there.
|
|
|
|
This is XSA-215.
|
|
|
|
Reported-by: Jann Horn <jannh@google.com>
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
|
--- a/xen/arch/x86/x86_64/entry.S
|
|
+++ b/xen/arch/x86/x86_64/entry.S
|
|
@@ -347,7 +347,7 @@ int80_slow_path:
|
|
jmp handle_exception_saved
|
|
|
|
/* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */
|
|
-/* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
|
|
+/* { RCX, R11, [DS-GS,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
|
|
/* %rdx: trap_bounce, %rbx: struct vcpu */
|
|
/* On return only %rbx and %rdx are guaranteed non-clobbered. */
|
|
create_bounce_frame:
|
|
@@ -367,7 +367,7 @@ create_bounce_frame:
|
|
2: andq $~0xf,%rsi # Stack frames are 16-byte aligned.
|
|
movq $HYPERVISOR_VIRT_START,%rax
|
|
cmpq %rax,%rsi
|
|
- movq $HYPERVISOR_VIRT_END+60,%rax
|
|
+ movq $HYPERVISOR_VIRT_END+12*8,%rax
|
|
sbb %ecx,%ecx # In +ve address space? Then okay.
|
|
cmpq %rax,%rsi
|
|
adc %ecx,%ecx # Above Xen private area? Then okay.
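Review bot: The new bound `movq $HYPERVISOR_VIRT_END+12*8,%rax` in the second hunk is a second hand-written copy of the maximum bounce-frame size, with nothing tying it to the code that actually pushes the frame, which is exactly how the old `+60` drifted away from the real 96 bytes this patch corrects. I would name the size once next to the frame-layout comment (a `#define` or `.equ`, say `BOUNCE_FRAME_MAX_BYTES (12*8)` with a comment that it is the failsafe-callback case, the largest frame per the description) and use that symbol here, so that any future change to what is pushed has an obvious place to update. It would also help to state at the check that it is deliberately conservative: the description says ordinary exceptions push only 56 or 64 bytes, so a guest kernel stack in [HYPERVISOR_VIRT_END+64, HYPERVISOR_VIRT_END+96) is now rejected even when the smaller frame would have fit, e.g. `# Reject the largest (failsafe) frame size for all cases.` The branch that consumes %ecx after the `adc` lies outside the hunk, as does the rest of create_bounce_frame.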
|