Commit d9a72688 authored by Henrik Riomar, committed by Leonardo Arena

main/xen: add fix for XSA-375

This is CVE-2021-0089
parent 221fb962
......@@ -217,6 +217,7 @@ options="!strip"
# 4.13.3-r1:
# - CVE-2021-28693 XSA-372
# - CVE-2021-28692 XSA-373
# - CVE-2021-0089 XSA-375
case "$CARCH" in
x86*)
......@@ -286,6 +287,8 @@ source="https://downloads.xenproject.org/release/$pkgname/$pkgver/$pkgname-$pkgv
xsa373-4.13-4.patch
xsa373-4.13-5.patch
xsa375-4.13.patch
hotplug-Linux-iscsi-block-handle-lun-1.patch
xenstored.initd
......@@ -548,6 +551,7 @@ e76816c6ad0e91dc5f81947f266da3429b20e6d976c3e8c41202c6179532eec878a3f0913921ef3a
bb04c86c57058b674237d6d81b8a5a600e39e6c2144ae72b7312ee7e72d4305c5fa4b8d5194a0aecd5631e66fcd2165208a821a1fb7034c0c413ae1b1a5525d4 xsa373-4.13-3.patch
1c93e62bfeb8ed0d5fe6db10baebc00cf54f7a6e2255f53e2770220db86c69fe46dd2fac17502d9da2109a60c93d8703b9bb618977cfe0e9919659f133f87c8d xsa373-4.13-4.patch
8fb77d16b60efa4307c0008c8773a9d5341f1b0577c6de46fe6e5630a7243c7b2eb55089a1ce778e4ed03ebf29fad69042746121b50cb953016e95a60549a728 xsa373-4.13-5.patch
9e354ab79cc182ca71c1d60be18b207c0254f35cf89f5020791d98a081bafc0a84ae7320ceb9c6215ccc4846e2daa258f72f577268bda84f5c7153e0bc03cabb xsa375-4.13.patch
8c9cfc6afca325df1d8026e21ed03fa8cd2c7e1a21a56cc1968301c5ab634bfe849951899e75d328951d7a41273d1e49a2448edbadec0029ed410c43c0549812 hotplug-Linux-iscsi-block-handle-lun-1.patch
52c43beb2596d645934d0f909f2d21f7587b6898ed5e5e7046799a8ed6d58f7a09c5809e1634fa26152f3fd4f3e7cfa07da7076f01b4a20cc8f5df8b9cb77e50 xenstored.initd
093f7fbd43faf0a16a226486a0776bade5dc1681d281c5946a3191c32d74f9699c6bf5d0ab8de9d1195a2461165d1660788e92a3156c9b3c7054d7b2d52d7ff0 xenstored.confd
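Review bot: The new XSA-375 entry is appended under the existing `# 4.13.3-r1:` secfixes heading, and none of the three hunks shown bumps pkgrel; if 4.13.3-r1 has already been published with only the XSA-372/373 fixes, this patch needs its own release (`pkgrel` incremented and a `# 4.13.3-r2:` heading) so that systems already on r1 actually receive the rebuilt package. The pkgrel line is outside these hunks, so this may be handled elsewhere in the commit. The source and sha512sums entries for xsa375-4.13.patch are otherwise consistent with the neighbouring xsa373 entries.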
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/spec-ctrl: Protect against Speculative Code Store Bypass
Modern x86 processors have far-better-than-architecturally-guaranteed self
modifying code detection. Typically, when a write hits an instruction in
flight, a Machine Clear occurs to flush stale content in the frontend and
backend.
For self modifying code, before a write which hits an instruction in flight
retires, the frontend can speculatively decode and execute the old instruction
stream. Speculation of this form can suffer from type confusion in registers,
and potentially leak data.
Furthermore, updates are typically byte-wise, rather than atomic. Depending
on timing, speculation can race ahead multiple times between individual
writes, and execute the transiently-malformed instruction stream.
Xen has stubs which are used in certain cases for emulation purposes. Inhibit
speculation between updating the stub and executing it.
This is XSA-375 / CVE-2021-0089.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 6dc4f92a84..59c15ca0e7 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -97,6 +97,8 @@ static io_emul_stub_t *io_emul_stub_setup(struct priv_op_ctxt *ctxt, u8 opcode,
BUILD_BUG_ON(STUB_BUF_SIZE / 2 < MAX(9, /* Default emul stub */
5 + IOEMUL_QUIRK_STUB_BYTES));
+ block_speculation(); /* SCSB */
+
/* Handy function-typed pointer to the stub. */
return (void *)stub_va;
}
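Review bot: The `/* SCSB */` annotation on the new block_speculation() call says nothing about what the barrier orders, which a reader without the XSA context cannot reconstruct from the surrounding lines; a slightly longer comment would make the intent self-contained, e.g. `block_speculation(); /* SCSB: the stub bytes assembled above must retire before the returned stub can be executed (XSA-375). */`. Placing the barrier here, right before `return (void *)stub_va;`, presumably covers every caller of io_emul_stub_setup() with a single fence rather than one per call site, and that rationale is worth stating too. The stub assembly itself happens earlier in io_emul_stub_setup(), outside this hunk, so the claim that no stub write follows the barrier cannot be checked from here.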
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index bba6dd0187..cd123492a6 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -1172,6 +1172,7 @@ static inline int mkec(uint8_t e, int32_t ec, ...)
# define invoke_stub(pre, post, constraints...) do { \
stub_exn.info = (union stub_exception_token) { .raw = ~0 }; \
stub_exn.line = __LINE__; /* Utility outweighs livepatching cost */ \
+ block_speculation(); /* SCSB */ \
asm volatile ( pre "\n\tINDIRECT_CALL %[stub]\n\t" post "\n" \
".Lret%=:\n\t" \
".pushsection .fixup,\"ax\"\n" \
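Review bot: The barrier is inserted inside invoke_stub() before every INDIRECT_CALL, so each stub invocation now pays a serialization cost even when the stub bytes have not changed since the previous call; that is presumably the deliberate conservative choice, but the terse `/* SCSB */` does not say so, unlike the adjacent `/* Utility outweighs livepatching cost */` which does explain its trade-off. Suggest `block_speculation(); /* SCSB: stub may have just been rewritten; fence before executing it (XSA-375) */`. If x86_emulate.c is also compiled into the userspace emulator test harness, block_speculation() must resolve there as well, and the patch does not touch the harness, so that build is worth confirming. The invoke_stub() macro continues past the end of this hunk.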