71 lines
2.8 KiB
Text
71 lines
2.8 KiB
Text
$NetBSD: patch-XSA-204,v 1.1 2016/12/20 10:22:28 bouyer Exp $
|
|
|
|
From: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Date: Sun, 18 Dec 2016 15:42:59 +0000
|
|
Subject: [PATCH] x86/emul: Correct the handling of eflags with SYSCALL
|
|
|
|
A singlestep #DB is determined by the resulting eflags value from the
|
|
execution of SYSCALL, not the original eflags value.
|
|
|
|
By using the original eflags value, we negate the guest kernels attempt to
|
|
protect itself from a privilege escalation by masking TF.
|
|
|
|
Introduce a tf boolean and have the SYSCALL emulation recalculate it
|
|
after the instruction is complete.
|
|
|
|
This is XSA-204
|
|
|
|
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
Reviewed-by: Jan Beulich <jbeulich@suse.com>
|
|
---
|
|
xen/arch/x86/x86_emulate/x86_emulate.c | 23 ++++++++++++++++++++---
|
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
|
|
index 0c43fe1..f675dc9 100644
|
|
--- xen/arch/x86/x86_emulate/x86_emulate.c.orig 2016-12-19 23:22:20.000000000 +0100
|
|
+++ xen/arch/x86/x86_emulate/x86_emulate.c 2016-12-19 23:22:38.000000000 +0100
|
|
@@ -1348,6 +1348,7 @@
|
|
union vex vex = {};
|
|
unsigned int op_bytes, def_op_bytes, ad_bytes, def_ad_bytes;
|
|
bool_t lock_prefix = 0;
|
|
+ bool_t tf = !!(ctxt->regs->eflags & EFLG_TF);
|
|
int override_seg = -1, rc = X86EMUL_OKAY;
|
|
struct operand src, dst;
|
|
DECLARE_ALIGNED(mmval_t, mmval);
|
|
@@ -3679,9 +3680,8 @@
|
|
break;
|
|
}
|
|
|
|
- /* Inject #DB if single-step tracing was enabled at instruction start. */
|
|
- if ( (ctxt->regs->eflags & EFLG_TF) && (rc == X86EMUL_OKAY) &&
|
|
- (ops->inject_hw_exception != NULL) )
|
|
+ /* Should a singlestep #DB be raised? */
|
|
+ if ( tf && (rc == X86EMUL_OKAY) && (ops->inject_hw_exception != NULL) )
|
|
rc = ops->inject_hw_exception(EXC_DB, -1, ctxt) ? : X86EMUL_EXCEPTION;
|
|
|
|
/* Commit shadow register state. */
|
|
@@ -3866,6 +3866,23 @@
|
|
(rc = ops->write_segment(x86_seg_ss, &ss, ctxt)) )
|
|
goto done;
|
|
|
|
+ /*
|
|
+ * SYSCALL (unlike most instructions) evaluates its singlestep action
|
|
+ * based on the resulting EFLG_TF, not the starting EFLG_TF.
|
|
+ *
|
|
+ * As the #DB is raised after the CPL change and before the OS can
|
|
+ * switch stack, it is a large risk for privilege escalation.
|
|
+ *
|
|
+ * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
|
|
+ * vulnerability. Running the #DB handler on an IST stack is also a
|
|
+ * mitigation.
|
|
+ *
|
|
+ * 32bit kernels have no ability to mask EFLG_TF at all. Their only
|
|
+ * mitigation is to use a task gate for handling #DB (or to not use
|
|
+ * enable EFER.SCE to start with).
|
|
+ */
|
|
+ tf = !!(_regs.eflags & EFLG_TF);
|
|
+
|
|
break;
|
|
}
|
|
|