WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] More do_iret() fixes. We need to take care in restoring

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] More do_iret() fixes. We need to take care in restoring
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Jan 2006 21:36:14 +0000
Delivery-date: Wed, 11 Jan 2006 21:43:59 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 1e1107e3d894f0d5b844639bfc5edc145b81df6b
# Parent  1c186b28289bc03060e971e863719cbda62ab481
More do_iret() fixes. We need to take care in restoring
EFLAGS that we do not pull in non-zero IOPL, then crash
the domain, and then bug out when dom0 gets vcpu context.
This could otherwise be triggered by a malicious guest.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>

diff -r 1c186b28289b -r 1e1107e3d894 xen/arch/x86/x86_32/traps.c
--- a/xen/arch/x86/x86_32/traps.c       Wed Jan 11 19:03:53 2006
+++ b/xen/arch/x86/x86_32/traps.c       Wed Jan 11 19:14:27 2006
@@ -160,7 +160,7 @@
 static inline void pop_from_guest_stack(
     void *dst, struct cpu_user_regs *regs, unsigned int bytes)
 {
-    if ( unlikely(copy_from_user(dst, (void __user *)regs->esp, bytes)) )
+    if ( unlikely(__copy_from_user(dst, (void __user *)regs->esp, bytes)) )
         domain_crash_synchronous();
     regs->esp += bytes;
 }
@@ -168,19 +168,31 @@
 asmlinkage unsigned long do_iret(void)
 {
     struct cpu_user_regs *regs = guest_cpu_user_regs();
+    u32 eflags;
+
+    /* Check worst-case stack frame for overlap with Xen protected area. */
+    if ( unlikely(!access_ok(regs->esp, 40)) )
+        domain_crash_synchronous();
 
     /* Pop and restore EAX (clobbered by hypercall). */
     pop_from_guest_stack(&regs->eax, regs, 4);
 
-    /* Pop and restore EFLAGS, CS and EIP. */
-    pop_from_guest_stack(&regs->eip, regs, 12);
+    /* Pop and restore CS and EIP. */
+    pop_from_guest_stack(&regs->eip, regs, 8);
+
+    /*
+     * Pop, fix up and restore EFLAGS. We fix up in a local staging area
+     * to avoid firing the BUG_ON(IOPL) check in arch_getdomaininfo_ctxt.
+     */
+    pop_from_guest_stack(&eflags, regs, 4);
+    regs->eflags = (eflags & ~X86_EFLAGS_IOPL) | X86_EFLAGS_IF;
 
     if ( VM86_MODE(regs) )
     {
         /* Return to VM86 mode: pop and restore ESP,SS,ES,DS,FS and GS. */
         pop_from_guest_stack(&regs->esp, regs, 24);
     }
-    else if ( RING_0(regs) )
+    else if ( unlikely(RING_0(regs)) )
     {
         domain_crash_synchronous();
     }
@@ -189,10 +201,6 @@
         /* Return to ring 2/3: pop and restore ESP and SS. */
         pop_from_guest_stack(&regs->esp, regs, 8);
     }
-
-    /* Fixup EFLAGS. */
-    regs->eflags &= ~X86_EFLAGS_IOPL;
-    regs->eflags |= X86_EFLAGS_IF;
 
     /* No longer in NMI context. */
     clear_bit(_VCPUF_nmi_masked, &current->vcpu_flags);

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] More do_iret() fixes. We need to take care in restoring, Xen patchbot -unstable <=