# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID b9af81884b99def770685dc4a872ba6fee902b31
# Parent 130eee9e972876bba82c73a19e56d314859d8b77
[XEN] Fix x86/64 bug where a guest application can crash the
guest OS by setting AC flag in RFLAGS. This wasn't being
cleared on entry to the guest kernel, causing unwanted faults
because the kernel runs in ring 3 on Xen.
Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
---
xen/arch/x86/domain.c | 3 ++-
xen/arch/x86/x86_32/entry.S | 3 ++-
xen/arch/x86/x86_64/entry.S | 4 +++-
3 files changed, 7 insertions(+), 3 deletions(-)
diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/domain.c
--- a/xen/arch/x86/domain.c Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/domain.c Thu Aug 17 12:08:26 2006 +0100
@@ -556,7 +556,8 @@ static void load_segments(struct vcpu *n
n->vcpu_info->evtchn_upcall_mask = 1;
regs->entry_vector = TRAP_syscall;
- regs->rflags &= 0xFFFCBEFFUL;
+ regs->rflags &= ~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|
+ X86_EFLAGS_NT|X86_EFLAGS_TF);
regs->ss = __GUEST_SS;
regs->rsp = (unsigned long)(rsp-11);
regs->cs = __GUEST_CS;
diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/x86_32/entry.S
--- a/xen/arch/x86/x86_32/entry.S Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/x86_32/entry.S Thu Aug 17 12:08:26 2006 +0100
@@ -356,7 +356,8 @@ 2: testl $X86_EFLAGS_VM,UREGS_eflag
movl %eax,UREGS_gs+4(%esp)
nvm86_3:/* Rewrite our stack frame and return to ring 1. */
/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
- andl $0xfffcbeff,UREGS_eflags+4(%esp)
+ andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
+ X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+4(%esp)
mov %gs,UREGS_ss+4(%esp)
movl %esi,UREGS_esp+4(%esp)
movzwl TRAPBOUNCE_cs(%edx),%eax
diff -r 130eee9e9728 -r b9af81884b99 xen/arch/x86/x86_64/entry.S
--- a/xen/arch/x86/x86_64/entry.S Thu Aug 17 12:01:44 2006 +0100
+++ b/xen/arch/x86/x86_64/entry.S Thu Aug 17 12:08:26 2006 +0100
@@ -294,8 +294,10 @@ FLT13: movq %rax,(%rsi)
FLT13: movq %rax,(%rsi) # RCX
/* Rewrite our stack frame and return to guest-OS mode. */
/* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
+ /* Also clear AC: alignment checks shouldn't trigger in kernel mode. */
movl $TRAP_syscall,UREGS_entry_vector+8(%rsp)
- andl $0xfffcbeff,UREGS_eflags+8(%rsp)
+ andl $~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|\
+ X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+8(%rsp)
movq $__GUEST_SS,UREGS_ss+8(%rsp)
movq %rsi,UREGS_rsp+8(%rsp)
movq $__GUEST_CS,UREGS_cs+8(%rsp)
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|