1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
From 77f2bec134049aba29b9b459f955022722d10847 Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@citrix.com>
Date: Fri, 23 Jun 2023 11:32:00 +0100
Subject: [PATCH 41/67] x86/vmx: Perform VERW flushing later in the VMExit path
Broken out of the following patch because this change is subtle enough on its
own. See it for the rational of why we're moving VERW.
As for how, extend the trick already used to hold one condition in
flags (RESUME vs LAUNCH) through the POPing of GPRs.
Move the MOV CR earlier. Intel specify flags to be undefined across it.
Encode the two conditions we want using SF and PF. See the code comment for
exactly how.
Leave a comment to explain the lack of any content around
SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we
delete it, we'll need to reintroduce it.
This is part of XSA-452 / CVE-2023-28746.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
(cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f)
---
xen/arch/x86/hvm/vmx/entry.S | 36 +++++++++++++++++++++---
xen/arch/x86/include/asm/asm_defns.h | 8 ++++++
xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++
xen/arch/x86/x86_64/asm-offsets.c | 1 +
4 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S
index 5f5de45a13..cdde76e138 100644
--- a/xen/arch/x86/hvm/vmx/entry.S
+++ b/xen/arch/x86/hvm/vmx/entry.S
@@ -87,17 +87,39 @@ UNLIKELY_END(realmode)
/* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */
/* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */
- DO_SPEC_CTRL_COND_VERW
+ /*
+ * All speculation safety work happens to be elsewhere. VERW is after
+ * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left
+ * to the MSR load list.
+ */
mov VCPU_hvm_guest_cr2(%rbx),%rax
+ mov %rax, %cr2
+
+ /*
+ * We need to perform two conditional actions (VERW, and Resume vs
+ * Launch) after popping GPRs. With some cunning, we can encode both
+ * of these in eflags together.
+ *
+ * Parity is only calculated over the bottom byte of the answer, while
+ * Sign is simply the top bit.
+ *
+ * Therefore, the final OR instruction ends up producing:
+ * SF = VCPU_vmx_launched
+ * PF = !SCF_verw
+ */
+ BUILD_BUG_ON(SCF_verw & ~0xff)
+ movzbl VCPU_vmx_launched(%rbx), %ecx
+ shl $31, %ecx
+ movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax
+ and $SCF_verw, %eax
+ or %eax, %ecx
pop %r15
pop %r14
pop %r13
pop %r12
pop %rbp
- mov %rax,%cr2
- cmpb $0,VCPU_vmx_launched(%rbx)
pop %rbx
pop %r11
pop %r10
@@ -108,7 +130,13 @@ UNLIKELY_END(realmode)
pop %rdx
pop %rsi
pop %rdi
- je .Lvmx_launch
+
+ jpe .L_skip_verw
+ /* VERW clobbers ZF, but preserves all others, including SF. */
+ verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp)
+.L_skip_verw:
+
+ jns .Lvmx_launch
/*.Lvmx_resume:*/
VMRESUME
diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h
index d9431180cf..abc6822b08 100644
--- a/xen/arch/x86/include/asm/asm_defns.h
+++ b/xen/arch/x86/include/asm/asm_defns.h
@@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp");
#ifdef __ASSEMBLY__
+.macro BUILD_BUG_ON condstr, cond:vararg
+ .if \cond
+ .error "Condition \"\condstr\" not satisfied"
+ .endif
+.endm
+/* preprocessor macro to make error message more user friendly */
+#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond
+
#ifdef HAVE_AS_QUOTED_SYM
#define SUBSECTION_LBL(tag) \
.ifndef .L.tag; \
diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
index f4b8b9d956..ca9cb0f5dd 100644
--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
+++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
@@ -164,6 +164,13 @@
#endif
.endm
+/*
+ * Helper to improve the readibility of stack dispacements with %rsp in
+ * unusual positions. Both @field and @top_of_stack should be constants from
+ * the same object. @top_of_stack should be where %rsp is currently pointing.
+ */
+#define STK_REL(field, top_of_stk) ((field) - (top_of_stk))
+
.macro DO_SPEC_CTRL_COND_VERW
/*
* Requires %rsp=cpuinfo
diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c
index 31fa63b77f..a4e94d6930 100644
--- a/xen/arch/x86/x86_64/asm-offsets.c
+++ b/xen/arch/x86/x86_64/asm-offsets.c
@@ -135,6 +135,7 @@ void __dummy__(void)
#endif
OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs);
+ OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code);
OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel);
OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu);
OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset);
--
2.44.0
|
GitWeb