Commit b73666e1 authored by Juergen Gross's avatar Juergen Gross Committed by Heyuan Wang

x86/xen: don't do PV iret hypercall through hypercall page

stable inclusion
from stable-v6.6.67
commit 82c211ead1ec440dbf81727e17b03b5e3c44b93d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBCAZE
CVE: CVE-2024-53241

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=82c211ead1ec440dbf81727e17b03b5e3c44b93d



--------------------------------

commit a2796dff62d6c6bfc5fbebdf2bee0d5ac0438906 upstream.

Instead of jumping to the Xen hypercall page for doing the iret
hypercall, directly code the required sequence in xen-asm.S.

This is done in preparation of no longer using hypercall page at all,
as it has been shown to cause problems with speculation mitigations.

This is part of XSA-466 / CVE-2024-53241.

Reported-by: default avatarAndrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarHeyuan Wang <wangheyuan2@h-partners.com>
parent 31b452f6
+18 −9
@@ -176,7 +176,6 @@ SYM_CODE_START(xen_early_idt_handler_array)
SYM_CODE_END(xen_early_idt_handler_array)
	__FINIT

hypercall_iret = hypercall_page + __HYPERVISOR_iret * 32
/*
 * Xen64 iret frame:
 *
@@ -186,17 +185,28 @@ hypercall_iret = hypercall_page + __HYPERVISOR_iret * 32
 *	cs
 *	rip		<-- standard iret frame
 *
 *	flags
 *	flags		<-- xen_iret must push from here on
 *
 *	rcx		}
 *	r11		}<-- pushed by hypercall page
 * rsp->rax		}
 *	rcx
 *	r11
 * rsp->rax
 */
.macro xen_hypercall_iret
	pushq $0	/* Flags */
	push %rcx
	push %r11
	push %rax
	mov  $__HYPERVISOR_iret, %eax
	syscall		/* Do the IRET. */
#ifdef CONFIG_MITIGATION_SLS
	int3
#endif
.endm

SYM_CODE_START(xen_iret)
	UNWIND_HINT_UNDEFINED
	ANNOTATE_NOENDBR
	pushq $0
	jmp hypercall_iret
	xen_hypercall_iret
SYM_CODE_END(xen_iret)

/*
@@ -301,8 +311,7 @@ SYM_CODE_START(xen_entry_SYSENTER_compat)
	ENDBR
	lea 16(%rsp), %rsp	/* strip %rcx, %r11 */
	mov $-ENOSYS, %rax
	pushq $0
	jmp hypercall_iret
	xen_hypercall_iret
SYM_CODE_END(xen_entry_SYSENTER_compat)
SYM_CODE_END(xen_entry_SYSCALL_compat)
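Review bot: The `#ifdef CONFIG_MITIGATION_SLS` guard around the `int3` in the new `xen_hypercall_iret` macro only works if this tree's Kconfig actually defines that symbol; upstream renamed `CONFIG_SLS` to `CONFIG_MITIGATION_SLS` after 6.6, so on a 6.6-based tree the guard is likely never true and the `int3` is silently dropped from both `xen_iret` and `xen_entry_SYSENTER_compat`. Since the `syscall` here does not return to the following instruction, that `int3` appears to be the only thing stopping straight-line speculation from running past the macro into whatever follows the expansion, so the backport should be checked against `arch/x86/Kconfig` and, if needed, changed to `#if defined(CONFIG_MITIGATION_SLS) || defined(CONFIG_SLS)` (or the tree's rename backported). Separately, the `/* Flags */` comment on the `pushq $0` is easy to misread as rflags, which is already in the frame above; I'd make it `pushq $0	/* Xen iret_context flags (not rflags) — no VGCF_in_syscall here */`, presuming that matches the hypervisor's frame layout the comment block above describes. The body of `xen_entry_SYSENTER_compat` starts outside the visible hunk.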