From: Jan Beulich
Date: Tue, 4 Jun 2013 07:29:07 +0000 (+0200)
Subject: x86/xsave: properly check guest input to XSETBV
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~6762
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks://%22/%22http:/www.example.com/cgi/%22https:/%22bookmarks:/%22?a=commitdiff_plain;h=365c95f7de789e1dca03f119eab7dc61fe0f77c9;p=xen.git

x86/xsave: properly check guest input to XSETBV

Other than the HVM emulation path, the PV case so far failed to check
that YMM state requires SSE state to be enabled, allowing for a #GP to
occur upon passing the inputs to XSETBV inside the hypervisor.

This is CVE-2013-2078 / XSA-54.

Signed-off-by: Jan Beulich
---

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 087bbebf5f..ef964c3e39 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2205,6 +2205,11 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
             if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
                 goto fail;
 
+            /* YMM state takes SSE state as prerequisite. */
+            if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
+                 !(new_xfeature & XSTATE_SSE) )
+                goto fail;
+
             v->arch.xcr0 = new_xfeature;
             v->arch.xcr0_accum |= new_xfeature;
             set_xcr0(new_xfeature);
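Review bot: the `xfeature_mask &` term in the new condition is redundant: the check immediately above already takes the `goto fail` path for any `new_xfeature` bit outside `xfeature_mask`, so by the time the new test runs `(new_xfeature & XSTATE_YMM)` is equivalent and reads more plainly. The larger point is that the commit message says the HVM emulation path already enforces the YMM-requires-SSE rule; duplicating the rule here as a second hand-written condition is how the PV and HVM paths drifted apart in the first place. Consider moving the FP/mask check and the YMM dependency into one helper that both XSETBV paths call before `set_xcr0()`, so a future XCR0 bit with its own prerequisite only has to be added in one place.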
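The commit message states the rule the PV path was missing: a guest-supplied XCR0 value must have the x87 bit set, must not name any feature the host does not support, and may only enable YMM state if SSE state is enabled too, because XSETBV itself raises #GP otherwise. The following is an added illustration written for this page, not code from Xen or from the author: it places the pre-fix PV check beside the post-fix one and beside a model of the hardware's own acceptance rule, then enumerates every XCR0 value under a constructed three-bit host feature mask (`host_xfeature_mask`, an assumption standing in for Xen's `xfeature_mask`) to show which guest input slipped through before the fix. The `XSTATE_*` bit positions are the architectural XCR0 bit numbers; the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural XCR0 bit positions (x87, XMM, upper YMM halves). */
#define XSTATE_FP   (1ULL << 0)
#define XSTATE_SSE  (1ULL << 1)
#define XSTATE_YMM  (1ULL << 2)

/* Constructed stand-in for Xen's xfeature_mask: XCR0 bits the host CPU supports. */
static const uint64_t host_xfeature_mask = XSTATE_FP | XSTATE_SSE | XSTATE_YMM;

/* Model of what XSETBV itself rejects with #GP: x87 bit clear, an unsupported
 * bit, or YMM enabled while SSE is not. Hypothetical helper, not Xen code. */
bool hw_xsetbv_faults(uint64_t xcr0, uint64_t xfeature_mask)
{
    if ( !(xcr0 & XSTATE_FP) )
        return true;
    if ( xcr0 & ~xfeature_mask )
        return true;
    if ( (xcr0 & XSTATE_YMM) && !(xcr0 & XSTATE_SSE) )
        return true;
    return false;
}

/* The PV-side validation as it stood before XSA-54: "FP set" and
 * "subset of the host mask" only. Returns true when the value is accepted. */
bool xsetbv_check_before(uint64_t new_xfeature, uint64_t xfeature_mask)
{
    if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
        return false;
    return true;
}

/* The validation after the fix: the same two rules plus the YMM->SSE dependency,
 * so every value that reaches set_xcr0() is one the hardware will accept. */
bool xsetbv_check_after(uint64_t new_xfeature, uint64_t xfeature_mask)
{
    if ( !xsetbv_check_before(new_xfeature, xfeature_mask) )
        return false;
    /* YMM state takes SSE state as prerequisite. */
    if ( (new_xfeature & XSTATE_YMM) && !(new_xfeature & XSTATE_SSE) )
        return false;
    return true;
}

/* Number of XCR0 values that the pre-fix check accepts but XSETBV faults on,
 * i.e. guest inputs that would have produced a #GP inside the hypervisor. */
int count_values_missed_before(void)
{
    int missed = 0;
    for ( uint64_t v = 0; v <= host_xfeature_mask; v++ )
        if ( xsetbv_check_before(v, host_xfeature_mask) &&
             hw_xsetbv_faults(v, host_xfeature_mask) )
            missed++;
    return missed;
}

/* True if the post-fix check accepts exactly the values the hardware accepts. */
bool after_matches_hardware(void)
{
    for ( uint64_t v = 0; v <= host_xfeature_mask; v++ )
        if ( xsetbv_check_after(v, host_xfeature_mask) ==
             hw_xsetbv_faults(v, host_xfeature_mask) )
            return false;
    return true;
}

int main(void)
{
    for ( uint64_t v = 0; v <= host_xfeature_mask; v++ )
        printf("xcr0=0x%llx  before:%s  after:%s  hw:%s\n",
               (unsigned long long)v,
               xsetbv_check_before(v, host_xfeature_mask) ? "accept" : "reject",
               xsetbv_check_after(v, host_xfeature_mask)  ? "accept" : "reject",
               hw_xsetbv_faults(v, host_xfeature_mask)    ? "#GP   " : "ok    ");
    printf("values missed by the pre-fix check: %d\n", count_values_missed_before());
    printf("post-fix check matches hardware: %s\n", after_matches_hardware() ? "yes" : "no");
    return 0;
}
```

With the three-bit mask the only value the old check lets through is `XSTATE_FP | XSTATE_YMM` (0x5), which is exactly the YMM-without-SSE combination the hunk rejects; the hardware model agrees with the post-fix check on all eight values. The enumeration is the useful habit here: whenever a guest-controlled register value is forwarded to a privileged instruction, compare the hypervisor's filter against the instruction's documented fault conditions over the whole input space rather than over a few hand-picked cases.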