From eb97b7dc2b268b799596764eb7ed8c41708223e1 Mon Sep 17 00:00:00 2001
From: "kfraser@localhost.localdomain"
Date: Thu, 17 Aug 2006 12:08:26 +0100
Subject: [PATCH] [XEN] Fix x86/64 bug where a guest application can crash the guest OS by setting AC flag in RFLAGS. This wasn't being cleared on entry to the guest kernel, causing unwanted faults because the kernel runs in ring 3 on Xen.

Signed-off-by: Keir Fraser
---
 xen/arch/x86/domain.c | 3 ++-
 xen/arch/x86/x86_32/entry.S | 3 ++-
 xen/arch/x86/x86_64/entry.S | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 65e4dc4b9c..e94dc773e7 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -556,7 +556,8 @@ static void load_segments(struct vcpu *n)
 n->vcpu_info->evtchn_upcall_mask = 1;
 
 regs->entry_vector = TRAP_syscall;
- regs->rflags &= 0xFFFCBEFFUL;
+ regs->rflags &= ~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|
+ X86_EFLAGS_NT|X86_EFLAGS_TF);
 regs->ss = __GUEST_SS;
 regs->rsp = (unsigned long)(rsp-11);
 regs->cs = __GUEST_CS;
diff --git a/xen/arch/x86/x86_32/entry.S b/xen/arch/x86/x86_32/entry.S
index 6b9980fd7a..7dd8ae5310 100644
--- a/xen/arch/x86/x86_32/entry.S
+++ b/xen/arch/x86/x86_32/entry.S
@@ -356,7 +356,8 @@ FLT25: movl %eax,%gs:12(%esi)
 movl %eax,UREGS_gs+4(%esp)
 nvm86_3:/* Rewrite our stack frame and return to ring 1. */
 /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
- andl $0xfffcbeff,UREGS_eflags+4(%esp)
+ andl $~(X86_EFLAGS_VM|X86_EFLAGS_RF|\
+ X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+4(%esp)
 mov %gs,UREGS_ss+4(%esp)
 movl %esi,UREGS_esp+4(%esp)
 movzwl TRAPBOUNCE_cs(%edx),%eax
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 9680530f43..7fe8651639 100644
--- a/xen/arch/x86/x86_64/entry.S
+++ b/xen/arch/x86/x86_64/entry.S
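Review bot: The rewritten mask on the `+` lines of the domain.c hunk quietly adds X86_EFLAGS_AC to what the old constant cleared (0xFFFCBEFFUL only covered VM, RF, NT and TF, bits 17, 16, 14 and 8), but unlike the x86_64 entry.S hunk in this patch the site carries no comment saying so, and the line reads as a purely cosmetic symbolic rewrite. Suggest a comment above the assignment, e.g. `/* TF, VM, RF and NT are cleared on trap; AC too, since the guest kernel runs at CPL 3 and would otherwise take alignment faults. */`. load_segments starts and ends outside the hunk.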
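Review bot: The x86_32 mask on the `+` lines leaves AC set while both x86_64 hunks of this patch clear it, and nothing at the site records that the asymmetry is intentional, so a later consistency pass could add X86_EFLAGS_AC here without cause. The reason is presumably that alignment checking is only enforced at CPL 3 and this path returns to a ring-1 kernel (per the nvm86_3 comment), which is worth stating: extend the IA32 Ref comment with `AC is left as-is: it only takes effect at CPL 3 and the guest kernel runs in ring 1.`. The enclosing routine starts and ends outside the hunk.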
@@ -294,8 +294,10 @@ FLT12: movq %rax,8(%rsi) # R11
 FLT13: movq %rax,(%rsi) # RCX
 /* Rewrite our stack frame and return to guest-OS mode. */
 /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
+ /* Also clear AC: alignment checks shouldn't trigger in kernel mode. */
 movl $TRAP_syscall,UREGS_entry_vector+8(%rsp)
- andl $0xfffcbeff,UREGS_eflags+8(%rsp)
+ andl $~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|\
+ X86_EFLAGS_NT|X86_EFLAGS_TF),UREGS_eflags+8(%rsp)
 movq $__GUEST_SS,UREGS_ss+8(%rsp)
 movq %rsi,UREGS_rsp+8(%rsp)
 movq $__GUEST_CS,UREGS_cs+8(%rsp)

--
2.30.2
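Review bot: The new comment on the first `+` line sits above the `movl $TRAP_syscall` store rather than next to the `andl` it explains, and "kernel mode" understates the point: the AC clear matters precisely because the guest kernel runs at CPL 3 (per the commit message), where alignment checks are enforced. Suggest placing it directly above the `andl`, merged with the existing IA32 Ref comment, e.g. `/* Also clear AC: the guest kernel runs at CPL 3, so alignment checks would otherwise fault in kernel mode. */`. The enclosing routine (the FLT12/FLT13 fixup labels) starts and ends outside the hunk.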