From: Jan Beulich Date: Wed, 20 Jan 2016 12:50:10 +0000 (+0100) Subject: x86/VMX: prevent INVVPID failure due to non-canonical guest address X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1916 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=bf05e88ed7342a91cceba050b6c622accb809842;p=xen.git x86/VMX: prevent INVVPID failure due to non-canonical guest address While INVLPG (and on SVM INVLPGA) don't fault on non-canonical addresses, INVVPID fails (in the "individual address" case) when passed such an address. Since such intercepted INVLPG are effectively no-ops anyway, don't fix this in vmx_invlpg_intercept(), but instead have paging_invlpg() never return true in such a case. This is CVE-2016-1571 / XSA-168. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Acked-by: Ian Campbell --- diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index 483b2d75de..6215f57ebc 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -245,7 +245,7 @@ paging_fault(unsigned long va, struct cpu_user_regs *regs) * or 0 if it's safe not to do so. */ static inline int paging_invlpg(struct vcpu *v, unsigned long va) { - return paging_get_hostmode(v)->invlpg(v, va); + return is_canonical_address(va) && paging_get_hostmode(v)->invlpg(v, va); } /* Translate a guest virtual address to the frame number that the
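Review bot: the one-line change in paging_invlpg() silently changes the contract documented just above it ("or 0 if it's safe not to do so"), so the doc comment should say why a non-canonical va now always yields 0: the guest-visible INVLPG is architecturally a no-op for such an address (no TLB entry can exist for it), whereas an INVVPID in the individual-address mode would fail on it, so skipping the invalidation is safe rather than a missed flush. Note also that the short-circuit means paging_get_hostmode(v)->invlpg() is no longer called at all for a non-canonical va, so any bookkeeping a mode's invlpg hook does beyond the TLB flush is skipped as well; the commit message treats intercepted INVLPG as effectively a no-op in this case, and a one-line comment stating that assumption next to `return is_canonical_address(va) && ...` would make the reasoning visible to the next person touching this path.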