From e5c98b0e6059b8a108ef78ec4448c91af1f8232b Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Fri, 6 Jan 2017 20:05:36 +0000
Subject: [PATCH] x86/pv: Check that emulate_privileged_op() don't change any unexpected flags

No bits, other than arithmetic ones and the resume flag (which will most likely change from 1 to 0), can be changed by the instructions we permit. Extend the check to cover other flags.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
 xen/arch/x86/traps.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 4f29c3af93..ea0ce528f3 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -3012,9 +3012,11 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
 /*
 * Un-mirror virtualized state from EFLAGS.
- * Nothing we allow to be emulated can change TF, IF, or IOPL.
+ * Nothing we allow to be emulated can change anything other than the
+ * arithmetic bits, and the resume flag.
 */
- ASSERT(!((regs->_eflags ^ eflags) & (X86_EFLAGS_IF | X86_EFLAGS_IOPL)));
+ ASSERT(!((regs->_eflags ^ eflags) &
+ ~(X86_EFLAGS_RF | X86_EFLAGS_ARITH_MASK)));
 regs->_eflags |= X86_EFLAGS_IF;
 regs->_eflags &= ~X86_EFLAGS_IOPL;
-- 
2.30.2
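Review bot: The widened `ASSERT(...)` is the only enforcement that emulation left every bit outside `X86_EFLAGS_RF | X86_EFLAGS_ARITH_MASK` untouched, and if `ASSERT()` is the usual debug-build-only macro, a release build would write an unexpected change (TF, for instance) back to the guest's `regs->_eflags` unnoticed, while a debug build would halt the hypervisor on a guest-driven path. The comment above it should record what the invariant depends on, for example `* Relies on the set of instructions the emulation hooks accept; widen the mask if one that writes other flags is ever permitted.` If a release-build safety net is wanted, the unexpected bits could be restored from the saved copy before the IF/IOPL fix-up, e.g. `regs->_eflags = (regs->_eflags & keep) | (eflags & ~keep);` with `keep` standing for the permitted mask. That `eflags` holds the pre-emulation value is inferred, because `emulate_privileged_op()` begins and ends outside this hunk.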