From: Andrew Cooper
To: Xen-devel
Date: Wed, 4 Sep 2019 18:57:08 +0100
Message-ID: <20190904175708.18853-1-andrew.cooper3@citrix.com>
In-Reply-To: <20190819182612.16706-1-andrew.cooper3@citrix.com>
References: <20190819182612.16706-1-andrew.cooper3@citrix.com>
Subject: [Xen-devel] [PATCH v3 2/2] x86/AMD: Fix handling of x87 exception pointers on Fam17h hardware
Cc: Andrew Cooper, Wei Liu, Jan Beulich, Roger Pau Monné

AMD Pre-Fam17h CPUs "optimise" {F,}X{SAVE,RSTOR} by not saving/restoring
FOP/FIP/FDP if an x87 exception isn't pending. This causes an information
leak, CVE-2006-1056, and is worked around by several OSes, including Xen.

AMD Fam17h CPUs no longer have this leak, and advertise so in a CPUID bit.

Introduce the RSTR_FP_ERR_PTRS feature, as specified by AMD, and expose to
all guests by default. While adjusting libxl's cpuid table, add CLZERO which
looks to have been omitted previously.

Also introduce an X86_BUG bit to trigger the (F)XRSTOR workaround, and set it
on AMD hardware where RSTR_FP_ERR_PTRS is not advertised. Optimise the
conditions for the workaround paths.
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné

v3:
 * Rename to X86_BUG_FPU_PTRS
 * Reinstate, contrary to personal opinion, the fsw/fcw checks.

v2:
 * Use the AMD naming, not that I am convinced this is a sensible name to use.
 * Adjust the i387 codepaths as well as the xstate ones.
 * Add xen-cpuid/libxl data for the CPUID bit.
---
 tools/libxl/libxl_cpuid.c                   |  3 +++
 tools/misc/xen-cpuid.c                      |  1 +
 xen/arch/x86/cpu/amd.c                      |  7 +++++++
 xen/arch/x86/i387.c                         | 16 +++++++---------
 xen/arch/x86/xstate.c                       |  7 +++----
 xen/include/asm-x86/cpufeature.h            |  3 +++
 xen/include/asm-x86/cpufeatures.h           |  2 ++
 xen/include/public/arch-x86/cpufeatureset.h |  1 +
 8 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/tools/libxl/libxl_cpuid.c b/tools/libxl/libxl_cpuid.c index f1c6ce2076..953a3bbd8c 100644 --- a/tools/libxl/libxl_cpuid.c +++ b/tools/libxl/libxl_cpuid.c @@ -257,8 +257,11 @@ int libxl_cpuid_parse_config(libxl_cpuid_policy_list *= cpuid, const char* str) =20 {"invtsc", 0x80000007, NA, CPUID_REG_EDX, 8, 1}, =20 + {"clzero", 0x80000008, NA, CPUID_REG_EBX, 0, 1}, + {"rstr-fp-err-ptrs", 0x80000008, NA, CPUID_REG_EBX, 2, 1}, {"wbnoinvd", 0x80000008, NA, CPUID_REG_EBX, 9, 1}, {"ibpb", 0x80000008, NA, CPUID_REG_EBX, 12, 1}, + {"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8}, {"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4}, =20 diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index be6a8d27a5..f51facffb6 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -145,6 +145,7 @@ static const char *const str_e7d[32] =3D static const char *const str_e8b[32] =3D { [ 0] =3D "clzero", + [ 2] =3D "rstr-fp-err-ptrs", =20 /* [ 8] */ [ 9] =3D "wbnoinvd", =20 diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c index a2f83c79a5..dc9ed55ba6 100644 --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c
@@ -580,6 +580,13 @@ static void init_amd(struct cpuinfo_x86 *c) } =20 /* + * Older AMD CPUs don't save/load FOP/FIP/FDP unless an FPU exception + * is pending. Xen works around this at (F)XRSTOR time. + */ + if ( !cpu_has(c, X86_FEATURE_RSTR_FP_ERR_PTRS) ) + setup_force_cpu_cap(X86_BUG_FPU_PTRS); + + /* * Attempt to set lfence to be Dispatch Serialising. This MSR almost * certainly isn't virtualised (and Xen at least will leak the real * value in but silently discard writes), as well as being per-core diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c index 88178485cb..e4f0965eed 100644 --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -43,20 +43,18 @@ static inline void fpu_fxrstor(struct vcpu *v) const typeof(v->arch.xsave_area->fpu_sse) *fpu_ctxt =3D v->arch.fpu_ct= xt; =20 /* - * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception + * Some CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved * data block as a safe address because it should be in L1. */ - if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) && - boot_cpu_data.x86_vendor =3D=3D X86_VENDOR_AMD ) - { + if ( cpu_bug_fpu_ptrs && + !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) ) asm volatile ( "fnclex\n\t" "ffree %%st(7)\n\t" /* clear stack tag */ "fildl %0" /* load to clear state */ : : "m" (*fpu_ctxt) ); - } =20 /* * FXRSTOR can fault if passed a corrupted data block. We handle this 
@@ -169,11 +167,11 @@ static inline void fpu_fxsave(struct vcpu *v) : "=3Dm" (*fpu_ctxt) : "R" (fpu_ctxt) ); =20 /* - * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception - * is pending. + * Some CPUs don't save/restore FDP/FIP/FOP unless an exception is + * pending. In this case, the restore side will arrange safe valu= es, + * and there is no point trying to restore FCS/FDS in addition. */ - if ( !(fpu_ctxt->fsw & 0x0080) && - boot_cpu_data.x86_vendor =3D=3D X86_VENDOR_AMD ) + if ( cpu_bug_fpu_ptrs && !(fpu_ctxt->fsw & 0x0080) ) return; =20 /* diff --git a/xen/arch/x86/xstate.c b/xen/arch/x86/xstate.c index 3293ef834f..10016a05d0 100644 --- a/xen/arch/x86/xstate.c +++ b/xen/arch/x86/xstate.c @@ -369,15 +369,14 @@ void xrstor(struct vcpu *v, uint64_t mask) unsigned int faults, prev_faults; =20 /* - * AMD CPUs don't save/restore FDP/FIP/FOP unless an exception + * Some CPUs don't save/restore FDP/FIP/FOP unless an exception * is pending. Clear the x87 state here by setting it to fixed * values. The hypervisor data segment can be sometimes 0 and * sometimes new user value. Both should be ok. Use the FPU saved * data block as a safe address because it should be in L1. */ - if ( (mask & ptr->xsave_hdr.xstate_bv & X86_XCR0_FP) && - !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && - boot_cpu_data.x86_vendor =3D=3D X86_VENDOR_AMD ) + if ( cpu_bug_fpu_ptrs && + !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */ "fildl %0" /* load to clear state */ diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeat= ure.h index 7e1ff17ad4..00d22caac7 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -138,6 +138,9 @@ =20 #define cpu_has_msr_tsc_aux (cpu_has_rdtscp || cpu_has_rdpid) =20 +/* Bugs. */ +#define cpu_bug_fpu_ptrs boot_cpu_has(X86_BUG_FPU_PTRS) + enum _cache_type { CACHE_TYPE_NULL =3D 0, CACHE_TYPE_DATA =3D 1, 
diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufea= tures.h index ab3650f73b..91eccf5161 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -43,5 +43,7 @@ XEN_CPUFEATURE(SC_VERW_IDLE, X86_SYNTH(25)) /* VERW = used by Xen for idle */ #define X86_NR_BUG 1 #define X86_BUG(x) ((FSCAPINTS + X86_NR_SYNTH) * 32 + (x)) =20 +#define X86_BUG_FPU_PTRS X86_BUG( 0) /* (F)X{SAVE,RSTOR} doesn't = save/restore FOP/FIP/FDP. */ + /* Total number of capability words, inc synth and bug words. */ #define NCAPINTS (FSCAPINTS + X86_NR_SYNTH + X86_NR_BUG) /* N 32-bit words= worth of info */ diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/publ= ic/arch-x86/cpufeatureset.h index f2ec470179..48d8d1f4e2 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -244,6 +244,7 @@ XEN_CPUFEATURE(EFRO, 7*32+10) /* APERF/MPERF= Read Only interface */ =20 /* AMD-defined CPU features, CPUID level 0x80000008.ebx, word 8 */ XEN_CPUFEATURE(CLZERO, 8*32+ 0) /*A CLZERO instruction */ +XEN_CPUFEATURE(RSTR_FP_ERR_PTRS, 8*32+ 2) /*A (F)X{SAVE,RSTOR} always sav= es/restores FPU Error pointers */ XEN_CPUFEATURE(WBNOINVD, 8*32+ 9) /* WBNOINVD instruction */ XEN_CPUFEATURE(IBPB, 8*32+12) /*A IBPB support only (no IBRS, us= ed by AMD) */ =20 --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
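Review bot: the tools/libxl/libxl_cpuid.c hunk adds a third entry, `{"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8},` that the commit message does not account for; it only says CLZERO was added alongside rstr-fp-err-ptrs. Either drop the "nc" line from this patch or add a sentence to the commit message stating that the leaf 0x80000008 ECX[7:0] field is being made available to the cpuid config parser as well, so the change is reviewable on its own.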
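Review bot: in the xen/arch/x86/xstate.c xrstor() hunk the new condition drops the `(mask & ptr->xsave_hdr.xstate_bv & X86_XCR0_FP)` term, so on affected hardware the `fnclex` / `ffree %%st(7)` / `fildl` sequence now runs whenever no unmasked exception is flagged in the image, regardless of whether x87 state is part of the restore. If any caller passes a mask without X86_XCR0_FP, XRSTOR leaves the live x87 registers untouched, and the `fildl` push and tag clear would then modify state that is not about to be overwritten. The commit message only says "Optimise the conditions for the workaround paths"; it should state why every caller's mask includes X86_XCR0_FP (or keep the mask term) so the dropped check is visibly safe.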
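The commit message describes the CPUID bit and the two workaround conditions only in prose, and the conditions in the i387.c and xstate.c hunks read differently on the save and restore sides (`fsw & 0x0080` versus `fsw & ~fcw & 0x003f`). The program below is an added example, not Xen's code, that reproduces the decision logic stand-alone so the bit semantics can be checked against constructed status/control-word values. The bit positions come from the libxl table in the patch; the helper names, the vendor-string check and the sample register values are assumptions made here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 0x80000008, EBX bit positions, as in the libxl table above. */
#define LEAF_8008_EBX_CLZERO           (1u << 0)
#define LEAF_8008_EBX_RSTR_FP_ERR_PTRS (1u << 2)
#define LEAF_8008_EBX_WBNOINVD         (1u << 9)
#define LEAF_8008_EBX_IBPB             (1u << 12)

/* x87 status word: bits 0-5 are the exception flags, bit 7 is the error
 * summary (ES), set by hardware when an unmasked exception is pending. */
#define FSW_EXC_MASK 0x003f
#define FSW_ZE       0x0004
#define FSW_PE       0x0020
#define FSW_ES       0x0080

/* x87 control word: bits 0-5 mask the corresponding exceptions; the
 * architectural reset value 0x037f masks all of them. */
#define FCW_DEFAULT  0x037f

/* Same decision as the init_amd() hunk: only AMD parts are ever marked,
 * and only when the leaf does not advertise RSTR_FP_ERR_PTRS.
 * (Hypothetical helper; vendor string check is an assumption.) */
static bool cpu_bug_fpu_ptrs(const char *vendor, uint32_t leaf_8008_ebx)
{
    if ( strcmp(vendor, "AuthenticAMD") != 0 )
        return false;

    return !(leaf_8008_ebx & LEAF_8008_EBX_RSTR_FP_ERR_PTRS);
}

/* Restore side (fpu_fxrstor()/xrstor()): the fnclex/ffree/fildl scrub is
 * needed exactly when no *unmasked* exception is flagged, because that is
 * the case in which affected hardware skips loading FOP/FIP/FDP and stale
 * pointers from the previous context would stay visible. */
static bool fxrstor_needs_scrub(bool bug, uint16_t fsw, uint16_t fcw)
{
    return bug && !(fsw & ~fcw & FSW_EXC_MASK);
}

/* Save side (fpu_fxsave()): with ES clear, affected hardware did not store
 * the pointers, so the post-save fix-up can be skipped. */
static bool fxsave_skips_ptrs(bool bug, uint16_t fsw)
{
    return bug && !(fsw & FSW_ES);
}

#if defined(__x86_64__) || defined(__i386__)
/* Read the vendor string and leaf 0x80000008 EBX of the running CPU.
 * Returns false if the extended leaf is not implemented. */
static bool read_running_cpu(char vendor[13], uint32_t *ebx8)
{
    unsigned int a, b, c, d;

    if ( !__get_cpuid(0, &a, &b, &c, &d) )
        return false;
    memcpy(vendor, &b, 4);
    memcpy(vendor + 4, &d, 4);
    memcpy(vendor + 8, &c, 4);
    vendor[12] = '\0';

    if ( !__get_cpuid(0x80000008, &a, &b, &c, &d) )
        return false;
    *ebx8 = b;

    return true;
}
#endif

int main(void)
{
    /* Constructed register images, not captured from real hardware:
     * a pre-Fam17h AMD leaf (CLZERO + IBPB, no RSTR_FP_ERR_PTRS). */
    bool bug = cpu_bug_fpu_ptrs("AuthenticAMD",
                                LEAF_8008_EBX_CLZERO | LEAF_8008_EBX_IBPB);

    printf("bug=%d\n", bug);
    printf("PE flagged but masked -> scrub=%d skip_fixup=%d\n",
           fxrstor_needs_scrub(bug, FSW_PE, FCW_DEFAULT),
           fxsave_skips_ptrs(bug, FSW_PE));
    printf("ZE unmasked, ES set   -> scrub=%d skip_fixup=%d\n",
           fxrstor_needs_scrub(bug, FSW_ES | FSW_ZE, FCW_DEFAULT & ~FSW_ZE),
           fxsave_skips_ptrs(bug, FSW_ES | FSW_ZE));

#if defined(__x86_64__) || defined(__i386__)
    {
        char vendor[13];
        uint32_t ebx8;

        if ( read_running_cpu(vendor, &ebx8) )
            printf("this CPU: %s RSTR_FP_ERR_PTRS=%d X86_BUG_FPU_PTRS=%d\n",
                   vendor, !!(ebx8 & LEAF_8008_EBX_RSTR_FP_ERR_PTRS),
                   cpu_bug_fpu_ptrs(vendor, ebx8));
    }
#endif
    return 0;
}
```

The point the two predicates make visible: a masked exception flag (PE set in FSW, masked in FCW) still counts as "no exception pending" on the restore side, so the scrub runs, while on the save side only ES decides, since that is the bit the hardware consulted when it chose whether to store the pointers. Run on an x86 machine the final line reports whether the running CPU would get X86_BUG_FPU_PTRS under the patch's rule.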