1. Patchew
  2. Xen
  3. [PATCH 0/8] x86: Drop the vm86 segments selectors from struct cpu_user_regs
  4. View patch

[PATCH 4/8] Revert "x86/traps: 'Fix' safety of read_registers() in #DF path"

Andrew Cooper posted 8 patches 9 months, 1 week ago
There is a newer version of this series
[PATCH 4/8] Revert "x86/traps: 'Fix' safety of read_registers() in #DF path"
Posted by Andrew Cooper 9 months, 1 week ago 
This reverts commit 6065a05adf152a556fb9f11a5218c89e41b62893.

The discussed "proper fix" has now been implemented, and the #DF path no
longer writes out-of-bounds.  Restore the proper #DF IST pointer.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>

Only 5 years late...
---
 xen/arch/x86/cpu/common.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index e8d4ca3203be..b934ce7ca487 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -847,13 +847,7 @@ void load_system_tables(void)
 	tss->ist[IST_MCE - 1] = stack_top + (1 + IST_MCE) * PAGE_SIZE;
 	tss->ist[IST_NMI - 1] = stack_top + (1 + IST_NMI) * PAGE_SIZE;
 	tss->ist[IST_DB  - 1] = stack_top + (1 + IST_DB)  * PAGE_SIZE;
-	/*
-	 * Gross bodge.  The #DF handler uses the vm86 fields of cpu_user_regs
-	 * beyond the hardware frame.  Adjust the stack entrypoint so this
-	 * doesn't manifest as an OoB write which hits the guard page.
-	 */
-	tss->ist[IST_DF  - 1] = stack_top + (1 + IST_DF)  * PAGE_SIZE -
-		(sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, es));
+	tss->ist[IST_DF  - 1] = stack_top + (1 + IST_DF)  * PAGE_SIZE;
 	tss->bitmap = IOBMP_INVALID_OFFSET;
 
 	/* All other stack pointers poisioned. */
-- 
2.39.5
Re: [PATCH 4/8] Revert "x86/traps: 'Fix' safety of read_registers() in #DF path"
Posted by Jan Beulich 9 months, 1 week ago 
On 11.03.2025 22:10, Andrew Cooper wrote:
> This reverts commit 6065a05adf152a556fb9f11a5218c89e41b62893.
> 
> The discussed "proper fix" has now been implemented, and the #DF path no
> longer writes out-of-bounds.  Restore the proper #DF IST pointer.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Acked-by: Jan Beulich <jbeulich@suse.com>

> --- a/xen/arch/x86/cpu/common.c
> +++ b/xen/arch/x86/cpu/common.c
> @@ -847,13 +847,7 @@ void load_system_tables(void)
>  	tss->ist[IST_MCE - 1] = stack_top + (1 + IST_MCE) * PAGE_SIZE;
>  	tss->ist[IST_NMI - 1] = stack_top + (1 + IST_NMI) * PAGE_SIZE;
>  	tss->ist[IST_DB  - 1] = stack_top + (1 + IST_DB)  * PAGE_SIZE;
> -	/*
> -	 * Gross bodge.  The #DF handler uses the vm86 fields of cpu_user_regs
> -	 * beyond the hardware frame.  Adjust the stack entrypoint so this
> -	 * doesn't manifest as an OoB write which hits the guard page.
> -	 */
> -	tss->ist[IST_DF  - 1] = stack_top + (1 + IST_DF)  * PAGE_SIZE -
> -		(sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, es));
> +	tss->ist[IST_DF  - 1] = stack_top + (1 + IST_DF)  * PAGE_SIZE;

And one of these "es is special" also gone.

Jan

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.