authorNatanael Copa <ncopa@alpinelinux.org>2016-10-19 16:36:38 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-10-19 16:40:59 +0000
commite796802671069b942735955d88011712adf2b432 (patch)
tree9b8f6ace97d593812bac20a1fafc22a104594f2a /main/xen
parent711e09ea9e37d185e8cb6c8420f5779c26ea7a30 (diff)
main/xen: security fix for CVE-2016-7777
Diffstat (limited to 'main/xen')
-rw-r--r--main/xen/APKBUILD8
-rw-r--r--main/xen/xsa190.patch173
2 files changed, 180 insertions, 1 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index e3f2b1a751..112936fec8 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.7.0
-pkgrel=4
+pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64 armhf"
@@ -24,6 +24,8 @@ makedepends="$depends_dev autoconf automake libtool "
# - CVE-2016-7092 XSA-185
# - CVE-2016-7093 XSA-186
# - CVE-2016-7094 XSA-187
+# 4.7.0-r5:
+# - CVE-2016-7777 XSA-190
case "$CARCH" in
x86*)
@@ -76,6 +78,7 @@ source="http://bits.xensource.com/oss-xen/release/$pkgver/$pkgname-$pkgver.tar.g
xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+ xsa190.patch
qemu-coroutine-gthread.patch
qemu-xen_paths.patch
@@ -316,6 +319,7 @@ cc0904605d03a9e4f6f21d16824e41c9 xsa184-qemuu-master.patch
7849473e564a01b348d9f60a53fefe65 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
c426383254acdcbb9466bbec2d6f8d9b xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
ed2ad5eaaa275dd64f9fdca3ef8a5ca7 xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+73bd0fc4a4d51c7160eadf527adb1195 xsa190.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
e449bb3359b490804ffc7b0ae08d62a0 hotplug-vif-vtrill.patch
@@ -370,6 +374,7 @@ f2082a36d968a47e477bb5082d0e0aaa58e6cb3dc20b26389f043a9b7b595fa6 xsa186-0001-x8
5a826a32763d82ac83c924f8c89d12aae5f069a4cbc7d5193aa8413a02b6dc05 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
be9fe85d36c2c1fbca246c1f4d834c3ef11b6ab3d5467da0ac8c079aa5a68de9 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
36b22d6a168be39f31a1c1304f708269a2a10fe5105f7da4a06877d6059f1cd6 xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+21e7b1d08874527ab2e4cd23d467e9945afcd753dd3390ab2aaf9d24d231916c xsa190.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
dd1e784bc455eb62cb85b3fa24bfc34f575ceaab9597ef6a2f1ee7ff7b3cae0a hotplug-vif-vtrill.patch
@@ -424,6 +429,7 @@ bf899dde20cee730598b90e0a07941155b20e0ea17b9a3017a53bd0e1495fb6e5dc251934e01d029
8e2a6c32aeb7cfb6ffa4395709ea849850d4c356dce139857a6783310b2efb47a01b1cf946b890264f7db543c5304830f64b5e40563c72318391569986146ab7 xsa186-4.7-0002-hvm-fep-Allow-testing-of-instructions-crossing-the.patch
d85bc3c56805ff5b3df6b85b2b34ff97d15fe254fc5a873b5c43c2c15564eea42753723a6296292a543e7b7dc83ad71f0fafe01fa6a6ebf82fa0a7268fc67486 xsa187-4.7-0001-x86-shadow-Avoid-overflowing-sh_ctxt-seg.patch
f60b51de992225ea6f48ad108c18717fb84a6f3c7cc3a3d567a1799403eefdc965c1ec4ccb9190affa58f81c48f13525a86144b04674b42732c8bdcad6084ff2 xsa187-4.7-0002-x86-segment-Bounds-check-accesses-to-emulation-ctx.patch
+7cd36ad72a97ddbcf3454c87e6adebddfa3204f023446e399c38ecb8914a165a9df2d4939efd40dba149260df3380b2751321c654aff7011b5110e215b0afb37 xsa190.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
f095ea373f36381491ad36f0662fb4f53665031973721256b23166e596318581da7cbb0146d0beb2446729adfdb321e01468e377793f6563a67d68b8b0f7ffe3 hotplug-vif-vtrill.patch
diff --git a/main/xen/xsa190.patch b/main/xen/xsa190.patch
new file mode 100644
index 0000000000..3c242e6cc2
--- /dev/null
+++ b/main/xen/xsa190.patch
@@ -0,0 +1,173 @@
+x86emul: honor guest CR0.TS and CR0.EM
+
+We must not emulate any instructions accessing respective registers
+when either of these flags is set in the guest view of the register, or
+else we may do so on data not belonging to the guest's current task.
+
+Being architecturally required behavior, the logic gets placed in the
+instruction emulator instead of hvmemul_get_fpu(). It should be noted,
+though, that hvmemul_get_fpu() being the only current handler for the
+get_fpu() callback, we don't have an active problem with CR4: Both
+CR4.OSFXSR and CR4.OSXSAVE get handled as necessary by that function.
+
+This is XSA-190.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+---
+v4: Only raise #NM on FWAIT when CR0.TS and CR0.MP are set.
+v3: Correct which exception to raise upon set CR0.EM.
+v2: Require the read_cr hook to be set, which then requires a change to
+ the test code too.
+---
+The change to xen/arch/x86/hvm/emulate.c isn't strictly needed for
+fixing the security issue, but the patch would be rather incomplete
+without.
+
+--- a/tools/tests/x86_emulator/test_x86_emulator.c
++++ b/tools/tests/x86_emulator/test_x86_emulator.c
+@@ -158,6 +158,22 @@ static inline uint64_t xgetbv(uint32_t x
+ (ebx & (1U << 5)) != 0; \
+ })
+
++static int read_cr(
++ unsigned int reg,
++ unsigned long *val,
++ struct x86_emulate_ctxt *ctxt)
++{
++ /* Fake just enough state for the emulator's _get_fpu() to be happy. */
++ switch ( reg )
++ {
++ case 0:
++ *val = 0x00000001; /* PE */
++ return X86EMUL_OKAY;
++ }
++
++ return X86EMUL_UNHANDLEABLE;
++}
++
+ int get_fpu(
+ void (*exception_callback)(void *, struct cpu_user_regs *),
+ void *exception_callback_arg,
+@@ -189,6 +205,7 @@ static struct x86_emulate_ops emulops =
+ .write = write,
+ .cmpxchg = cmpxchg,
+ .cpuid = cpuid,
++ .read_cr = read_cr,
+ .get_fpu = get_fpu,
+ };
+
+--- a/xen/arch/x86/hvm/emulate.c
++++ b/xen/arch/x86/hvm/emulate.c
+@@ -1628,14 +1628,14 @@ static int hvmemul_get_fpu(
+ switch ( type )
+ {
+ case X86EMUL_FPU_fpu:
++ case X86EMUL_FPU_wait:
+ break;
+ case X86EMUL_FPU_mmx:
+ if ( !cpu_has_mmx )
+ return X86EMUL_UNHANDLEABLE;
+ break;
+ case X86EMUL_FPU_xmm:
+- if ( (curr->arch.hvm_vcpu.guest_cr[0] & X86_CR0_EM) ||
+- !(curr->arch.hvm_vcpu.guest_cr[4] & X86_CR4_OSFXSR) )
++ if ( !(curr->arch.hvm_vcpu.guest_cr[4] & X86_CR4_OSFXSR) )
+ return X86EMUL_UNHANDLEABLE;
+ break;
+ case X86EMUL_FPU_ymm:
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -420,6 +420,9 @@ typedef union {
+
+ /* Control register flags. */
+ #define CR0_PE (1<<0)
++#define CR0_MP (1<<1)
++#define CR0_EM (1<<2)
++#define CR0_TS (1<<3)
+ #define CR4_TSD (1<<2)
+
+ /* EFLAGS bit definitions. */
+@@ -447,6 +450,7 @@ typedef union {
+ #define EXC_OF 4
+ #define EXC_BR 5
+ #define EXC_UD 6
++#define EXC_NM 7
+ #define EXC_TS 10
+ #define EXC_NP 11
+ #define EXC_SS 12
+@@ -746,10 +750,45 @@ static void fpu_handle_exception(void *_
+ regs->eip += fic->insn_bytes;
+ }
+
++static int _get_fpu(
++ enum x86_emulate_fpu_type type,
++ struct fpu_insn_ctxt *fic,
++ struct x86_emulate_ctxt *ctxt,
++ const struct x86_emulate_ops *ops)
++{
++ int rc;
++
++ fic->exn_raised = 0;
++
++ fail_if(!ops->get_fpu);
++ rc = ops->get_fpu(fpu_handle_exception, fic, type, ctxt);
++
++ if ( rc == X86EMUL_OKAY )
++ {
++ unsigned long cr0;
++
++ fail_if(!ops->read_cr);
++ rc = ops->read_cr(0, &cr0, ctxt);
++ if ( rc != X86EMUL_OKAY )
++ return rc;
++ if ( cr0 & CR0_EM )
++ {
++ generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM, -1);
++ generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD, -1);
++ generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD, -1);
++ }
++ generate_exception_if((cr0 & CR0_TS) &&
++ (type != X86EMUL_FPU_wait || (cr0 & CR0_MP)),
++ EXC_NM, -1);
++ }
++
++ done:
++ return rc;
++}
++
+ #define get_fpu(_type, _fic) \
+-do{ (_fic)->exn_raised = 0; \
+- fail_if(ops->get_fpu == NULL); \
+- rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
++do { \
++ rc = _get_fpu(_type, _fic, ctxt, ops); \
+ if ( rc ) goto done; \
+ } while (0)
+ #define _put_fpu() \
+@@ -2879,8 +2918,14 @@ x86_emulate(
+ }
+
+ case 0x9b: /* wait/fwait */
+- emulate_fpu_insn("fwait");
++ {
++ struct fpu_insn_ctxt fic = { .insn_bytes = 1 };
++
++ get_fpu(X86EMUL_FPU_wait, &fic);
++ asm volatile ( "fwait" ::: "memory" );
++ put_fpu(&fic);
+ break;
++ }
+
+ case 0x9c: /* pushf */
+ src.val = _regs.eflags;
+--- a/xen/arch/x86/x86_emulate/x86_emulate.h
++++ b/xen/arch/x86/x86_emulate/x86_emulate.h
+@@ -115,6 +115,7 @@ struct __packed segment_register {
+ /* FPU sub-types which may be requested via ->get_fpu(). */
+ enum x86_emulate_fpu_type {
+ X86EMUL_FPU_fpu, /* Standard FPU coprocessor instruction set */
++ X86EMUL_FPU_wait, /* WAIT/FWAIT instruction */
+ X86EMUL_FPU_mmx, /* MMX instruction set (%mm0-%mm7) */
+ X86EMUL_FPU_xmm, /* SSE instruction set (%xmm0-%xmm7/15) */
+ X86EMUL_FPU_ymm /* AVX/XOP instruction set (%ymm0-%ymm7/15) */
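Review bot: In `_get_fpu` the CR0.EM block raises #NM/#UD for the fpu, mmx and xmm types but says nothing about X86EMUL_FPU_ymm, so if a ymm request can reach this point with CR0.EM set, the architectural #UD for VEX-encoded instructions under CR0.EM would not be produced here and would have to come from the get_fpu handler instead — worth confirming against hvmemul_get_fpu, which the emulate.c hunk only changes for the xmm case. The TS/MP condition on the final generate_exception_if encodes a non-obvious rule (the v4 note: WAIT raises #NM only when both CR0.TS and CR0.MP are set) that deserves a comment in the code rather than only in the version log, e.g. `/* WAIT/FWAIT takes #NM only if CR0.MP is also set; every other type faults on CR0.TS alone. */` placed above it. The read_cr failure and exception paths return after ops->get_fpu has already succeeded, so releasing the acquired FPU state relies on the caller's `done` label calling put_fpu; that cleanup lives outside this hunk and cannot be checked here.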