Diffstat (limited to 'main/xen/xsa62.patch')
-rw-r--r-- | main/xen/xsa62.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/main/xen/xsa62.patch b/main/xen/xsa62.patch
new file mode 100644
index 0000000000..3bb432762a
--- /dev/null
+++ b/main/xen/xsa62.patch
@@ -0,0 +1,46 @@
+x86/xsave: initialize extended register state when guests enable it
+
+Till now, when setting previously unset bits in XCR0 we wouldn't touch
+the active register state, thus leaving in the newly enabled registers
+whatever a prior user of it left there, i.e. potentially leaking
+information between guests.
+
+This is CVE-2013-1442 / XSA-62.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/xstate.c
++++ b/xen/arch/x86/xstate.c
+@@ -307,6 +307,7 @@ int validate_xstate(u64 xcr0, u64 xcr0_a
+ int handle_xsetbv(u32 index, u64 new_bv)
+ {
+ struct vcpu *curr = current;
++ u64 mask;
+ 
+ if ( index != XCR_XFEATURE_ENABLED_MASK )
+ return -EOPNOTSUPP;
+@@ -320,9 +321,23 @@ int handle_xsetbv(u32 index, u64 new_bv)
+ if ( !set_xcr0(new_bv) )
+ return -EFAULT;
+ 
++ mask = new_bv & ~curr->arch.xcr0_accum;
+ curr->arch.xcr0 = new_bv;
+ curr->arch.xcr0_accum |= new_bv;
+ 
++ mask &= curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY;
++ if ( mask )
++ {
++ unsigned long cr0 = read_cr0();
++
++ clts();
++ if ( curr->fpu_dirtied )
++ asm ( "stmxcsr %0" : "=m" (curr->arch.xsave_area->fpu_sse.mxcsr) );
++ xrstor(curr, mask);
++ if ( cr0 & X86_CR0_TS )
++ write_cr0(cr0);
++ }
++
+ return 0;
+ }
+
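Review bot: The new block after `curr->arch.xcr0_accum |= new_bv;` in the second inner hunk carries no comment, and the two non-obvious decisions in it — narrowing `mask` with `curr->fpu_dirtied ? ~XSTATE_FP_SSE : XSTATE_NONLAZY` and the `stmxcsr` issued before `xrstor(curr, mask)` — are exactly what a later maintainer backporting or rebasing this XSA will get wrong. I would put a comment above the `mask &=` line along the lines of `/* Reset only state the guest newly enabled: with live FPU state, FP/SSE is already current, so clear the other new components; otherwise only the non-lazy ones need it now. */`, and above the `stmxcsr` something like `/* fpu_dirtied: in-memory MXCSR may be stale, refresh it before xrstor() */`. The second comment is my reading of why the store is there (xrstor() touching MXCSR even with FP/SSE masked out) and should be confirmed against xrstor()'s implementation before it is written down as fact. Whether the lazy components skipped in the `!fpu_dirtied` case are reliably cleared on the next #NM restore is not visible in this patch; the hunk shows handle_xsetbv through its closing brace, but its opening lines are in the preceding hunk.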