Diffstat (limited to 'main/xen/xsa54.patch')
-rw-r--r-- | main/xen/xsa54.patch | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/main/xen/xsa54.patch b/main/xen/xsa54.patch
new file mode 100644
index 000000000..83c8993d6
--- /dev/null
+++ b/main/xen/xsa54.patch
@@ -0,0 +1,24 @@
+x86/xsave: properly check guest input to XSETBV
+
+Other than the HVM emulation path, the PV case so far failed to check
+that YMM state requires SSE state to be enabled, allowing for a #GP to
+occur upon passing the inputs to XSETBV inside the hypervisor.
+
+This is CVE-2013-2078 / XSA-54.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -2205,6 +2205,11 @@ static int emulate_privileged_op(struct
+ if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) )
+ goto fail;
+ 
++ /* YMM state takes SSE state as prerequisite. */
++ if ( (xfeature_mask & new_xfeature & XSTATE_YMM) &&
++ !(new_xfeature & XSTATE_SSE) )
++ goto fail;
++
+ v->arch.xcr0 = new_xfeature;
+ v->arch.xcr0_accum |= new_xfeature;
+ set_xcr0(new_xfeature); |
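Review bot: In the added XSETBV check the `xfeature_mask &` term is redundant, because the context line directly above already jumps to `fail` whenever `new_xfeature & ~xfeature_mask` is non-zero; `if ( (new_xfeature & XSTATE_YMM) && !(new_xfeature & XSTATE_SSE) )` states the same condition more directly. The comment could also say what the check prevents, for example `/* XSETBV raises #GP for YMM without SSE; reject before set_xcr0(). */`, which matches the commit description. If this file is meant to stay byte-identical to the upstream advisory patch, treat both points as notes for upstream rather than local edits. emulate_privileged_op starts and ends outside the hunk.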