# Commit 6a98383b0877bb66ebfe189da43bf81abe3d7909 # Date 2024-04-09 12:49:40 +0100 # Author Jan Beulich # Committer Andrew Cooper x86/HVM: clear upper halves of GPRs upon entry from 32-bit code Hypercalls in particular can be the subject of continuations, and logic there checks updated state against incoming register values. If the guest manufactured a suitable argument register with a non-zero upper half before entering compatibility mode and issuing a hypercall from there, checks in hypercall_xlat_continuation() might trip. Since for HVM we want to also be sure to not hit a corner case in the emulator, initiate the clipping right from the top of {svm,vmx}_vmexit_handler(). Also rename the invoked function, as it no longer does only invalidation of fields. Note that architecturally the upper halves of registers are undefined after a switch between compatibility and 64-bit mode (either direction). Hence once having entered compatibility mode, the guest can't assume the upper half of any register to retain its value. This is part of XSA-454 / CVE-2023-46842. Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op") Reported-by: Manuel Andreas Signed-off-by: Jan Beulich Reviewed-by: Roger Pau MonnĂ© # Commit d0a718a45f14b86471d8eb3083acd72760963470 # Date 2024-04-11 13:23:08 +0100 # Author Andrew Cooper # Committer Andrew Cooper x86/hvm: Fix Misra Rule 19.1 regression Despite noticing an impending Rule 19.1 violation, the adjustment made (the uint32_t cast) wasn't sufficient to avoid it. Try again. Subsequently noticed by Coverity too. Fixes: 6a98383b0877 ("x86/HVM: clear upper halves of GPRs upon entry from 32-bit code") Coverity-IDs: 1596289 thru 1596298 Signed-off-by: Andrew Cooper Reviewed-by: Stefano Stabellini --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -2599,7 +2599,8 @@ void svm_vmexit_handler(struct cpu_user_ regs->rsp = vmcb->rsp; regs->rflags = vmcb->rflags; - hvm_invalidate_regs_fields(regs); + hvm_sanitize_regs_fields( + regs, !(vmcb_get_efer(vmcb) & EFER_LMA) || !(vmcb->cs.l)); if ( paging_mode_hap(v->domain) ) v->arch.hvm.guest_cr[3] = v->arch.hvm.hw_cr[3] = vmcb_get_cr3(vmcb); --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -3762,6 +3762,7 @@ static int vmx_handle_apic_write(void) void vmx_vmexit_handler(struct cpu_user_regs *regs) { unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0; + unsigned long cs_ar_bytes = 0; unsigned int vector = 0; struct vcpu *v = current; struct domain *currd = v->domain; @@ -3770,7 +3771,10 @@ void vmx_vmexit_handler(struct cpu_user_ __vmread(GUEST_RSP, ®s->rsp); __vmread(GUEST_RFLAGS, ®s->rflags); - hvm_invalidate_regs_fields(regs); + if ( hvm_long_mode_active(v) ) + __vmread(GUEST_CS_AR_BYTES, &cs_ar_bytes); + + hvm_sanitize_regs_fields(regs, !(cs_ar_bytes & X86_SEG_AR_CS_LM_ACTIVE)); if ( paging_mode_hap(v->domain) ) { --- a/xen/include/asm-x86/hvm/hvm.h +++ b/xen/include/asm-x86/hvm/hvm.h @@ -546,8 +546,24 @@ static inline void hvm_set_info_guest(st return hvm_funcs.set_info_guest(v); } -static inline void hvm_invalidate_regs_fields(struct cpu_user_regs *regs) +static inline void hvm_sanitize_regs_fields(struct cpu_user_regs *regs, + bool compat) { + if ( compat ) + { + /* Clear GPR upper halves, to counteract guests playing games. */ + regs->rbp = (uint32_t)regs->rbp; + regs->rbx = (uint32_t)regs->rbx; + regs->rax = (uint32_t)regs->rax; + regs->rcx = (uint32_t)regs->rcx; + regs->rdx = (uint32_t)regs->rdx; + regs->rsi = (uint32_t)regs->rsi; + regs->rdi = (uint32_t)regs->rdi; + regs->rip = (uint32_t)regs->rip; + regs->rflags = (uint32_t)regs->rflags; + regs->rsp = (uint32_t)regs->rsp; + } + #ifndef NDEBUG regs->error_code = 0xbeef; regs->entry_vector = 0xbeef;