On 23/08/2023 12:15 pm, Roger Pau Monné wrote: > On Wed, Apr 05, 2023 at 10:52:45PM +0100, Andrew Cooper wrote: >> At the time of XSA-170, the x86 instruction emulator was genuinely broken. >> It >> would load arbitrary values into %rip and putting a check here probably was >> the best stopgap security fix. It should have been reverted following c/s >> 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the >> emulator >> behaviour. >> >> However, everyone involved in XSA-170, myself included, failed to read the >> SDM >> correctly. On the subject of %rip consistency checks, the SDM stated: >> >> If the processor supports N < 64 linear-address bits, bits 63:N must be >> identical >> >> A non-canonical %rip (and SSP more recently) is an explicitly legal state in >> x86, and the VMEntry consistency checks are intentionally off-by-one from a >> regular canonical check. >> >> The consequence of this bug is that Xen will currently take a legal x86 state >> which would successfully VMEnter, and corrupt it into having >> non-architectural >> behaviour. >> >> Furthermore, in the time this bugfix has been pending in public, I >> successfully persuaded Intel to clarify the SDM, adding the following >> clarification: >> >> The guest RIP value is not required to be canonical; the value of bit N-1 >> may differ from that of bit N. >> >> Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest") > I think the fixes tag should likely be "x86emul: limit-check branch > targets", since it's that commit that missed the revert done here?
Well, not really. ffbbfda377 really does have a bug, irrespective of the changes in the emulator. The presence of 81d3a0b26c1 is why this bugfix is a full revert of ffbbfda377, and not just an off-by-1 adjustment. > >> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> > Acked-by: Roger Pau Monné <roger....@citrix.com> Thanks. ~Andrew