From 4dc6f761c8795bd7201c191fec3d30030c63184c Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Apr 09 2024 18:25:08 +0000
Subject: 2 security updates

x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]

---
diff --git a/xen.spec b/xen.spec
index 06a5573..6a7c0c6 100644
--- a/xen.spec
+++ b/xen.spec
@@ -55,7 +55,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.18.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
 Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz
@@ -114,6 +114,9 @@
 Patch49: xen.python3.12.patch
 Patch50: xen.ocaml5.fixes.patch
 Patch52: xen.gcc14.fixes.patch
 Patch53: newlib.gcc14.fixes.patch
+Patch54: xsa454-4.18-1.patch
+Patch55: xsa454-4.18-2.patch
+Patch56: xsa455.patch
 
 %if %build_qemutrad
@@ -328,6 +331,9 @@ manage Xen virtual machines.
 %endif
 %patch 52 -p1
 %patch 53 -p1
+%patch 54 -p1
+%patch 55 -p1
+%patch 56 -p1
 
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -934,6 +940,10 @@ fi
 %endif
 
 %changelog
+* Tue Apr 09 2024 Michael Young - 4.18.1-2
+- x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
+- x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
+
 * Wed Mar 20 2024 Michael Young - 4.18.1-1
 - update to xen-4.18.1
 rebase xen.gcc12.fixes.patch
diff --git a/xsa454-4.18-1.patch b/xsa454-4.18-1.patch
new file mode 100644
index 0000000..3655cc4
--- /dev/null
+++ b/xsa454-4.18-1.patch
@@ -0,0 +1,88 @@
+From: Jan Beulich
+Subject: x86/HVM: clear upper halves of GPRs upon entry from 32-bit code
+
+Hypercalls in particular can be the subject of continuations, and logic
+there checks updated state against incoming register values. If the
+guest manufactured a suitable argument register with a non-zero upper
+half before entering compatibility mode and issuing a hypercall from
+there, checks in hypercall_xlat_continuation() might trip.
+
+Since for HVM we want to also be sure to not hit a corner case in the
+emulator, initiate the clipping right from the top of
+{svm,vmx}_vmexit_handler(). Also rename the invoked function, as it no
+longer does only invalidation of fields.
+
+Note that architecturally the upper halves of registers are undefined
+after a switch between compatibility and 64-bit mode (either direction).
+Hence once having entered compatibility mode, the guest can't assume
+the upper half of any register to retain its value.
+
+This is part of XSA-454 / CVE-2023-46842.
+
+Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
+Reported-by: Manuel Andreas
+Signed-off-by: Jan Beulich
+Reviewed-by: Roger Pau MonnĂ©
+
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -2603,7 +2603,8 @@ void svm_vmexit_handler(void)
+ regs->rsp = vmcb->rsp;
+ regs->rflags = vmcb->rflags;
+
+- hvm_invalidate_regs_fields(regs);
++ hvm_sanitize_regs_fields(
++ regs, !(vmcb_get_efer(vmcb) & EFER_LMA) || !(vmcb->cs.l));
+
+ if ( paging_mode_hap(v->domain) )
+ v->arch.hvm.guest_cr[3] = v->arch.hvm.hw_cr[3] = vmcb_get_cr3(vmcb);
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -4041,6 +4041,7 @@ static void undo_nmis_unblocked_by_iret(
+ void vmx_vmexit_handler(struct cpu_user_regs *regs)
+ {
+ unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
++ unsigned long cs_ar_bytes = 0;
+ unsigned int vector = 0;
+ struct vcpu *v = current;
+ struct domain *currd = v->domain;
+@@ -4049,7 +4050,10 @@ void vmx_vmexit_handler(struct cpu_user_
+ __vmread(GUEST_RSP, ®s->rsp);
+ __vmread(GUEST_RFLAGS, ®s->rflags);
+
+- hvm_invalidate_regs_fields(regs);
++ if ( hvm_long_mode_active(v) )
++ __vmread(GUEST_CS_AR_BYTES, &cs_ar_bytes);
++
++ hvm_sanitize_regs_fields(regs, !(cs_ar_bytes & X86_SEG_AR_CS_LM_ACTIVE));
+
+ if ( paging_mode_hap(v->domain) )
+ {
+--- a/xen/arch/x86/include/asm/hvm/hvm.h
++++ b/xen/arch/x86/include/asm/hvm/hvm.h
+@@ -579,8 +579,24 @@ static inline unsigned int hvm_get_insn_
+ ? alternative_call(hvm_funcs.get_insn_bytes, v, buf) : 0);
+ }
+
+-static inline void hvm_invalidate_regs_fields(struct cpu_user_regs *regs)
++static inline void hvm_sanitize_regs_fields(struct cpu_user_regs *regs,
++ bool compat)
+ {
++ if ( compat )
++ {
++ /* Clear GPR upper halves, to counteract guests playing games. */
++ regs->rbp = regs->ebp;
++ regs->rbx = regs->ebx;
++ regs->rax = regs->eax;
++ regs->rcx = regs->ecx;
++ regs->rdx = regs->edx;
++ regs->rsi = regs->esi;
++ regs->rdi = regs->edi;
++ regs->rip = regs->eip;
++ regs->rflags = regs->eflags;
++ regs->rsp = regs->esp;
++ }
++
+ #ifndef NDEBUG
+ regs->error_code = 0xbeef;
+ regs->entry_vector = 0xbeef;
diff --git a/xsa454-4.18-2.patch b/xsa454-4.18-2.patch
new file mode 100644
index 0000000..ff8c350
--- /dev/null
+++ b/xsa454-4.18-2.patch
@@ -0,0 +1,68 @@
+From: Bjoern Doebel
+Subject: hypercall_xlat_continuation: Replace BUG_ON with domain_crash
+
+Instead of crashing the host in case of unexpected hypercall parameters,
+resort to only crashing the calling domain.
+
+This is part of XSA-454 / CVE-2023-46842.
+
+Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
+Reported-by: Manuel Andreas
+Signed-off-by: Bjoern Doebel
+Signed-off-by: Jan Beulich
+Reviewed-by: Roger Pau MonnĂ©
+
+--- a/xen/arch/x86/hypercall.c
++++ b/xen/arch/x86/hypercall.c
+@@ -140,8 +140,10 @@ int hypercall_xlat_continuation(unsigned
+ cval = va_arg(args, unsigned int);
+ if ( cval == nval )
+ mask &= ~1U;
+- else
+- BUG_ON(nval == (unsigned int)nval);
++ else if ( nval == (unsigned int)nval )
++ domain_crash(current->domain,
++ "multicall (op %lu) bogus continuation arg%u (%#lx)\n",
++ mcs->call.op, i, nval);
+ }
+ else if ( id && *id == i )
+ {
+@@ -153,8 +155,10 @@ int hypercall_xlat_continuation(unsigned
+ mcs->call.args[i] = cval;
+ ++rc;
+ }
+- else
+- BUG_ON(mcs->call.args[i] != (unsigned int)mcs->call.args[i]);
++ else if ( mcs->call.args[i] != (unsigned int)mcs->call.args[i] )
++ domain_crash(current->domain,
++ "multicall (op %lu) bad continuation arg%u (%#lx)\n",
++ mcs->call.op, i, mcs->call.args[i]);
+ }
+ }
+ else
+@@ -180,8 +184,10 @@ int hypercall_xlat_continuation(unsigned
+ cval = va_arg(args, unsigned int);
+ if ( cval == nval )
+ mask &= ~1U;
+- else
+- BUG_ON(nval == (unsigned int)nval);
++ else if ( nval == (unsigned int)nval )
++ domain_crash(current->domain,
++ "hypercall (op %u) bogus continuation arg%u (%#lx)\n",
++ regs->eax, i, nval);
+ }
+ else if ( id && *id == i )
+ {
+@@ -193,8 +199,10 @@ int hypercall_xlat_continuation(unsigned
+ *reg = cval;
+ ++rc;
+ }
+- else
+- BUG_ON(*reg != (unsigned int)*reg);
++ else if ( *reg != (unsigned int)*reg )
++ domain_crash(current->domain,
++ "hypercall (op %u) bad continuation arg%u (%#lx)\n",
++ regs->eax, i, *reg);
+ }
+ }
+
diff --git a/xsa455.patch b/xsa455.patch
new file mode 100644
index 0000000..637d21f
--- /dev/null
+++ b/xsa455.patch
@@ -0,0 +1,41 @@
+From 5bc561024f81371ff267edae73ae4a768b2f7a91 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper
+Date: Tue, 26 Mar 2024 22:47:25 +0000
+Subject: x86/spec-ctrl: Fix BTC/SRSO mitigations
+
+We were looking for SCF_entry_ibpb in the wrong variable in the top-of-stack
+block, and xen_spec_ctrl won't have had bit 5 set because Xen doesn't
+understand SPEC_CTRL_RRSBA_DIS_U yet.
+
+This is XSA-455 / CVE-2024-31142.
+
+Fixes: 53a570b28569 ("x86/spec-ctrl: Support IBPB-on-entry")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+
+diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
+index 60b0b00ed0af..071b3997b1c0 100644
+--- a/xen/arch/x86/hvm/svm/entry.S
++++ b/xen/arch/x86/hvm/svm/entry.S
+@@ -101,7 +101,7 @@ __UNLIKELY_END(nsvm_hap)
+ /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */
+
+ .macro svm_vmexit_cond_ibpb
+- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
++ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
+ jz .L_skip_ibpb
+
+ mov $MSR_PRED_CMD, %ecx
+diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+index 629518cc6925..c19b39d8c200 100644
+--- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
++++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
+@@ -90,7 +90,7 @@
+ jz .L\@_skip
+ testb $3, UREGS_cs(%rsp)
+ .else
+- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
++ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
+ .endif
+ jz .L\@_skip
+