From c762409b331479c95fbc74ce9e43931e97f3af17 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Apr 09 2024 20:43:30 +0000
Subject: x86: Native Branch History Injection [XSA-456, CVE-2024-2201]

update to xen 4.18.2, remove patches now included upstream

---

diff --git a/.gitignore b/.gitignore
index 97a51c2..439b7c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,4 @@ lwip-1.3.0.tar.gz
 pciutils-2.2.9.tar.bz2
 zlib-1.2.3.tar.gz
 polarssl-1.1.4-gpl.tgz
-/xen-4.18.1.tar.gz
+/xen-4.18.2.tar.gz
diff --git a/sources b/sources
index 8d4dabc..5b1c173 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ SHA512 (newlib-1.16.0.tar.gz) = 40eb96bbc6736a16b6399e0cdb73e853d0d90b685c967e77
 SHA512 (zlib-1.2.3.tar.gz) = 021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e
 SHA512 (polarssl-1.1.4-gpl.tgz) = 88da614e4d3f4409c4fd3bb3e44c7587ba051e3fed4e33d526069a67e8180212e1ea22da984656f50e290049f60ddca65383e5983c0f8884f648d71f698303ad
 SHA512 (pciutils-2.2.9.tar.bz2) = 2b3d98d027e46d8c08037366dde6f0781ca03c610ef2b380984639e4ef39899ed8d8b8e4cd9c9dc54df101279b95879bd66bfd4d04ad07fef41e847ea7ae32b5
-SHA512 (xen-4.18.1.tar.gz) = 6d67c177a31dae6979c111498f65cff2a7a792299cc72e658ae9f926468c14092807de94b6e269849fafdb6ed5a9d076400ecde0c4fec3b2b4bdb5f5ef39fcbb
+SHA512 (xen-4.18.2.tar.gz) = c5feb450155883b5d2e7f43b05a64e7215b661b7d2f438d8f5a0896bd57283379ee11ca8e2e7a1d8787813cc6f1a260253fcb8688ed7d61a2bfb636db1626941
diff --git a/xen.spec b/xen.spec
index 6a7c0c6..6441674 100644
--- a/xen.spec
+++ b/xen.spec
@@ -54,8 +54,8 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
-Version: 4.18.1
-Release: 2%{?dist}
+Version: 4.18.2
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
 Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz
@@ -114,9 +114,6 @@ Patch49: xen.python3.12.patch
 Patch50: xen.ocaml5.fixes.patch
 Patch52: xen.gcc14.fixes.patch
 Patch53: newlib.gcc14.fixes.patch
-Patch54: xsa454-4.18-1.patch
-Patch55: xsa454-4.18-2.patch
-Patch56: xsa455.patch
 %if %build_qemutrad
@@ -331,9 +328,6 @@ manage Xen virtual machines.
 %endif
 %patch 52 -p1
 %patch 53 -p1
-%patch 54 -p1
-%patch 55 -p1
-%patch 56 -p1
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -940,6 +934,10 @@ fi
 %endif
 %changelog
+* Tue Apr 09 2024 Michael Young - 4.18.2-1
+- x86: Native Branch History Injection [XSA-456, CVE-2024-2201]
+- update to xen 4.18.2, remove patches now included upstream
+
 * Tue Apr 09 2024 Michael Young - 4.18.1-2
 - x86 HVM hypercalls may trigger Xen bug check [XSA-454, CVE-2023-46842]
 - x86: Incorrect logic for BTC/SRSO mitigations [XSA-455, CVE-2024-31142]
diff --git a/xsa454-4.18-1.patch b/xsa454-4.18-1.patch
deleted file mode 100644
index 3655cc4..0000000
--- a/xsa454-4.18-1.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From: Jan Beulich
-Subject: x86/HVM: clear upper halves of GPRs upon entry from 32-bit code
-
-Hypercalls in particular can be the subject of continuations, and logic
-there checks updated state against incoming register values. If the
-guest manufactured a suitable argument register with a non-zero upper
-half before entering compatibility mode and issuing a hypercall from
-there, checks in hypercall_xlat_continuation() might trip.
-
-Since for HVM we want to also be sure to not hit a corner case in the
-emulator, initiate the clipping right from the top of
-{svm,vmx}_vmexit_handler(). Also rename the invoked function, as it no
-longer does only invalidation of fields.
-
-Note that architecturally the upper halves of registers are undefined
-after a switch between compatibility and 64-bit mode (either direction).
-Hence once having entered compatibility mode, the guest can't assume
-the upper half of any register to retain its value.
-
-This is part of XSA-454 / CVE-2023-46842.
-
-Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
-Reported-by: Manuel Andreas
-Signed-off-by: Jan Beulich
-Reviewed-by: Roger Pau MonnĂ©
-
---- a/xen/arch/x86/hvm/svm/svm.c
-+++ b/xen/arch/x86/hvm/svm/svm.c
-@@ -2603,7 +2603,8 @@ void svm_vmexit_handler(void)
- regs->rsp = vmcb->rsp;
- regs->rflags = vmcb->rflags;
-
-- hvm_invalidate_regs_fields(regs);
-+ hvm_sanitize_regs_fields(
-+ regs, !(vmcb_get_efer(vmcb) & EFER_LMA) || !(vmcb->cs.l));
-
- if ( paging_mode_hap(v->domain) )
- v->arch.hvm.guest_cr[3] = v->arch.hvm.hw_cr[3] = vmcb_get_cr3(vmcb);
---- a/xen/arch/x86/hvm/vmx/vmx.c
-+++ b/xen/arch/x86/hvm/vmx/vmx.c
-@@ -4041,6 +4041,7 @@ static void undo_nmis_unblocked_by_iret(
- void vmx_vmexit_handler(struct cpu_user_regs *regs)
- {
- unsigned long exit_qualification, exit_reason, idtv_info, intr_info = 0;
-+ unsigned long cs_ar_bytes = 0;
- unsigned int vector = 0;
- struct vcpu *v = current;
- struct domain *currd = v->domain;
-@@ -4049,7 +4050,10 @@ void vmx_vmexit_handler(struct cpu_user_
- __vmread(GUEST_RSP, ®s->rsp);
- __vmread(GUEST_RFLAGS, ®s->rflags);
-
-- hvm_invalidate_regs_fields(regs);
-+ if ( hvm_long_mode_active(v) )
-+ __vmread(GUEST_CS_AR_BYTES, &cs_ar_bytes);
-+
-+ hvm_sanitize_regs_fields(regs, !(cs_ar_bytes & X86_SEG_AR_CS_LM_ACTIVE));
-
- if ( paging_mode_hap(v->domain) )
- {
---- a/xen/arch/x86/include/asm/hvm/hvm.h
-+++ b/xen/arch/x86/include/asm/hvm/hvm.h
-@@ -579,8 +579,24 @@ static inline unsigned int hvm_get_insn_
- ? alternative_call(hvm_funcs.get_insn_bytes, v, buf) : 0);
- }
-
--static inline void hvm_invalidate_regs_fields(struct cpu_user_regs *regs)
-+static inline void hvm_sanitize_regs_fields(struct cpu_user_regs *regs,
-+ bool compat)
- {
-+ if ( compat )
-+ {
-+ /* Clear GPR upper halves, to counteract guests playing games. */
-+ regs->rbp = regs->ebp;
-+ regs->rbx = regs->ebx;
-+ regs->rax = regs->eax;
-+ regs->rcx = regs->ecx;
-+ regs->rdx = regs->edx;
-+ regs->rsi = regs->esi;
-+ regs->rdi = regs->edi;
-+ regs->rip = regs->eip;
-+ regs->rflags = regs->eflags;
-+ regs->rsp = regs->esp;
-+ }
-+
- #ifndef NDEBUG
- regs->error_code = 0xbeef;
- regs->entry_vector = 0xbeef;
diff --git a/xsa454-4.18-2.patch b/xsa454-4.18-2.patch
deleted file mode 100644
index ff8c350..0000000
--- a/xsa454-4.18-2.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Bjoern Doebel
-Subject: hypercall_xlat_continuation: Replace BUG_ON with domain_crash
-
-Instead of crashing the host in case of unexpected hypercall parameters,
-resort to only crashing the calling domain.
-
-This is part of XSA-454 / CVE-2023-46842.
-
-Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
-Reported-by: Manuel Andreas
-Signed-off-by: Bjoern Doebel
-Signed-off-by: Jan Beulich
-Reviewed-by: Roger Pau MonnĂ©
-
---- a/xen/arch/x86/hypercall.c
-+++ b/xen/arch/x86/hypercall.c
-@@ -140,8 +140,10 @@ int hypercall_xlat_continuation(unsigned
- cval = va_arg(args, unsigned int);
- if ( cval == nval )
- mask &= ~1U;
-- else
-- BUG_ON(nval == (unsigned int)nval);
-+ else if ( nval == (unsigned int)nval )
-+ domain_crash(current->domain,
-+ "multicall (op %lu) bogus continuation arg%u (%#lx)\n",
-+ mcs->call.op, i, nval);
- }
- else if ( id && *id == i )
- {
-@@ -153,8 +155,10 @@ int hypercall_xlat_continuation(unsigned
- mcs->call.args[i] = cval;
- ++rc;
- }
-- else
-- BUG_ON(mcs->call.args[i] != (unsigned int)mcs->call.args[i]);
-+ else if ( mcs->call.args[i] != (unsigned int)mcs->call.args[i] )
-+ domain_crash(current->domain,
-+ "multicall (op %lu) bad continuation arg%u (%#lx)\n",
-+ mcs->call.op, i, mcs->call.args[i]);
- }
- }
- else
-@@ -180,8 +184,10 @@ int hypercall_xlat_continuation(unsigned
- cval = va_arg(args, unsigned int);
- if ( cval == nval )
- mask &= ~1U;
-- else
-- BUG_ON(nval == (unsigned int)nval);
-+ else if ( nval == (unsigned int)nval )
-+ domain_crash(current->domain,
-+ "hypercall (op %u) bogus continuation arg%u (%#lx)\n",
-+ regs->eax, i, nval);
- }
- else if ( id && *id == i )
- {
-@@ -193,8 +199,10 @@ int hypercall_xlat_continuation(unsigned
- *reg = cval;
- ++rc;
- }
-- else
-- BUG_ON(*reg != (unsigned int)*reg);
-+ else if ( *reg != (unsigned int)*reg )
-+ domain_crash(current->domain,
-+ "hypercall (op %u) bad continuation arg%u (%#lx)\n",
-+ regs->eax, i, *reg);
- }
- }
-
diff --git a/xsa455.patch b/xsa455.patch
deleted file mode 100644
index 637d21f..0000000
--- a/xsa455.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 5bc561024f81371ff267edae73ae4a768b2f7a91 Mon Sep 17 00:00:00 2001
-From: Andrew Cooper
-Date: Tue, 26 Mar 2024 22:47:25 +0000
-Subject: x86/spec-ctrl: Fix BTC/SRSO mitigations
-
-We were looking for SCF_entry_ibpb in the wrong variable in the top-of-stack
-block, and xen_spec_ctrl won't have had bit 5 set because Xen doesn't
-understand SPEC_CTRL_RRSBA_DIS_U yet.
-
-This is XSA-455 / CVE-2024-31142.
-
-Fixes: 53a570b28569 ("x86/spec-ctrl: Support IBPB-on-entry")
-Signed-off-by: Andrew Cooper
-Reviewed-by: Jan Beulich
-
-diff --git a/xen/arch/x86/hvm/svm/entry.S b/xen/arch/x86/hvm/svm/entry.S
-index 60b0b00ed0af..071b3997b1c0 100644
---- a/xen/arch/x86/hvm/svm/entry.S
-+++ b/xen/arch/x86/hvm/svm/entry.S
-@@ -101,7 +101,7 @@ __UNLIKELY_END(nsvm_hap)
- /* SPEC_CTRL_ENTRY_FROM_SVM Req: %rsp=regs/cpuinfo, %rdx=0 Clob: acd */
-
- .macro svm_vmexit_cond_ibpb
-- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
-+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
- jz .L_skip_ibpb
-
- mov $MSR_PRED_CMD, %ecx
-diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-index 629518cc6925..c19b39d8c200 100644
---- a/xen/arch/x86/include/asm/spec_ctrl_asm.h
-+++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h
-@@ -90,7 +90,7 @@
- jz .L\@_skip
- testb $3, UREGS_cs(%rsp)
- .else
-- testb $SCF_entry_ibpb, CPUINFO_xen_spec_ctrl(%rsp)
-+ testb $SCF_entry_ibpb, CPUINFO_spec_ctrl_flags(%rsp)
- .endif
- jz .L\@_skip
-