On 23/08/2023 12:15 pm, Roger Pau Monné wrote:
> On Wed, Apr 05, 2023 at 10:52:45PM +0100, Andrew Cooper wrote:
>> At the time of XSA-170, the x86 instruction emulator was genuinely broken.
>> It
>> would load arbitrary values into %rip and putting a check here probably was
>> the best stopgap security fix. It should have been reverted following c/s
>> 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the
>> emulator
>> behaviour.
>>
>> However, everyone involved in XSA-170, myself included, failed to read the
>> SDM
>> correctly. On the subject of %rip consistency checks, the SDM stated:
>>
>> If the processor supports N < 64 linear-address bits, bits 63:N must be
>> identical
>>
>> A non-canonical %rip (and SSP more recently) is an explicitly legal state in
>> x86, and the VMEntry consistency checks are intentionally off-by-one from a
>> regular canonical check.
>>
>> The consequence of this bug is that Xen will currently take a legal x86 state
>> which would successfully VMEnter, and corrupt it into having
>> non-architectural
>> behaviour.
>>
>> Furthermore, in the time this bugfix has been pending in public, I
>> successfully persuaded Intel to clarify the SDM, adding the following
>> clarification:
>>
>> The guest RIP value is not required to be canonical; the value of bit N-1
>> may differ from that of bit N.
>>
>> Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest")
> I think the fixes tag should likely be "x86emul: limit-check branch
> targets", since it's that commit that missed the revert done here?
Well, not really. ffbbfda377 really does have a bug, irrespective of
the changes in the emulator.
The presence of 81d3a0b26c1 is why this bugfix is a full revert of
ffbbfda377, and not just an off-by-1 adjustment.
>
>> Signed-off-by: Andrew Cooper <[email protected]>
> Acked-by: Roger Pau Monné <[email protected]>
Thanks.
~Andrew
