On 11.03.2025 22:10, Andrew Cooper wrote:
> This reverts commit 6065a05adf152a556fb9f11a5218c89e41b62893.
>
> The discussed "proper fix" has now been implemented, and the #DF path no
> longer writes out-of-bounds. Restore the proper #DF IST pointer.
>
> Signed-off-by: Andrew Cooper <[email protected]>
Acked-by: Jan Beulich <[email protected]> > --- a/xen/arch/x86/cpu/common.c > +++ b/xen/arch/x86/cpu/common.c > @@ -847,13 +847,7 @@ void load_system_tables(void) > tss->ist[IST_MCE - 1] = stack_top + (1 + IST_MCE) * PAGE_SIZE; > tss->ist[IST_NMI - 1] = stack_top + (1 + IST_NMI) * PAGE_SIZE; > tss->ist[IST_DB - 1] = stack_top + (1 + IST_DB) * PAGE_SIZE; > - /* > - * Gross bodge. The #DF handler uses the vm86 fields of cpu_user_regs > - * beyond the hardware frame. Adjust the stack entrypoint so this > - * doesn't manifest as an OoB write which hits the guard page. > - */ > - tss->ist[IST_DF - 1] = stack_top + (1 + IST_DF) * PAGE_SIZE - > - (sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, > es)); > + tss->ist[IST_DF - 1] = stack_top + (1 + IST_DF) * PAGE_SIZE; And one of these "es is special" also gone. Jan
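Review bot: the commit message says the "proper fix" for the #DF path is now in place but does not name the commit, so the ordering dependency of this revert is implicit; please cite that commit in the message (or a Depends-on line), since applying this revert ahead of it would reintroduce exactly the out-of-bounds write into the guard page that the removed comment in load_system_tables() describes ("Gross bodge. The #DF handler uses the vm86 fields of cpu_user_regs beyond the hardware frame").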
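The arithmetic behind the removed bodge, and why the plain IST pointer is safe once the #DF handler stops touching the fields beyond the hardware frame, worked through as an added example. This is not Xen code and not part of the thread: the struct layout, the IST_DF value, the stack_top value and the page layout (IST stack page followed by a guard page) are all assumptions made for illustration; only the two pointer expressions are taken from the hunk.

```c
/*
 * Added example (not Xen's code): model the #DF IST stack pointer choice
 * from the patch above and check whether a register frame written at that
 * pointer stays inside the IST stack page or spills into the page above it.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define IST_DF    4          /* assumed index; the real value is not on the page */

/*
 * Hypothetical register frame. The hardware-pushed part ends at ss; the
 * fields after it (the "vm86 fields" the removed comment refers to) sit at
 * HIGHER addresses than ss, i.e. above the IST pointer itself.
 */
struct frame {
    uint64_t error_code, rip, cs, rflags, rsp, ss;   /* pushed by hardware */
    uint64_t es, ds, fs, gs;                         /* software-only tail */
};

/* Bytes of the frame the handler writes, in the two states discussed. */
#define USED_FULL_FRAME     sizeof(struct frame)          /* old #DF handler */
#define USED_HW_FRAME_ONLY  offsetof(struct frame, es)    /* after the proper fix */

/* The IST pointer from the restored line of the hunk. */
static uintptr_t ist_plain(uintptr_t stack_top)
{
    return stack_top + (1 + IST_DF) * PAGE_SIZE;
}

/* The IST pointer from the removed lines: lowered by the size of the tail. */
static uintptr_t ist_bodged(uintptr_t stack_top)
{
    return ist_plain(stack_top) -
           (sizeof(struct frame) - offsetof(struct frame, es));
}

/*
 * Hardware pushes ss as the first word below the IST pointer, so the frame
 * starts at ist - (offsetof(ss) + 8).
 */
static uintptr_t frame_base(uintptr_t ist)
{
    return ist - (offsetof(struct frame, ss) + sizeof(uint64_t));
}

/* True if the first `used` bytes of the frame lie within [lo, hi). */
static bool frame_in_bounds(uintptr_t ist, size_t used, uintptr_t lo, uintptr_t hi)
{
    uintptr_t base = frame_base(ist);
    return base >= lo && base + used <= hi;
}

/* The IST stack page for #DF, given the same stack_top the hunk uses. */
static uintptr_t df_stack_lo(uintptr_t stack_top)
{
    return stack_top + IST_DF * PAGE_SIZE;
}
static uintptr_t df_stack_hi(uintptr_t stack_top)
{
    return stack_top + (1 + IST_DF) * PAGE_SIZE;   /* page above is the guard */
}

int main(void)
{
    uintptr_t top = 0x100000;   /* assumed stack_top */
    uintptr_t lo = df_stack_lo(top), hi = df_stack_hi(top);

    printf("plain ptr, full frame : %s\n",
           frame_in_bounds(ist_plain(top), USED_FULL_FRAME, lo, hi) ? "fits" : "OoB");
    printf("bodged ptr, full frame: %s\n",
           frame_in_bounds(ist_bodged(top), USED_FULL_FRAME, lo, hi) ? "fits" : "OoB");
    printf("plain ptr, hw frame   : %s\n",
           frame_in_bounds(ist_plain(top), USED_HW_FRAME_ONLY, lo, hi) ? "fits" : "OoB");
    return 0;
}
```

With the old handler writing the full frame, the plain pointer puts the es..gs tail above the top of the IST page (into the guard page) and the bodge lowers the entry point by exactly that tail so the frame ends on the page boundary; once the handler only touches the hardware frame, the plain pointer is in bounds and the bodge has nothing left to compensate for.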
