From 4e968a50d398db5876647084e60e5be39302b460 Mon Sep 17 00:00:00 2001 Message-Id: <4e968a50d398db5876647084e60e5be39302b460.1459496262.git.hahn@univention.de> From: Philipp Hahn Date: Wed, 30 Mar 2016 19:12:44 +0200 Subject: [PATCH 1/3] xsa172-4.3 Organization: Univention GmbH, Bremen, Germany To: xen-devel@lists.xen.org x86: fix information leak on AMD CPUs The fix for XSA-52 was wrong, and so was the change synchronizing that new behavior to the FXRSTOR logic: AMD's manuals explictly state that writes to the ES bit are ignored, and it instead gets calculated from the exception and mask bits (it gets set whenever there is an unmasked exception, and cleared otherwise). Hence we need to follow that model in our workaround. This is XSA-172 / CVE-2016-3158. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper Signed-off-by: Philipp Hahn --- xen/arch/x86/i387.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -52,7 +52,7 @@ static void xrstor(struct vcpu *v) * data block as a safe address because it should be in L1. */ if ( (ptr->xsave_hdr.xstate_bv & XSTATE_FP) && - !(ptr->fpu_sse.fsw & 0x0080) && + !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) && boot_cpu_data.x86_vendor == X86_VENDOR_AMD ) asm volatile ( "fnclex\n\t" /* clear exceptions */ "ffree %%st(7)\n\t" /* clear stack tag */
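Review bot: the commit message says both the XSA-52 workaround and the change that synchronized it to the FXRSTOR logic were wrong, but the diffstat (xen/arch/x86/i387.c, 1 insertion, 1 deletion) and this single hunk only change the test in xrstor(); either the fxrstor() path in this 4.3 tree still carries the old `0x0080` test and needs the same `fsw & ~fcw & 0x003f` treatment, or the message should say why it does not apply to this backport. The new condition also deserves a short comment above it, since `0x003f` is not self-explanatory: it selects the six exception flags in FSW (IE, DE, ZE, OE, UE, PE), `~ptr->fpu_sse.fcw` drops the ones that are masked in FCW, so the expression is "an unmasked exception is pending", which is exactly what the message says AMD derives ES from; the old `0x0080` test read the ES bit directly, which the message explains is ignored on restore, and a one-line comment saying so will stop the next reader from "simplifying" it back.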