* [PATCH] x86emul: also put_fpu() on error paths
@ 2015-05-15 12:37 Jan Beulich
2015-05-15 13:18 ` Andrew Cooper
0 siblings, 1 reply; 2+ messages in thread
From: Jan Beulich @ 2015-05-15 12:37 UTC (permalink / raw)
To: xen-devel; +Cc: Andrew Cooper, Keir Fraser
[-- Attachment #1: Type: text/plain, Size: 2401 bytes --]
fail_if() and generate_exception_if() could theoretically bypass the
normal flow reaching put_fpu(), and not invoking it would leave the
fpu_exception_callback pointer in place, allowing for the callback to
be called at an unexpected time. Luckily the two
generate_exception_if()-s that would actually trigger this are
currently commented out, so this is not (yet) a (security) issue.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -670,10 +670,14 @@ do{ (_fic)->exn_raised = 0;
rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
if ( rc ) goto done; \
} while (0)
-#define put_fpu(_fic) \
-do{ \
+#define _put_fpu() \
+do { \
if ( ops->put_fpu != NULL ) \
- ops->put_fpu(ctxt); \
+ (ops->put_fpu)(ctxt); \
+} while (0)
+#define put_fpu(_fic) \
+do { \
+ _put_fpu(); \
generate_exception_if((_fic)->exn_raised, EXC_MF, -1); \
} while (0)
@@ -3787,6 +3791,7 @@ x86_emulate(
*ctxt->regs = _regs;
done:
+ _put_fpu();
return rc;
twobyte_insn:
@@ -4632,5 +4637,6 @@ x86_emulate(
goto writeback;
cannot_emulate:
+ _put_fpu();
return X86EMUL_UNHANDLEABLE;
}
--- a/xen/arch/x86/x86_emulate/x86_emulate.h
+++ b/xen/arch/x86/x86_emulate/x86_emulate.h
@@ -384,7 +384,11 @@ struct x86_emulate_ops
enum x86_emulate_fpu_type type,
struct x86_emulate_ctxt *ctxt);
- /* put_fpu: Relinquish the FPU. Unhook from FPU/SIMD exception handlers. */
+ /*
+ * put_fpu: Relinquish the FPU. Unhook from FPU/SIMD exception handlers.
+ * The handler, if installed, must be prepared to get called without
+ * the get_fpu one having got called before!
+ */
void (*put_fpu)(
struct x86_emulate_ctxt *ctxt);
[-- Attachment #2: x86emul-put-FPU.patch --]
[-- Type: text/plain, Size: 2437 bytes --]
x86emul: also put_fpu() on error paths
fail_if() and generate_exception_if() could theoretically bypass the
normal flow reaching put_fpu(), and not invoking it would leave the
fpu_exception_callback pointer in place, allowing for the callback to
be called at an unexpected time. Luckily the two
generate_exception_if()-s that would actually trigger this are
currently commented out, so this is not (yet) a (security) issue.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -670,10 +670,14 @@ do{ (_fic)->exn_raised = 0;
rc = ops->get_fpu(fpu_handle_exception, _fic, _type, ctxt); \
if ( rc ) goto done; \
} while (0)
-#define put_fpu(_fic) \
-do{ \
+#define _put_fpu() \
+do { \
if ( ops->put_fpu != NULL ) \
- ops->put_fpu(ctxt); \
+ (ops->put_fpu)(ctxt); \
+} while (0)
+#define put_fpu(_fic) \
+do { \
+ _put_fpu(); \
generate_exception_if((_fic)->exn_raised, EXC_MF, -1); \
} while (0)
@@ -3787,6 +3791,7 @@ x86_emulate(
*ctxt->regs = _regs;
done:
+ _put_fpu();
return rc;
twobyte_insn:
@@ -4632,5 +4637,6 @@ x86_emulate(
goto writeback;
cannot_emulate:
+ _put_fpu();
return X86EMUL_UNHANDLEABLE;
}
--- a/xen/arch/x86/x86_emulate/x86_emulate.h
+++ b/xen/arch/x86/x86_emulate/x86_emulate.h
@@ -384,7 +384,11 @@ struct x86_emulate_ops
enum x86_emulate_fpu_type type,
struct x86_emulate_ctxt *ctxt);
- /* put_fpu: Relinquish the FPU. Unhook from FPU/SIMD exception handlers. */
+ /*
+ * put_fpu: Relinquish the FPU. Unhook from FPU/SIMD exception handlers.
+ * The handler, if installed, must be prepared to get called without
+ * the get_fpu one having got called before!
+ */
void (*put_fpu)(
struct x86_emulate_ctxt *ctxt);
[-- Attachment #3: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] x86emul: also put_fpu() on error paths
2015-05-15 12:37 [PATCH] x86emul: also put_fpu() on error paths Jan Beulich
@ 2015-05-15 13:18 ` Andrew Cooper
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cooper @ 2015-05-15 13:18 UTC (permalink / raw)
To: Jan Beulich, xen-devel; +Cc: Keir Fraser
On 15/05/15 13:37, Jan Beulich wrote:
> fail_if() and generate_exception_if() could theoretically bypass the
> normal flow reaching put_fpu(), and not invoking it would leave the
> fpu_exception_callback pointer in place, allowing for the callback to
> be called at an unexpected time. Luckily the two
> generate_exception_if()-s that would actually trigger this are
> currently commented out, so this is not (yet) a (security) issue.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-05-15 13:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-05-15 12:37 [PATCH] x86emul: also put_fpu() on error paths Jan Beulich
2015-05-15 13:18 ` Andrew Cooper
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).