On Wed, Apr 05, 2023 at 10:52:45PM +0100, Andrew Cooper wrote:
> At the time of XSA-170, the x86 instruction emulator was genuinely broken. It
> would load arbitrary values into %rip and putting a check here probably was
> the best stopgap security fix. It should have been reverted following c/s
> 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the emulator
> behaviour.
>
> However, everyone involved in XSA-170, myself included, failed to read the SDM
> correctly. On the subject of %rip consistency checks, the SDM stated:
>
> If the processor supports N < 64 linear-address bits, bits 63:N must be
> identical
>
> A non-canonical %rip (and SSP more recently) is an explicitly legal state in
> x86, and the VMEntry consistency checks are intentionally off-by-one from a
> regular canonical check.
>
> The consequence of this bug is that Xen will currently take a legal x86 state
> which would successfully VMEnter, and corrupt it into having non-architectural
> behaviour.
>
> Furthermore, in the time this bugfix has been pending in public, I
> successfully persuaded Intel to clarify the SDM, adding the following
> clarification:
>
> The guest RIP value is not required to be canonical; the value of bit N-1
> may differ from that of bit N.
>
> Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest")
I think the fixes tag should likely be "x86emul: limit-check branch
targets", since it's that commit that missed the revert done here?
> Signed-off-by: Andrew Cooper <[email protected]>
Acked-by: Roger Pau Monné <[email protected]>
Thanks, Roger.
