> From: Andrew Cooper <andrew.coop...@citrix.com> > Sent: Thursday, April 6, 2023 5:53 AM > > At the time of XSA-170, the x86 instruction emulator was genuinely broken. > It > would load arbitrary values into %rip and putting a check here probably was > the best stopgap security fix. It should have been reverted following c/s > 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the > emulator > behaviour. > > However, everyone involved in XSA-170, myself included, failed to read the > SDM > correctly. On the subject of %rip consistency checks, the SDM stated: > > If the processor supports N < 64 linear-address bits, bits 63:N must be > identical > > A non-canonical %rip (and SSP more recently) is an explicitly legal state in > x86, and the VMEntry consistency checks are intentionally off-by-one from a > regular canonical check. > > The consequence of this bug is that Xen will currently take a legal x86 state > which would successfully VMEnter, and corrupt it into having non- > architectural > behaviour. > > Furthermore, in the time this bugfix has been pending in public, I > successfully persuaded Intel to clarify the SDM, adding the following > clarification: > > The guest RIP value is not required to be canonical; the value of bit N-1 > may differ from that of bit N. > > Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest") > Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
Reviewed-by: Kevin Tian <kevin.t...@intel.com>