> From: Andrew Cooper <andrew.coop...@citrix.com>
> Sent: Thursday, April 6, 2023 5:53 AM
>
> At the time of XSA-170, the x86 instruction emulator was genuinely broken.
> It
> would load arbitrary values into %rip and putting a check here probably was
> the best stopgap security fix. It should have been reverted following c/s
> 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the
> emulator
> behaviour.
>
> However, everyone involved in XSA-170, myself included, failed to read the
> SDM
> correctly. On the subject of %rip consistency checks, the SDM stated:
>
> If the processor supports N < 64 linear-address bits, bits 63:N must be
> identical
>
> A non-canonical %rip (and SSP more recently) is an explicitly legal state in
> x86, and the VMEntry consistency checks are intentionally off-by-one from a
> regular canonical check.
>
> The consequence of this bug is that Xen will currently take a legal x86 state
> which would successfully VMEnter, and corrupt it into having non-
> architectural
> behaviour.
>
> Furthermore, in the time this bugfix has been pending in public, I
> successfully persuaded Intel to clarify the SDM, adding the following
> clarification:
>
> The guest RIP value is not required to be canonical; the value of bit N-1
> may differ from that of bit N.
>
> Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest")
> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
Reviewed-by: Kevin Tian <kevin.t...@intel.com>
