| Message ID | 20200204202938.9605-1-andrew.cooper3@citrix.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | libxc/restore: Fix REC_TYPE_X86_PV_VCPU_XSAVE data auditing (take 2) | expand |
On Tue, Feb 04, 2020 at 08:29:38PM +0000, Andrew Cooper wrote: > It turns out that a bug (since forever) in Xen causes XSAVE records to have > non-architectural behaviour on xsave-capable hardware, when a PV guest has not > touched the state. > > In such a case, the data record returned from Xen is 2*uint64_t, both claiming > the (illegitimate) state of %xcr0 and %xcr0_accum being 0. > > Adjust the bound in handle_x86_pv_vcpu_blob() to cope with this. > > Fixes: 2a62c22715b "libxc/restore: Fix data auditing in handle_x86_pv_vcpu_blob()" > Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Wei Liu <wl@xen.org>
diff --git a/tools/libxc/xc_sr_restore_x86_pv.c b/tools/libxc/xc_sr_restore_x86_pv.c index 16e738884e..904ccc462a 100644 --- a/tools/libxc/xc_sr_restore_x86_pv.c +++ b/tools/libxc/xc_sr_restore_x86_pv.c @@ -827,10 +827,10 @@ static int handle_x86_pv_vcpu_blob(struct xc_sr_context *ctx, break; case REC_TYPE_X86_PV_VCPU_XSAVE: - if ( blobsz < 128 ) + if ( blobsz < 16 ) { ERROR("%s record too short: min %zu, got %u", - rec_name, sizeof(*vhdr) + 128, rec->length); + rec_name, sizeof(*vhdr) + 16, rec->length); goto out; } blob = &vcpu->xsave;
It turns out that a bug (since forever) in Xen causes XSAVE records to have non-architectural behaviour on xsave-capable hardware, when a PV guest has not touched the state. In such a case, the data record returned from Xen is 2*uint64_t, both claiming the (illegitimate) state of %xcr0 and %xcr0_accum being 0. Adjust the bound in handle_x86_pv_vcpu_blob() to cope with this. Fixes: 2a62c22715b "libxc/restore: Fix data auditing in handle_x86_pv_vcpu_blob()" Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Ian Jackson <Ian.Jackson@citrix.com> CC: Wei Liu <wl@xen.org> CC: Igor Druzhinin <igor.druzhinin@citrix.com> I'll see about fixing Xen at some other point. A second bug is that we have two copies of part of the vCPU's FPU state. --- tools/libxc/xc_sr_restore_x86_pv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)