head	1.2;
access;
symbols
	pkgsrc-2025Q3:1.1.0.18
	pkgsrc-2025Q3-base:1.1
	pkgsrc-2025Q2:1.1.0.16
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.14
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.12
	pkgsrc-2024Q4-base:1.1
	pkgsrc-2024Q3:1.1.0.10
	pkgsrc-2024Q3-base:1.1
	pkgsrc-2024Q2:1.1.0.8
	pkgsrc-2024Q2-base:1.1
	pkgsrc-2024Q1:1.1.0.6
	pkgsrc-2024Q1-base:1.1
	pkgsrc-2023Q4:1.1.0.4
	pkgsrc-2023Q4-base:1.1
	pkgsrc-2023Q3:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2025.10.21.13.42.55;	author bouyer;	state dead;
branches;
next	1.1;
commitid	7iYGhItznjMPorfG;

1.1
date	2023.11.15.15.59.36;	author bouyer;	state Exp;
branches
	1.1.2.1;
next	;
commitid	ChAJVaTOI2nkQIME;

1.1.2.1
date	2023.11.15.15.59.36;	author bsiegert;	state dead;
branches;
next	1.1.2.2;
commitid	GoFxWjHbRICPvANE;

1.1.2.2
date	2023.11.22.09.37.25;	author bsiegert;	state Exp;
branches;
next	;
commitid	GoFxWjHbRICPvANE;


desc
@@


1.2
log
@remove xenkernel415 and xentools415. Xen 4.15 is EOL upstream
@
text
@$NetBSD: patch-XSA446,v 1.1 2023/11/15 15:59:36 bouyer Exp $

From 80d5aada598c3a800a350003d5d582931545e13c Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@@citrix.com>
Date: Thu, 26 Oct 2023 14:37:38 +0100
Subject: [PATCH] x86/spec-ctrl: Remove conditional IRQs-on-ness for INT
 $0x80/0x82 paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before speculation defences, some paths in Xen could genuinely get away with
being IRQs-on at entry.  But XPTI invalidated this property on most paths, and
attempting to maintain it on the remaining paths was a mistake.

Fast forward, and DO_SPEC_CTRL_COND_IBPB (protection for AMD BTC/SRSO) is not
IRQ-safe, running with IRQs enabled in some cases.  The other actions taken on
these paths happen to be IRQ-safe.

Make entry_int82() and int80_direct_trap() unconditionally Interrupt Gates
rather than Trap Gates.  Remove the conditional re-adjustment of
int80_direct_trap() in smp_prepare_cpus(), and have entry_int82() explicitly
enable interrupts when safe to do so.

In smp_prepare_cpus(), with the conditional re-adjustment removed, the
clearing of pv_cr3 is the only remaining action gated on XPTI, and it is out
of place anyway, repeating work already done by smp_prepare_boot_cpu().  Drop
the entire if() condition to avoid leaving an incorrect vestigial remnant.

Also drop comments which make incorrect statements about when its safe to
enable interrupts.

This is XSA-446 / CVE-2023-46836

Signed-off-by: Andrew Cooper <andrew.cooper3@@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@@citrix.com>
---
 xen/arch/x86/pv/traps.c            |  4 ++--
 xen/arch/x86/smpboot.c             | 14 --------------
 xen/arch/x86/x86_64/compat/entry.S |  2 ++
 xen/arch/x86/x86_64/entry.S        |  1 -
 4 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/xen/arch/x86/pv/traps.c b/xen/arch/x86/pv/traps.c
index 74f333da7e1c..240d1a2db7a3 100644
--- xen/arch/x86/pv/traps.c.orig
+++ xen/arch/x86/pv/traps.c
@@@@ -139,11 +139,11 @@@@ void __init pv_trap_init(void)
 #ifdef CONFIG_PV32
     /* The 32-on-64 hypercall vector is only accessible from ring 1. */
     _set_gate(idt_table + HYPERCALL_VECTOR,
-              SYS_DESC_trap_gate, 1, entry_int82);
+              SYS_DESC_irq_gate, 1, entry_int82);
 #endif
 
     /* Fast trap for int80 (faster than taking the #GP-fixup path). */
-    _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_trap_gate, 3,
+    _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3,
               &int80_direct_trap);
 
     open_softirq(NMI_SOFTIRQ, nmi_softirq);
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index 3a1a659082c6..4c54ecbc91d7 100644
--- xen/arch/x86/smpboot.c.orig
+++ xen/arch/x86/smpboot.c
@@@@ -1158,20 +1158,6 @@@@ void __init smp_prepare_cpus(void)
 
     stack_base[0] = (void *)((unsigned long)stack_start & ~(STACK_SIZE - 1));
 
-    if ( opt_xpti_hwdom || opt_xpti_domu )
-    {
-        get_cpu_info()->pv_cr3 = 0;
-
-#ifdef CONFIG_PV
-        /*
-         * All entry points which may need to switch page tables have to start
-         * with interrupts off. Re-write what pv_trap_init() has put there.
-         */
-        _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3,
-                  &int80_direct_trap);
-#endif
-    }
-
     set_nr_sockets();
 
     socket_cpumask = xzalloc_array(cpumask_t *, nr_sockets);
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index bd5abd8040bd..fcc3a721f147 100644
--- xen/arch/x86/x86_64/compat/entry.S.orig
+++ xen/arch/x86/x86_64/compat/entry.S
@@@@ -21,6 +21,8 @@@@ ENTRY(entry_int82)
         SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
         /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
 
+        sti
+
         CR4_PV32_RESTORE
 
         GET_CURRENT(bx)
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 5ca74f5f62b2..9a7b129aa7e4 100644
--- xen/arch/x86/x86_64/entry.S.orig
+++ xen/arch/x86/x86_64/entry.S
@@@@ -327,7 +327,6 @@@@ ENTRY(sysenter_entry)
 #ifdef CONFIG_XEN_SHSTK
         ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK
 #endif
-        /* sti could live here when we don't switch page tables below. */
         pushq $FLAT_USER_SS
         pushq $0
         pushfq

base-commit: 7befef87cc9b1bb8ca15d866ce1ecd9165ccb58c
prerequisite-patch-id: 142a87c707411d49e136c3fb76f1b14963ec6dc8
-- 
2.30.2

@


1.1
log
@xen*415: apply upstream patches for Xen Security Advisory
XSA-439, XSA-440, XSA-442, XSA-443, XSA-444, XSA-445, XSA-446
bump PKGREVISIONs
@
text
@d1 1
a1 1
$NetBSD: $
@


1.1.2.1
log
@file patch-XSA446 was added on branch pkgsrc-2023Q3 on 2023-11-22 09:37:25 +0000
@
text
@d1 117
@


1.1.2.2
log
@Pullup ticket #6823 - requested by bouyer
sysutils/xenkernel415: security fix
sysutils/xentools415: security fix

Revisions pulled up:
- sysutils/xenkernel415/Makefile                                1.12
- sysutils/xenkernel415/distinfo                                1.11
- sysutils/xenkernel415/patches/patch-XSA439                    1.1
- sysutils/xenkernel415/patches/patch-XSA442                    1.1
- sysutils/xenkernel415/patches/patch-XSA444                    1.1
- sysutils/xenkernel415/patches/patch-XSA445                    1.1
- sysutils/xenkernel415/patches/patch-XSA446                    1.1
- sysutils/xentools415/Makefile                                 1.28
- sysutils/xentools415/PLIST                                    1.4
- sysutils/xentools415/distinfo                                 1.14
- sysutils/xentools415/patches/patch-XSA440                     1.1
- sysutils/xentools415/patches/patch-XSA443                     1.1

---
   Module Name:	pkgsrc
   Committed By:	bouyer
   Date:		Wed Nov 15 15:59:36 UTC 2023

   Modified Files:
   	pkgsrc/sysutils/xenkernel415: Makefile distinfo
   	pkgsrc/sysutils/xentools415: Makefile PLIST distinfo
   Added Files:
   	pkgsrc/sysutils/xenkernel415/patches: patch-XSA439 patch-XSA442
   	    patch-XSA444 patch-XSA445 patch-XSA446
   	pkgsrc/sysutils/xentools415/patches: patch-XSA440 patch-XSA443

   Log Message:
   xen*415: apply upstream patches for Xen Security Advisory
   XSA-439, XSA-440, XSA-442, XSA-443, XSA-444, XSA-445, XSA-446
   bump PKGREVISIONs
@
text
@a0 117
$NetBSD: patch-XSA446,v 1.1 2023/11/15 15:59:36 bouyer Exp $

From 80d5aada598c3a800a350003d5d582931545e13c Mon Sep 17 00:00:00 2001
From: Andrew Cooper <andrew.cooper3@@citrix.com>
Date: Thu, 26 Oct 2023 14:37:38 +0100
Subject: [PATCH] x86/spec-ctrl: Remove conditional IRQs-on-ness for INT
 $0x80/0x82 paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before speculation defences, some paths in Xen could genuinely get away with
being IRQs-on at entry.  But XPTI invalidated this property on most paths, and
attempting to maintain it on the remaining paths was a mistake.

Fast forward, and DO_SPEC_CTRL_COND_IBPB (protection for AMD BTC/SRSO) is not
IRQ-safe, running with IRQs enabled in some cases.  The other actions taken on
these paths happen to be IRQ-safe.

Make entry_int82() and int80_direct_trap() unconditionally Interrupt Gates
rather than Trap Gates.  Remove the conditional re-adjustment of
int80_direct_trap() in smp_prepare_cpus(), and have entry_int82() explicitly
enable interrupts when safe to do so.

In smp_prepare_cpus(), with the conditional re-adjustment removed, the
clearing of pv_cr3 is the only remaining action gated on XPTI, and it is out
of place anyway, repeating work already done by smp_prepare_boot_cpu().  Drop
the entire if() condition to avoid leaving an incorrect vestigial remnant.

Also drop comments which make incorrect statements about when its safe to
enable interrupts.

This is XSA-446 / CVE-2023-46836

Signed-off-by: Andrew Cooper <andrew.cooper3@@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@@citrix.com>
---
 xen/arch/x86/pv/traps.c            |  4 ++--
 xen/arch/x86/smpboot.c             | 14 --------------
 xen/arch/x86/x86_64/compat/entry.S |  2 ++
 xen/arch/x86/x86_64/entry.S        |  1 -
 4 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/xen/arch/x86/pv/traps.c b/xen/arch/x86/pv/traps.c
index 74f333da7e1c..240d1a2db7a3 100644
--- xen/arch/x86/pv/traps.c.orig
+++ xen/arch/x86/pv/traps.c
@@@@ -139,11 +139,11 @@@@ void __init pv_trap_init(void)
 #ifdef CONFIG_PV32
     /* The 32-on-64 hypercall vector is only accessible from ring 1. */
     _set_gate(idt_table + HYPERCALL_VECTOR,
-              SYS_DESC_trap_gate, 1, entry_int82);
+              SYS_DESC_irq_gate, 1, entry_int82);
 #endif
 
     /* Fast trap for int80 (faster than taking the #GP-fixup path). */
-    _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_trap_gate, 3,
+    _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3,
               &int80_direct_trap);
 
     open_softirq(NMI_SOFTIRQ, nmi_softirq);
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c
index 3a1a659082c6..4c54ecbc91d7 100644
--- xen/arch/x86/smpboot.c.orig
+++ xen/arch/x86/smpboot.c
@@@@ -1158,20 +1158,6 @@@@ void __init smp_prepare_cpus(void)
 
     stack_base[0] = (void *)((unsigned long)stack_start & ~(STACK_SIZE - 1));
 
-    if ( opt_xpti_hwdom || opt_xpti_domu )
-    {
-        get_cpu_info()->pv_cr3 = 0;
-
-#ifdef CONFIG_PV
-        /*
-         * All entry points which may need to switch page tables have to start
-         * with interrupts off. Re-write what pv_trap_init() has put there.
-         */
-        _set_gate(idt_table + LEGACY_SYSCALL_VECTOR, SYS_DESC_irq_gate, 3,
-                  &int80_direct_trap);
-#endif
-    }
-
     set_nr_sockets();
 
     socket_cpumask = xzalloc_array(cpumask_t *, nr_sockets);
diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S
index bd5abd8040bd..fcc3a721f147 100644
--- xen/arch/x86/x86_64/compat/entry.S.orig
+++ xen/arch/x86/x86_64/compat/entry.S
@@@@ -21,6 +21,8 @@@@ ENTRY(entry_int82)
         SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */
         /* WARNING! `ret`, `call *`, `jmp *` not safe before this point. */
 
+        sti
+
         CR4_PV32_RESTORE
 
         GET_CURRENT(bx)
diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S
index 5ca74f5f62b2..9a7b129aa7e4 100644
--- xen/arch/x86/x86_64/entry.S.orig
+++ xen/arch/x86/x86_64/entry.S
@@@@ -327,7 +327,6 @@@@ ENTRY(sysenter_entry)
 #ifdef CONFIG_XEN_SHSTK
         ALTERNATIVE "", "setssbsy", X86_FEATURE_XEN_SHSTK
 #endif
-        /* sti could live here when we don't switch page tables below. */
         pushq $FLAT_USER_SS
         pushq $0
         pushfq

base-commit: 7befef87cc9b1bb8ca15d866ce1ecd9165ccb58c
prerequisite-patch-id: 142a87c707411d49e136c3fb76f1b14963ec6dc8
-- 
2.30.2

@