head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.4
	pkgsrc-2016Q4-base:1.1
	pkgsrc-2016Q3:1.1.0.2
	pkgsrc-2016Q3-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2017.03.20.18.17.13;	author bouyer;	state dead;
branches;
next	1.1;
commitid	d3qkVwbNTy4nKjKz;

1.1
date	2016.09.08.15.44.07;	author bouyer;	state Exp;
branches;
next	;
commitid	rVgN7Hpc3S5D6vlz;


desc
@@


1.2
log
@Update xenkernel46 and xentools46 to 4.6.5. Changes since 4.6.3:
various bug fixes. Includes all security patches up to and including
XSA-209
@
text
@$NetBSD: patch-XSA-186-1,v 1.1 2016/09/08 15:44:07 bouyer Exp $

From: Andrew Cooper <andrew.cooper3@@citrix.com>
Subject: hvm/fep: Allow testing of instructions crossing the -1 -> 0 virtual boundary

The Force Emulation Prefix is named to follow its PV counterpart for cpuid or
rdtsc, but isn't really an instruction prefix.  It behaves as a break-out into
Xen, with the purpose of emulating the next instruction in the current state.

It is important to be able to test legal situations which occur in real
hardware, including instruction which cross certain boundaries, and
instructions starting at 0.

Reported-by: Brian Marcotte <marcotte@@panix.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@@suse.com>

--- xen/arch/x86/hvm/svm/svm.c.orig
+++ xen/arch/x86/hvm/svm/svm.c
@@@@ -2139,6 +2139,10 @@@@ static void svm_vmexit_ud_intercept(stru
         {
             regs->eip += sizeof(sig);
             regs->eflags &= ~X86_EFLAGS_RF;
+
+            /* Zero the upper 32 bits of %rip if not in long mode. */
+            if ( svm_guest_x86_mode(current) != 8 )
+                regs->eip = regs->_eip;
         }
     }
 
--- xen/arch/x86/hvm/vmx/vmx.c.orig
+++ xen/arch/x86/hvm/vmx/vmx.c
@@@@ -2757,6 +2757,10 @@@@ static void vmx_vmexit_ud_intercept(stru
         {
             regs->eip += sizeof(sig);
             regs->eflags &= ~X86_EFLAGS_RF;
+
+            /* Zero the upper 32 bits of %rip if not in long mode. */
+            if ( vmx_guest_x86_mode(current) != 8 )
+                regs->eip = regs->_eip;
         }
     }
 
@


1.1
log
@Apply upstream patches for:
XSA-185: x86: Disallow L3 recursive pagetable for 32-bit PV guests
XSA-186: x86: Mishandling of instruction pointer truncation during emulation
XSA-187: x86 HVM: Overflow of sh_ctxt->seg_reg[]
bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD: $
@