linux/arch/x86/xen
Frediano Ziglio 7cde9b27e7 xen: Fix possible user space selector corruption
Due to the way kernel is initialized under Xen is possible that the
ring1 selector used by the kernel for the boot cpu end up to be copied
to userspace leading to segmentation fault in the userspace.

Xen code in the kernel initialize no-boot cpus with correct selectors (ds
and es set to __USER_DS) but the boot one keep the ring1 (passed by Xen).
On task context switch (switch_to) we assume that ds, es and cs already
point to __USER_DS and __KERNEL_CSso these selector are not changed.

If processor is an Intel that support sysenter instruction sysenter/sysexit
is used so ds and es are not restored switching back from kernel to
userspace. In the case the selectors point to a ring1 instead of __USER_DS
the userspace code will crash on first memory access attempt (to be
precise Xen on the emulated iret used to do sysexit will detect and set ds
and es to zero which lead to GPF anyway).

Now if an userspace process call kernel using sysenter and get rescheduled
(for me it happen on a specific init calling wait4) could happen that the
ring1 selector is set to ds and es.

This is quite hard to detect cause after a while these selectors are fixed
(__USER_DS seems sticky).

Bisecting the code commit 7076aada10 appears
to be the first one that have this issue.

Signed-off-by: Frediano Ziglio <frediano.ziglio@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
2013-10-10 14:39:37 +00:00
..
apic.c xen/apic/xenbus/swiotlb/pcifront/grant/tmem: Make functions or variables static. 2012-08-21 14:50:03 -04:00
debugfs.c debugfs: Add support to print u32 array in debugfs 2012-04-17 00:18:36 -04:00
debugfs.h debugfs: Add support to print u32 array in debugfs 2012-04-17 00:18:36 -04:00
enlighten.c Bug-fixes: 2013-09-10 20:07:04 -07:00
grant-table.c Merge commit 'v3.2-rc3' into stable/for-linus-3.3 2011-12-20 17:01:18 -05:00
irq.c x86/xen: disable premption when enabling local irqs 2013-08-20 10:02:03 -04:00
Kconfig x86: Make Linux guest support optional 2013-03-04 13:14:25 -08:00
Makefile xen/x86: Implement x86_apic_ops 2012-05-01 14:50:33 -04:00
mmu.c Merge branch 'x86-kaslr-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:37:24 -07:00
mmu.h
multicalls.c
multicalls.h xen: use this_cpu_xxx replace percpu_xxx funcs 2012-01-24 12:20:24 -05:00
p2m.c xen/p2m: check MFN is in range before using the m2p table 2013-09-25 09:00:03 -04:00
pci-swiotlb-xen.c Merge branch 'stable/late-swiotlb.v3.3' into stable/for-linus-3.7 2012-09-22 20:01:24 -04:00
platform-pci-unplug.c xen/apic/xenbus/swiotlb/pcifront/grant/tmem: Make functions or variables static. 2012-08-21 14:50:03 -04:00
setup.c Linux 3.11-rc7 2013-09-09 12:05:37 -04:00
smp.c xen: Fix possible user space selector corruption 2013-10-10 14:39:37 +00:00
smp.h xen: Clean up apic ipi interface 2013-05-29 09:04:21 -04:00
spinlock.c xen: Do not enable spinlocks before jump_label_init() has executed 2013-09-24 16:22:26 -04:00
suspend.c Revert "xen PVonHVM: use E820_Reserved area for shared_info" 2013-02-14 21:29:31 -05:00
time.c Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-07-06 14:09:38 -07:00
trace.c
vdso.h
vga.c xen/vga: add the xen EFI video mode support 2012-09-24 09:28:57 -04:00
xen-asm_32.S x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS. 2013-02-13 15:40:30 -05:00
xen-asm_64.S
xen-asm.h
xen-asm.S xen: correctly check for pending events when restoring irq flags 2012-04-27 16:04:21 -04:00
xen-head.S xen/perf: Define .glob for the different hypercalls. 2012-07-30 14:27:48 -04:00
xen-ops.h x86/asmlinkage: Fix warning in xen asmlinkage change 2013-08-22 09:17:19 +02:00