This is for additional defence-in-depth following LDT/GDT/IDT corruption.

It causes attempted control transfers to ring 1 or 2 (via a call gate), or
attempts to use IST 3 through 7 to yield #SS[0], rather than executing with a
stack starting at the top of virtual address space.

Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com>
---
CC: Jan Beulich <jbeul...@suse.com>
---
 xen/arch/x86/cpu/common.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c
index 6c27008..8796568 100644
--- a/xen/arch/x86/cpu/common.c
+++ b/xen/arch/x86/cpu/common.c
@@ -645,6 +645,14 @@ void load_system_tables(void)
        tss->ist[IST_DF  - 1] = stack_top + IST_DF  * PAGE_SIZE;
        tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE;
 
+       /* Poision all other stack pointers to prevent their accidental use. */
+       tss->rsp1   = 0x8600111111111111ul;
+       tss->rsp2   = 0x8600222222222222ul;
+       tss->ist[3] = 0x8600444444444444ul;
+       tss->ist[4] = 0x8600555555555555ul;
+       tss->ist[5] = 0x8600666666666666ul;
+       tss->ist[6] = 0x8600777777777777ul;
+
        _set_tssldt_desc(
                gdt + TSS_ENTRY,
                (unsigned long)tss,
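Review bot: the indices in the new block do not match the description: the commit message says IST 3 through 7 are poisoned, but with the `tss->ist[IST_x - 1]` convention used in the preceding context lines, `tss->ist[3]` through `tss->ist[6]` are IST 4 through 7. Either the message or the indices should be corrected, and writing the entries as `tss->ist[4 - 1]` etc. (or a short loop over the unused slots) would make the intended IST numbers visible. Two smaller points: the comment has a typo ("Poision" should be "Poison"), and it would help to state why these particular values are chosen, i.e. that they are non-canonical, so any attempt to switch to one of these stacks raises #SS rather than silently running on a stack at the top of the address space, as the commit message explains.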
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel