This reverts commit 6065a05adf152a556fb9f11a5218c89e41b62893. The discussed "proper fix" has now been implemented, and the #DF path no longer writes out-of-bounds. Restore the proper #DF IST pointer.
Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> --- CC: Jan Beulich <jbeul...@suse.com> CC: Roger Pau Monné <roger....@citrix.com> Only 5 years late... --- xen/arch/x86/cpu/common.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index e8d4ca3203be..b934ce7ca487 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -847,13 +847,7 @@ void load_system_tables(void) tss->ist[IST_MCE - 1] = stack_top + (1 + IST_MCE) * PAGE_SIZE; tss->ist[IST_NMI - 1] = stack_top + (1 + IST_NMI) * PAGE_SIZE; tss->ist[IST_DB - 1] = stack_top + (1 + IST_DB) * PAGE_SIZE; - /* - * Gross bodge. The #DF handler uses the vm86 fields of cpu_user_regs - * beyond the hardware frame. Adjust the stack entrypoint so this - * doesn't manifest as an OoB write which hits the guard page. - */ - tss->ist[IST_DF - 1] = stack_top + (1 + IST_DF) * PAGE_SIZE - - (sizeof(struct cpu_user_regs) - offsetof(struct cpu_user_regs, es)); + tss->ist[IST_DF - 1] = stack_top + (1 + IST_DF) * PAGE_SIZE; tss->bitmap = IOBMP_INVALID_OFFSET; /* All other stack pointers poisioned. */ -- 2.39.5
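Review bot: the commit message should name the commit that implemented the "proper fix" for the #DF handler's out-of-bounds write, since this revert is only safe once that change is in the tree; without the reference, anyone bisecting or backporting cannot tell which commit this hunk depends on. Please add something like "Depends on: <commit id> (subject)" to the message and make sure the revert is ordered after that commit in the series. The hunk itself is otherwise fine: with the bodge gone, `tss->ist[IST_DF - 1] = stack_top + (1 + IST_DF) * PAGE_SIZE;` matches the MCE, NMI and DB entries immediately above it, so all four IST stacks now start at a page boundary. As a minor style point, the adjacent unchanged context line "All other stack pointers poisioned." carries a typo ("poisoned"); since the comment block directly above it is already being touched, it would be reasonable to fix it here or in a follow-up.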