Hypervisor crash due to missing exception recovery on XSETBV
Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn’t check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf of the guest.
lack of check (for certain invalid bit)
x86/xsave: properly check guest input to XSETBV
Other than the HVM emulation path, the PV case so far failed to check that YMM state requires SSE state to be enabled, allowing for a #GP to occur upon passing the inputs to XSETBV inside the hypervisor.
--- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2205,6 +2205,11 @@ static int emulate_privileged_op(struct if ( !(new_xfeature & XSTATE_FP) || (new_xfeature & ~xfeature_mask) ) goto fail; + /* YMM state takes SSE state as prerequisite. */ + if ( (xfeature_mask & new_xfeature & XSTATE_YMM) && + !(new_xfeature & XSTATE_SSE) ) + goto fail; + v->arch.xcr0 = new_xfeature; v->arch.xcr0_accum |= new_xfeature; set_xcr0(new_xfeature);
Malicious or buggy unprivileged user space can cause the entire host to crash.