x86/xen: don't do PV iret hypercall through hypercall page

commit a2796dff62d6c6bfc5fbebdf2bee0d5ac0438906 upstream.

Instead of jumping to the Xen hypercall page for doing the iret
hypercall, directly code the required sequence in xen-asm.S.

This is done in preparation of no longer using hypercall page at all,
as it has shown to cause problems with speculation mitigations.

This is part of XSA-466 / CVE-2024-53241.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/x86/xen/xen-asm.S b/arch/x86/xen/xen-asm.S
index 3a33713cf449fbb4f85ac51c5ac513554f7e1f66..94bed27f67291f7a0e3506a43b67c269fd4607f6 100644 (file)
--- a/arch/x86/xen/xen-asm.S
+++ b/arch/x86/xen/xen-asm.S
@@ -198,7 +198,6 @@ SYM_CODE_START(xen_early_idt_handler_array)
 SYM_CODE_END(xen_early_idt_handler_array)
        __FINIT
 
-hypercall_iret = hypercall_page + __HYPERVISOR_iret * 32
 /*
  * Xen64 iret frame:
  *
@@ -208,16 +207,27 @@ hypercall_iret = hypercall_page + __HYPERVISOR_iret * 32
  *     cs
  *     rip             <-- standard iret frame
  *
- *     flags
+ *     flags           <-- xen_iret must push from here on
  *
- *     rcx             }
- *     r11             }<-- pushed by hypercall page
- * rsp->rax            }
+ *     rcx
+ *     r11
+ * rsp->rax
  */
+.macro xen_hypercall_iret
+       pushq $0        /* Flags */
+       push %rcx
+       push %r11
+       push %rax
+       mov  $__HYPERVISOR_iret, %eax
+       syscall         /* Do the IRET. */
+#ifdef CONFIG_MITIGATION_SLS
+       int3
+#endif
+.endm
+
 SYM_CODE_START(xen_iret)
        UNWIND_HINT_EMPTY
-       pushq $0
-       jmp hypercall_iret
+       xen_hypercall_iret
 SYM_CODE_END(xen_iret)
 
 /*
@@ -318,8 +328,7 @@ SYM_CODE_START(xen_entry_SYSENTER_compat)
        UNWIND_HINT_ENTRY
        lea 16(%rsp), %rsp      /* strip %rcx, %r11 */
        mov $-ENOSYS, %rax
-       pushq $0
-       jmp hypercall_iret
+       xen_hypercall_iret
 SYM_CODE_END(xen_entry_SYSENTER_compat)
 SYM_CODE_END(xen_entry_SYSCALL_compat)