
Xen Advisory – x86 CMPXCHG8B emulation fails to ignore operand size override - based2
http://xenbits.xen.org/xsa/advisory-200.html
======
unwind
Note that this is a bug in Xen
([https://en.wikipedia.org/wiki/Xen](https://en.wikipedia.org/wiki/Xen), the
hypervisor), not in any actual x86 hardware.

It accidentally failed to ignore operand size information from the instruction
stream, which could lead to leaks of 32 or 96 bits of hypervisor memory
contents to a guest.

The patch is pretty straightforward:

    
    
                 if ( op_bytes == 8 )
        +        {
                     host_and_vcpu_must_have(cx16);
        -        op_bytes *= 2;
        +            op_bytes = 16;
        +        }
        +        else
        +            op_bytes = 8;
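
Review bot: the `if ( op_bytes == 8 )` test on the first context line still keys the CMPXCHG16B path off the decoded operand size rather than off the REX.W prefix itself, so the fix is only complete if the decoder has already resolved REX.W into op_bytes == 8 and given it precedence over a legacy 0x66 override; a short comment stating that assumption, or testing the REX.W bit directly, would make the intent (eight bytes unless REX.W) explicit. The new `else op_bytes = 8;` is the line that actually stops a 0x66 prefix from shrinking the access: as the indentation shows, the removed `op_bytes *= 2;` sat outside the unbraced if and ran for every decoded operand size, so a decoded 2-byte size became a 4-byte access where the instruction is defined to use 8.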
    

I assume (didn't read the full code) that op_bytes came from the instruction
stream.
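
As an added example (not the commenter's code and not Xen's), the following C model reproduces the width computation on both sides of the quoted patch for CMPXCHG8B/CMPXCHG16B (opcode 0F C7 /1). The prefix decoder in it is an assumption that follows the architectural rules (a 0x66 prefix toggles the default operand size between 16 and 32 bits; in 64-bit code a REX prefix with W set forces 64 bits and wins over 0x66); only the two width formulas are taken from the patch, and the cx16 CPUID check is left out. The encodings fed to it are constructed for the example.

```c
/*
 * Added example, not Xen's code: a model of the operand-size handling for
 * CMPXCHG8B / CMPXCHG16B (opcode 0F C7 /1) before and after the quoted patch.
 * The prefix decoder is an assumption that follows the architectural rules:
 * a 0x66 prefix toggles the default operand size between 16 and 32 bits,
 * and in 64-bit code a REX prefix with W set (0x48..0x4f) forces 64 bits,
 * taking precedence over 0x66. The two width formulas come from the patch.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct decoded {
    int valid;      /* 1 when the bytes encode CMPXCHG8B/16B with a memory operand */
    int op_bytes;   /* operand size the generic prefix decoding arrives at */
};

/* Decode 0x66 / REX prefixes ahead of "0F C7 /1". def_op_bytes is the code
 * segment's default operand size (2 in 16-bit code, 4 in 32- and 64-bit
 * code); mode64 says whether REX prefixes are recognised. */
static struct decoded decode_cmpxchg8b(const uint8_t *insn, size_t len,
                                       int mode64, int def_op_bytes)
{
    struct decoded d = { 0, def_op_bytes };
    size_t i = 0;
    int rex_w = 0;

    while (i < len && insn[i] == 0x66) {      /* legacy operand-size override */
        d.op_bytes = def_op_bytes ^ 6;        /* 4 -> 2, 2 -> 4 */
        i++;
    }
    if (mode64 && i < len && (insn[i] & 0xf0) == 0x40) {   /* REX prefix */
        rex_w = insn[i] & 0x08;
        i++;
    }
    if (rex_w)
        d.op_bytes = 8;                       /* REX.W wins over 0x66 */

    /* 0F C7 with ModRM.reg == 1; the register form (mod == 3) is #UD */
    if (i + 3 > len || insn[i] != 0x0f || insn[i + 1] != 0xc7)
        return d;
    uint8_t modrm = insn[i + 2];
    if (((modrm >> 3) & 7) != 1 || (modrm >> 6) == 3)
        return d;
    d.valid = 1;
    return d;
}

/* Pre-patch: the access width was twice the decoded operand size
 * ("op_bytes *= 2"), so a 0x66 prefix came through as a 4-byte access. */
static int width_before(int op_bytes) { return op_bytes * 2; }

/* Post-patch: REX.W (seen as op_bytes == 8) selects CMPXCHG16B, anything
 * else is CMPXCHG8B; legacy overrides no longer matter. */
static int width_after(int op_bytes) { return op_bytes == 8 ? 16 : 8; }

/* Width the pre-/post-patch emulator would use for an encoding; -1 if it is
 * not a valid CMPXCHG8B/16B. */
static int emulated_width_before(const uint8_t *insn, size_t len, int mode64, int def_op_bytes)
{
    struct decoded d = decode_cmpxchg8b(insn, len, mode64, def_op_bytes);
    return d.valid ? width_before(d.op_bytes) : -1;
}
static int emulated_width_after(const uint8_t *insn, size_t len, int mode64, int def_op_bytes)
{
    struct decoded d = decode_cmpxchg8b(insn, len, mode64, def_op_bytes);
    return d.valid ? width_after(d.op_bytes) : -1;
}

/* Constructed encodings (ModRM 0x0b = [ebx]/[rbx]; 0x0f = [bx] in 16-bit code). */
static const uint8_t enc32_plain[]   = { 0x0f, 0xc7, 0x0b };             /* cmpxchg8b [ebx] */
static const uint8_t enc32_66[]      = { 0x66, 0x0f, 0xc7, 0x0b };       /* 0x66 must be ignored */
static const uint8_t enc64_rexw[]    = { 0x48, 0x0f, 0xc7, 0x0b };       /* cmpxchg16b [rbx] */
static const uint8_t enc64_66_rexw[] = { 0x66, 0x48, 0x0f, 0xc7, 0x0b }; /* REX.W beats 0x66 */
static const uint8_t enc16_plain[]   = { 0x0f, 0xc7, 0x0f };             /* cmpxchg8b [bx], 16-bit code */
static const uint8_t enc32_reg[]     = { 0x0f, 0xc7, 0xcb };             /* mod == 3: not valid */

int main(void)
{
    struct { const char *name; const uint8_t *insn; size_t len; int mode64, def; } cases[] = {
        { "32-bit, no prefix",    enc32_plain,   sizeof enc32_plain,   0, 4 },
        { "32-bit, 0x66",         enc32_66,      sizeof enc32_66,      0, 4 },
        { "64-bit, REX.W",        enc64_rexw,    sizeof enc64_rexw,    1, 4 },
        { "64-bit, 0x66 + REX.W", enc64_66_rexw, sizeof enc64_66_rexw, 1, 4 },
        { "16-bit, no prefix",    enc16_plain,   sizeof enc16_plain,   0, 2 },
        { "32-bit, register form", enc32_reg,    sizeof enc32_reg,     0, 4 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int before = emulated_width_before(cases[i].insn, cases[i].len, cases[i].mode64, cases[i].def);
        int after  = emulated_width_after(cases[i].insn, cases[i].len, cases[i].mode64, cases[i].def);
        printf("%-24s before=%2d after=%2d%s\n", cases[i].name, before, after,
               before != after ? "  <-- wrong width before the fix" : "");
    }
    return 0;
}
```

The two rows that differ are the ones where a legacy 0x66 prefix, or a 16-bit default operand size, reached the emulator as a 2-byte operand and was doubled to a 4-byte access; the architectural instruction uses 8 bytes there regardless, which is what the patched `else op_bytes = 8;` restores.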

------
based2
[http://faydoc.tripod.com/cpu/cmpxchg8b.htm](http://faydoc.tripod.com/cpu/cmpxchg8b.htm)

------
JoachimSchipper
Note that this is a Xen bug, not an Intel bug.

That said, those who believe the x86 instruction set is too complex do have
one more argument now.

------
Sintendo
Why does Xen need x86 emulation code anyway?

~~~
unwind
To run x86 code on non-x86 machines would be my first guess. But I know
nothing.

~~~
Sintendo
I thought so too at first, but I'd expect non-x86 host systems running x86
guests to be vulnerable if that were the case. The advisory seems to indicate
otherwise.

Anyway, I've done some digging and found an explanation here:
[https://insinuator.net/2015/02/the-dangers-of-x86-emulation-...](https://insinuator.net/2015/02/the-dangers-of-x86-emulation-xen-xsa-110-and-105/)

tl;dr: it falls back to emulation for very specific cases that cannot be
handled by hardware-assisted virtualization

------
tptacek
Amusingly, not the first CMPXCHG8B-related bug.

------
based2
[https://en.wikipedia.org/wiki/Pentium_F00F_bug](https://en.wikipedia.org/wiki/Pentium_F00F_bug)

~~~
wolfgke
Quote from
[https://en.wikipedia.org/w/index.php?title=Pentium_F00F_bug&...](https://en.wikipedia.org/w/index.php?title=Pentium_F00F_bug&oldid=744308327):

"The Intel Quark series processors are also affected by this bug.
[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738575](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738575)"

