From 2bd075f9cdc83dbfc7c50b20bd01da580a805b64 Mon Sep 17 00:00:00 2001
From: Michael Young
Date: Mar 29 2016 20:32:11 +0000
Subject: broken AMD FPU FIP/FDP/FOP leak workaround [XSA-172, CVE-2016-3158, CVE-2016-3159]
---
diff --git a/xen.spec b/xen.spec
index 7b50f84..b8cb6b3 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.5.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -149,6 +149,7 @@ Patch80: qemu.trad.CVE-2016-2857.patch
 Patch81: qemu.CVE-2015-8817+8.patch
 Patch82: qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475.patch
 Patch83: qemu.CVE-2016-1714.patch
+Patch84: xsa172.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
@@ -400,6 +401,7 @@ manage Xen virtual machines.
 %patch81 -p1
 %patch82 -p1
 %patch83 -p1
+%patch84 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -923,6 +925,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Mar 29 2016 Michael Young - 4.5.2-10
+- broken AMD FPU FIP/FDP/FOP leak workaround [XSA-172, CVE-2016-3158,
+ CVE-2016-3159] (#1321944)
+
 * Mon Mar 07 2016 Michael Young - 4.5.2-9
 - Qemu: nvram: OOB r/w access in processing firmware configurations
 CVE-2016-1714 (#1296080)
diff --git a/xsa172.patch b/xsa172.patch
new file mode 100644
index 0000000..8b1d01f
--- /dev/null
+++ b/xsa172.patch
@@ -0,0 +1,39 @@
+x86: fix information leak on AMD CPUs
+
+The fix for XSA-52 was wrong, and so was the change synchronizing that
+new behavior to the FXRSTOR logic: AMD's manuals explictly state that
+writes to the ES bit are ignored, and it instead gets calculated from
+the exception and mask bits (it gets set whenever there is an unmasked
+exception, and cleared otherwise). Hence we need to follow that model
+in our workaround.
+
+This is XSA-172.
+
+The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
+The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
+ * sometimes new user value. Both should be ok. Use the FPU saved
+ * data block as a safe address because it should be in L1.
+ */
+- if ( !(fpu_ctxt->fsw & 0x0080) &&
++ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ {
+ asm volatile ( "fnclex\n\t"
+--- a/xen/arch/x86/xstate.c
++++ b/xen/arch/x86/xstate.c
+@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
+ * data block as a safe address because it should be in L1.
+ */
+ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
+- !(ptr->fpu_sse.fsw & 0x0080) &&
++ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ asm volatile ( "fnclex\n\t" /* clear exceptions */
+ "ffree %%st(7)\n\t" /* clear stack tag */
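Review bot: The replacement test `!(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f)` in fpu_fxrstor, and its twin `!(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f)` in xrstor, carries the whole AMD rule from the patch description (writes to FSW.ES are ignored and it is derived from the exception and mask bits) but the code says nothing about it, and the comment block still visible above only explains the choice of a safe address. A reader meeting `0x003f` has to rediscover that FSW bits 0-5 are the six exception flags and FCW bits 0-5 their masks, so a line above each test such as `/* AMD ignores writes to FSW.ES and derives it from FSW & ~FCW & 0x3f (an unmasked exception is pending); presumably the FIP/FDP/FOP clearing sequence below is only wanted when that is clear. */` would keep the reasoning with the code rather than in the commit message. Since the expression is now duplicated across the two files, a small helper such as `static inline bool fpu_unmasked_exception_pending(uint16_t fsw, uint16_t fcw) { return (fsw & ~fcw & 0x003f) != 0; }` in a header both files already include would stop the two paths from drifting apart again, which is exactly the failure this XSA corrects. Both fpu_fxrstor and xrstor begin before and continue past the embedded hunks, so the rest of the asm sequence is not reviewable here.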