>>> On 20.11.15 at 16:03, <stefan.ba...@canonical.com> wrote:
> I am currently trying to backport the changes of XSA156 back to Xen-4.1.x and
> I
> am struggling with the VMX side. I did see the backports made for 4.2 and 3.4
> on
> the security mailing list but I am not sure the 3.4 backport is not having the
> same issues (or similar ones).
>
> Trying to write down my understanding of the changes: For the 3.4 backport
> there
> are only changes to the toggles for debugging and the general trap mask. So
> if I
> understand this right, before the change, TRAP_debug and TRAP_int3 were only
> handled in vmexit when a debugger was attached to the domain. Now, only
> TRAP_int3 will be toggled and TRAP_debug is always handled.
I've never looked at that 3.4 backport, but not changing the VMEXIT
handling certainly sounds wrong. I'll attach what I have done for 4.1.
Please report back any problems you encounter.
Jan
References: bsc#953527 CVE-2015-5307 XSA-156
x86/HVM: always intercept #AC and #DB
Both being benign exceptions, and both being possible to get triggered
by exception delivery, this is required to prevent a guest from locking
up a CPU (resulting from no other VM exits occurring once getting into
such a loop).
The specific scenarios:
1) #AC may be raised during exception delivery if the handler is set to
be a ring-3 one by a 32-bit guest, and the stack is misaligned.
2) #DB may be raised during exception delivery when a breakpoint got
placed on a data structure involved in delivering the exception. This
can result in an endless loop when a 64-bit guest uses a non-zero IST
for the vector 1 IDT entry, but even without use of IST the time it
takes until a contributory fault would get raised (results depending
on the handler) may be quite long.
This is XSA-156.
Signed-off-by: Jan Beulich <jbeul...@suse.com>
Reviewed-by: Andrew Cooper <andrew.coop...@citrix.com>
Tested-by: Andrew Cooper <andrew.coop...@citrix.com>
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -764,10 +764,11 @@ static void svm_do_resume(struct vcpu *v
if ( unlikely(v->arch.hvm_vcpu.debug_state_latch != debug_state) )
{
uint32_t intercepts = vmcb_get_exception_intercepts(vmcb);
- uint32_t mask = (1U << TRAP_debug) | (1U << TRAP_int3);
+
v->arch.hvm_vcpu.debug_state_latch = debug_state;
vmcb_set_exception_intercepts(
- vmcb, debug_state ? (intercepts | mask) : (intercepts & ~mask));
+ vmcb, debug_state ? (intercepts | (1U << TRAP_int3))
+ : (intercepts & ~(1U << TRAP_int3)));
}
if ( v->arch.hvm_svm.launch_core != smp_processor_id() )
@@ -1640,8 +1641,9 @@ void svm_vmexit_handler(struct cpu_user_
case VMEXIT_EXCEPTION_DB:
if ( !v->domain->debugger_attached )
- goto exit_and_crash;
- domain_pause_for_debugger();
+ svm_inject_exception(TRAP_debug, HVM_DELIVER_NO_ERROR_CODE, 0);
+ else
+ domain_pause_for_debugger();
break;
case VMEXIT_EXCEPTION_BP:
@@ -1689,6 +1691,10 @@ void svm_vmexit_handler(struct cpu_user_
break;
}
+ case VMEXIT_EXCEPTION_AC:
+ svm_inject_exception(TRAP_alignment_check, vmcb->exitinfo1, 0);
+ break;
+
case VMEXIT_EXCEPTION_UD:
svm_vmexit_ud_intercept(regs);
break;
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -1129,18 +1129,12 @@ static void vmx_update_host_cr3(struct v
void vmx_update_debug_state(struct vcpu *v)
{
- unsigned long mask;
-
ASSERT(v == current);
- mask = 1u << TRAP_int3;
- if ( !cpu_has_monitor_trap_flag )
- mask |= 1u << TRAP_debug;
-
if ( v->arch.hvm_vcpu.debug_state_latch )
- v->arch.hvm_vmx.exception_bitmap |= mask;
+ v->arch.hvm_vmx.exception_bitmap |= 1U << TRAP_int3;
else
- v->arch.hvm_vmx.exception_bitmap &= ~mask;
+ v->arch.hvm_vmx.exception_bitmap &= ~(1U << TRAP_int3);
vmx_update_exception_bitmap(v);
}
@@ -2341,9 +2335,10 @@ void vmx_vmexit_handler(struct cpu_user_
*/
exit_qualification = __vmread(EXIT_QUALIFICATION);
write_debugreg(6, exit_qualification | 0xffff0ff0);
- if ( !v->domain->debugger_attached || cpu_has_monitor_trap_flag )
- goto exit_and_crash;
- domain_pause_for_debugger();
+ if ( !v->domain->debugger_attached )
+ vmx_inject_hw_exception(vector, HVM_DELIVER_NO_ERROR_CODE);
+ else
+ domain_pause_for_debugger();
break;
case TRAP_int3:
{
@@ -2397,6 +2392,10 @@ void vmx_vmexit_handler(struct cpu_user_
v->arch.hvm_vcpu.guest_cr[2] = exit_qualification;
vmx_inject_hw_exception(TRAP_page_fault, regs->error_code);
break;
+ case TRAP_alignment_check:
+ vmx_inject_hw_exception(vector,
+ __vmread(VM_EXIT_INTR_ERROR_CODE));
+ break;
case TRAP_nmi:
if ( (intr_info & INTR_INFO_INTR_TYPE_MASK) !=
(X86_EVENTTYPE_NMI << 8) )
--- a/xen/include/asm-x86/hvm/hvm.h
+++ b/xen/include/asm-x86/hvm/hvm.h
@@ -307,7 +307,10 @@ static inline int hvm_do_pmu_interrupt(s
(cpu_has_xsave ? X86_CR4_OSXSAVE : 0))))
/* These exceptions must always be intercepted. */
-#define HVM_TRAP_MASK ((1U << TRAP_machine_check) | (1U << TRAP_invalid_op))
+#define HVM_TRAP_MASK ((1U << TRAP_debug) | \
+ (1U << TRAP_invalid_op) | \
+ (1U << TRAP_alignment_check) | \
+ (1U << TRAP_machine_check))
/*
* x86 event types. This enumeration is valid for:
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
