>>> On 29.01.16 at 20:17, <andrew.coop...@citrix.com> wrote: > c/s 0f1cb96e "x86 hvm: Allow cross-vendor migration" caused HVM domains to > unconditionally intercept #UD exceptions. While cross-vendor migration is > cool as a demo, it is extremely niche. > > Intercepting #UD allows userspace code in a multi-vcpu guest to execute > arbitrary instructions in the x86 emulator by having one thread execute a > ud2a > instruction, and having a second thread rewrite the instruction before the > emulator performs an instruction fetch. > > XSAs 105, 106 and 110 are all examples where guest userspace can use bugs in > the x86 emulator to compromise security of the domain, either by privilege > escalation or causing a crash. > > c/s 2d67a7a4 "x86: synchronize PCI config space access decoding" > introduced (amongst other things) a per-domain vendor, based on the guests > cpuid policy. > > Use the per-guest vendor to enable #UD interception only when a domain is > configured for a vendor different to the current hardware. (#UD > interception > is also enabled if hvm_fep is specified on the Xen command line. This is a > debug-only option whose entire purpose is for testing the x86 emulator.) > > As a result, the overwhelming majority of usecases now have #UD interception > disabled, removing an attack surface for malicious guest userspace. > > Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> > Reviewed-by: Boris Ostrovsky <boris.ostrov...@oracle.com>
Reviewed-by: Jan Beulich <jbeul...@suse.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
