On 09.04.2025 17:33, Roger Pau Monné wrote:
> On Wed, Apr 09, 2025 at 04:08:47PM +0200, Jan Beulich wrote:
>> On 09.04.2025 16:01, Roger Pau Monné wrote:
>>> As I understand the checks done in
>>> mmio_ro_emulated_write() are to ensure correctness, but carrying the
>>> access even when the %cr2 check fails wouldn't cause issues to Xen
>>> itself?
>>
>> Well, "wouldn't" is too strong for my taste, "shouldn't" would fit. The
>> checking is there to avoid guests playing games. Whether that prevents
>> merely in-guest just-bugs or actual XSAs we can't know until we find a
>> case where the game playing might make us do something wrong. I expect
>> it's unlikely for Xen itself to be affected. But an in-guest privilege
>> escalation would already be bad enough.
>
> I see. That was kind of my understanding of the checks. At least on
> HVM it feels a bit weird to handle r/o regions this way. It would IMO
> be more natural to use an hvm_io_handler, but that's maybe because I'm
> more familiar with those.

I guess this would be an option; I assume it's the way it is because PVHv1
inherited it from PV, and PVHv2 inherited it from PVHv1.

> And in that regard, hvm_io_handler don't seem to do any of the extra
> checking that mmio_ro_emulated_write() does with the %cr2, but maybe
> that's done by some higher layer? AFAICT that would ultimately get
> called by hvmemul_read(), and there are no checks there at all.

That more general framework isn't page-fault specific, and hence there's
no CR2 recorded to check against.

Jan