On 04.07.2019 15:44, Andrew Cooper wrote:
> On 31/01/2019 14:27, Jan Beulich wrote:
>> Array indexes used in the MMIO and MSR read/write emulation functions
>> are derived from guest controlled values. Restrict their ranges to limit
>> the side effects of speculative execution.
>>
>> Remove the unused vlapic_lvt_{vector,dm}() instead of adjusting them.
>>
>> Signed-off-by: Jan Beulich <jbeul...@suse.com>
>
> While they are all guest controlled, the MMIO side of things is on the
> end of a function pointer call, which has already determined that the
> access is within 4k. I don't think there are any safety concerns here.

I.e. are you suggesting there's no speculation through indirect calls?

> guest_rdmsr_x2apic() does get values in the range 0x800...0xbff, so I
> think this is the only case which needs protecting.

What about vlapic_apicv_write(), which does get called directly? And
what about the vlapic_lvt_mask[] accesses?

Jan
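
The range restriction discussed in this thread, sketched for the x2APIC MSR range 0x800...0xbff, as an added example that is not Xen's code and not part of the original message. `index_mask_nospec`, `reg_table` and `emul_rdmsr_x2apic` are hypothetical names, and the mask assumes gcc/clang (inline asm, arithmetic right shift of negative values).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_X2APIC_FIRST 0x800u  /* range quoted in the thread */
#define MSR_X2APIC_LAST  0xbffu
#define NR_REGS (MSR_X2APIC_LAST - MSR_X2APIC_FIRST + 1)

/* Hypothetical per-register state indexed by (msr - 0x800). */
static uint32_t reg_table[NR_REGS];

/* All-ones if idx < size, zero otherwise, computed without a branch so the
 * result is a data dependency the CPU cannot mispredict.
 * Assumes size <= LONG_MAX. */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* Hide idx from the optimizer so the mask is not folded into a branch. */
    __asm__ volatile("" : "+r"(idx));
    return (unsigned long)(~(long)(idx | (size - 1 - idx)) >>
                           (sizeof(long) * CHAR_BIT - 1));
}

/* Read emulation: the architectural bounds check rejects bad MSRs, and the
 * mask forces any speculatively out-of-range index to 0 before the load. */
static int emul_rdmsr_x2apic(uint32_t msr, uint32_t *val)
{
    unsigned long idx = (unsigned long)msr - MSR_X2APIC_FIRST;

    if (idx >= NR_REGS)          /* may be bypassed under misprediction */
        return -1;
    idx &= index_mask_nospec(idx, NR_REGS);  /* clamp holds regardless */
    *val = reg_table[idx];
    return 0;
}

int main(void)
{
    uint32_t v = 0;

    reg_table[0x02] = 0xabcd;    /* constructed sample value */
    printf("rdmsr 0x802 -> %d, val %#x\n", emul_rdmsr_x2apic(0x802, &v), v);
    printf("rdmsr 0xc00 -> %d\n", emul_rdmsr_x2apic(0xc00, &v));
    printf("mask(NR_REGS) = %#lx\n", index_mask_nospec(NR_REGS, NR_REGS));
    return 0;
}
```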