[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-4.0-testing] x86/hvm: don't leave emulator in inconsistent state


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.0-testing <patchbot@xxxxxxx>
  • Date: Thu, 26 Jul 2012 23:44:07 +0000
  • Delivery-date: Thu, 26 Jul 2012 23:44:26 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Jan Beulich <jbeulich@xxxxxxxx>
# Date 1343318238 -3600
# Node ID 82fcf3a5dc3aafc5be375d52a901e00ecbe01fa4
# Parent  a25160773a384eefbe7d86b6caaf4ea516027436
x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

[ This is a security issue.  XSA#10. -iwj ]

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

xen-unstable changeset: 25682:ffcb24876b4f
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---


diff -r a25160773a38 -r 82fcf3a5dc3a xen/arch/x86/hvm/io.c
--- a/xen/arch/x86/hvm/io.c     Sun Jul 22 16:39:40 2012 +0100
+++ b/xen/arch/x86/hvm/io.c     Thu Jul 26 16:57:18 2012 +0100
@@ -176,6 +176,8 @@ int handle_mmio(void)
 
     rc = hvm_emulate_one(&ctxt);
 
+    if ( rc != X86EMUL_RETRY )
+        curr->arch.hvm_vcpu.io_state = HVMIO_none;
     if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
         curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
     else

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.