[Xen-changelog] [xen-4.1-testing] x86/hvm: don't leave emulator in inconsistent state

[Xen patchbot-4.1-testing <patchbot@xxxxxxx>]

# HG changeset patch
# User Jan Beulich <jbeulich@xxxxxxxx>
# Date 1343318195 -3600
# Node ID a43f5b4b03319117edba76ebca8f827119d4e9a8
# Parent  e89be0dedeb4e4a9556cf3e1b9a5295ba0b59edf
x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

[ This is a security issue.  XSA#10. -iwj ]

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Keir Fraser <keir@xxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

xen-unstable changeset: 25682:ffcb24876b4f
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---


diff -r e89be0dedeb4 -r a43f5b4b0331 xen/arch/x86/hvm/io.c
--- a/xen/arch/x86/hvm/io.c     Sun Jul 22 16:39:00 2012 +0100
+++ b/xen/arch/x86/hvm/io.c     Thu Jul 26 16:56:35 2012 +0100
@@ -176,6 +176,8 @@ int handle_mmio(void)
 
     rc = hvm_emulate_one(&ctxt);
 
+    if ( rc != X86EMUL_RETRY )
+        curr->arch.hvm_vcpu.io_state = HVMIO_none;
     if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
         curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
     else

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog