[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] VMX: disable EPT when !cpu_has_vmx_pat
commit c13b0d65ddedd74508edef5cd66defffe30468fc Author: Liu Jinsong <jinsong.liu@xxxxxxxxx> AuthorDate: Wed Nov 6 10:11:18 2013 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Wed Nov 6 10:11:18 2013 +0100 VMX: disable EPT when !cpu_has_vmx_pat Recently Oracle developers found a Xen security issue as DOS affecting, named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html Basically it involves how to handle guest cr0.cd setting, which under some environment it consumes much time resulting in DOS-like behavior. This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. This is CVE-2013-2212 / XSA-60. Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Tim Deegan <tim@xxxxxxx> Acked-by: Jun Nakajima <jun.nakajima@xxxxxxxxx> --- xen/arch/x86/hvm/vmx/vmcs.c | 4 ++-- xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 6526504..6916c6d 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v) vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W); - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W); } @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v) __vmwrite(EPT_POINTER, ept_get_eptp(ept)); } - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) { u64 host_pat, guest_pat; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 9ca8632..e6743b8 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v) static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void) return NULL; } - if ( cpu_has_vmx_ept ) + /* + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole + * (refer to http://xenbits.xen.org/xsa/advisory-60.html). + */ + if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) { vmx_function_table.hap_supported = 1; -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |