[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.1] VMX: disable EPT when !cpu_has_vmx_pat



commit 649e7ae0df99ffb5bccc17b4cb139c46ce2359a2
Author:     Liu Jinsong <jinsong.liu@xxxxxxxxx>
AuthorDate: Mon Dec 9 14:50:55 2013 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Dec 9 14:50:55 2013 +0100

    VMX: disable EPT when !cpu_has_vmx_pat
    
    Recently Oracle developers found a Xen security issue as DOS affecting,
    named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
    Basically it involves how to handle guest cr0.cd setting, which under
    some environment it consumes much time resulting in DOS-like behavior.
    
    This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
    via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.
    
    This is CVE-2013-2212 / XSA-60.
    
    Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Tim Deegan <tim@xxxxxxx>
    Acked-by: Jun Nakajima <jun.nakajima@xxxxxxxxx>
    master commit: c13b0d65ddedd74508edef5cd66defffe30468fc
    master date: 2013-11-06 10:11:18 +0100
---
 xen/arch/x86/hvm/vmx/vmcs.c |    4 ++--
 xen/arch/x86/hvm/vmx/vmx.c  |   10 +++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index 6966acc..9eee3d1 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -742,7 +742,7 @@ static int construct_vmcs(struct vcpu *v)
         vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS);
         vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP);
         vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP);
-        if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+        if ( paging_mode_hap(d) )
             vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT);
     }
 
@@ -872,7 +872,7 @@ static int construct_vmcs(struct vcpu *v)
     if ( cpu_has_vmx_vpid )
         __vmwrite(VIRTUAL_PROCESSOR_ID, v->arch.hvm_vcpu.asid);
 
-    if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+    if ( paging_mode_hap(d) )
     {
         u64 host_pat, guest_pat;
 
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 425030b..5dc8bde 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -923,7 +923,7 @@ static void vmx_set_segment_register(struct vcpu *v, enum 
x86_segment seg,
 
 static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
 {
-    if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+    if ( !paging_mode_hap(v->domain) )
         return 0;
 
     vmx_vmcs_enter(v);
@@ -937,7 +937,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
 
 static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
 {
-    if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+    if ( !paging_mode_hap(v->domain) )
         return 0;
 
     vmx_vmcs_enter(v);
@@ -1450,7 +1450,11 @@ struct hvm_function_table * __init start_vmx(void)
         return NULL;
     }
 
-    if ( cpu_has_vmx_ept )
+    /*
+     * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
+     * (refer to http://xenbits.xen.org/xsa/advisory-60.html).
+     */
+    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
     {
         vmx_function_table.hap_supported = 1;
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.1

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.