
[Xen-changelog] [xen master] x86/hvm: further restrict access to x2apic MSRs



commit 8d0a20587e4ebf3691ee88a55f91f398c4d2ee83
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Oct 21 17:34:20 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 21 17:34:20 2014 +0200

    x86/hvm: further restrict access to x2apic MSRs
    
    The x2apic specification reserves the entire MSR range 0x800-0xbff, while only
    the first 0x3f MSRs have defined purposes.  All reserved MSRs in this region
    are architecturally required to raise #GP faults upon access.
    
    Xen used to pass this entire range to hvm_x2apic_msr_{read,write}(), but the
    range was restricted somewhat by XSA-108 (c/s 61fdda7ac) to prevent guests
    being able to read pages adjacent to the domheap page backing the vlapic->regs
    array.
    
    While removing the vulnerability, a side effect of XSA-108 was that the MSR
    range 0x900-0xbff fell through the switch statement and ended up reading the
    host's x2apic range.  This behaviour is a problem in general, but specifically
    it turns out that MSRs 0xa00-0xa02 are implemented (but undocumented) on
    certain SandyBridge and IvyBridge systems.
    
    Experimentally, no operating system in XenServer's test suite (including all
    versions of Windows currently supported by Microsoft) ever peeks at these MSRs,
    even on hosts where some of them are implemented.
    
    This patch undoes the fix for XSA-108 (c/s 61fdda7ac), returning the primary
    bounds check to the entire specified range.  hvm_x2apic_msr_write() was always
    safe, as it is whitelist based.  hvm_x2apic_msr_read() changes to a whitelist
    approach, which avoids the vulnerability, and provides a more architecturally
    accurate emulation of the reserved MSRs (which would previously read as 0
    rather than fault).
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Jun Nakajima <jun.nakajima@xxxxxxxxx>
---
 xen/arch/x86/hvm/hvm.c    |    4 ++--
 xen/arch/x86/hvm/vlapic.c |   27 +++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index f0e1edc..559b769 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4355,7 +4355,7 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t 
*msr_content)
         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
             goto gp_fault;
         break;
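Review bot: widening the read case to MSR_IA32_APICBASE_MSR + 0x3ff makes this bounds check cover all of 0x800-0xbff, so the safety of the path now rests entirely on hvm_x2apic_msr_read() returning non-zero (X86EMUL_UNHANDLEABLE) for every offset it does not whitelist, which the `goto gp_fault` here turns into the architecturally required #GP. A one-line comment on this case saying that the callee is the whitelist and must stay one would help stop a later change from re-introducing an unconditional register read over the widened range.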
@@ -4482,7 +4482,7 @@ int hvm_msr_write_intercept(unsigned int msr, uint64_t 
msr_content)
         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
             goto gp_fault;
         break;
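Review bot: this hunk widens the write path to the same 0x3ff range, but hvm_x2apic_msr_write() itself is not touched by the patch, so the commit message's statement that it is already whitelist based is the only evidence shown. Review should confirm that its switch returns X86EMUL_UNHANDLEABLE for every offset outside the documented registers (in particular 0x900-0xbff, which now reaches it again) so that writes to reserved MSRs also end in `goto gp_fault` rather than touching vlapic->regs.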
diff --git a/xen/arch/x86/hvm/vlapic.c b/xen/arch/x86/hvm/vlapic.c
index 089d13f..2f09713 100644
--- a/xen/arch/x86/hvm/vlapic.c
+++ b/xen/arch/x86/hvm/vlapic.c
@@ -649,16 +649,35 @@ int hvm_x2apic_msr_read(struct vcpu *v, unsigned int msr, 
uint64_t *msr_content)
     if ( !vlapic_x2apic_mode(vlapic) )
         return X86EMUL_UNHANDLEABLE;
 
-    vlapic_read_aligned(vlapic, offset, &low);
     switch ( offset )
     {
     case APIC_ICR:
         vlapic_read_aligned(vlapic, APIC_ICR2, &high);
+        /* Fallthrough. */
+    case APIC_ID:
+    case APIC_LVR:
+    case APIC_TASKPRI:
+    case APIC_PROCPRI:
+    case APIC_LDR:
+    case APIC_SPIV:
+    case APIC_ISR ... APIC_ISR + 0x70:
+    case APIC_TMR ... APIC_TMR + 0x70:
+    case APIC_IRR ... APIC_IRR + 0x70:
+    case APIC_ESR:
+    case APIC_CMCI:
+    case APIC_LVTT:
+    case APIC_LVTTHMR:
+    case APIC_LVTPC:
+    case APIC_LVT0:
+    case APIC_LVT1:
+    case APIC_LVTERR:
+    case APIC_TMICT:
+    case APIC_TMCCT:
+    case APIC_TDCR:
+        vlapic_read_aligned(vlapic, offset, &low);
         break;
 
-    case APIC_EOI:
-    case APIC_ICR2:
-    case APIC_SELF_IPI:
+    default:
         return X86EMUL_UNHANDLEABLE;
     }
 
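Review bot: moving `vlapic_read_aligned(vlapic, offset, &low);` from before the switch into the whitelisted cases is the actual fix: previously the register page was read for any in-range offset before the switch decided whether to reject it, so with the restored 0x3ff range (offsets up to 0x3ff0) that read would again reach past the single domheap page backing vlapic->regs. With the read inside the cases and `default:` returning X86EMUL_UNHANDLEABLE, the removed explicit rejections of APIC_EOI, APIC_ICR2 and APIC_SELF_IPI are subsumed, which is fine. Two points worth a comment in the code: the `APIC_ISR ... APIC_ISR + 0x70` (and TMR/IRR) case ranges admit every offset in between, so they are only correct because offset is always a multiple of 0x10, an assumption that should be stated; and since `high` is now assigned only on the APIC_ICR path, its declaration (outside this hunk) must initialise it, otherwise every other whitelisted read returns garbage in the upper 32 bits.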
--
generated by git-patchbot for /home/xen/git/xen.git#master
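To make the whitelist change concrete, here is an added C model of the two hunks together, written for this page and not taken from Xen: the intercept-level bounds check over the whole 0x800-0xbff range, and a read routine that only touches the register page for offsets in the case list, returning X86EMUL_UNHANDLEABLE (hence #GP) for everything else. The APIC_* offsets are the architectural xAPIC register offsets and are assumed to equal Xen's macros; the X86EMUL_* and GP_FAULT values, the `struct vlapic` stand-in, and the sample register contents are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration for this commit, not Xen's code: a model of the whitelist
 * x2APIC MSR read from the vlapic.c hunk behind the widened 0x800-0xbff check
 * from the hvm.c hunk.  APIC_* offsets are the architectural xAPIC register
 * offsets (assumed to equal Xen's macros); X86EMUL_* values are assumed. */
#define MSR_IA32_APICBASE_MSR 0x800u
#define APIC_ID      0x20
#define APIC_LVR     0x30
#define APIC_TASKPRI 0x80
#define APIC_PROCPRI 0xA0
#define APIC_LDR     0xD0
#define APIC_SPIV    0xF0
#define APIC_ISR     0x100
#define APIC_TMR     0x180
#define APIC_IRR     0x200
#define APIC_ESR     0x280
#define APIC_CMCI    0x2F0
#define APIC_ICR     0x300
#define APIC_ICR2    0x310
#define APIC_LVTT    0x320
#define APIC_LVTTHMR 0x330
#define APIC_LVTPC   0x340
#define APIC_LVT0    0x350
#define APIC_LVT1    0x360
#define APIC_LVTERR  0x370
#define APIC_TMICT   0x380
#define APIC_TMCCT   0x390
#define APIC_TDCR    0x3E0
#define X86EMUL_OKAY         0
#define X86EMUL_UNHANDLEABLE 2
#define GP_FAULT (-1)

/* Constructed stand-in for the single 4 KiB domheap page backing vlapic->regs. */
struct vlapic { uint8_t regs[4096]; };

/* MSR index -> register offset (index << 4), so offsets are always 16-byte aligned.
 * Note 0xbff maps to 0x3ff0, far beyond the page: an unconditional read is unsafe. */
unsigned int x2apic_offset(unsigned int msr) { return (msr - MSR_IA32_APICBASE_MSR) << 4; }

static uint32_t vlapic_read_aligned(const struct vlapic *vl, unsigned int off)
{
    uint32_t v;
    memcpy(&v, vl->regs + off, sizeof v);
    return v;
}

/* Whitelist read mirroring the hunk: the page is touched only for known offsets. */
int x2apic_msr_read(const struct vlapic *vl, unsigned int msr, uint64_t *out)
{
    uint32_t low = 0, high = 0;
    unsigned int offset = x2apic_offset(msr);

    switch ( offset )
    {
    case APIC_ICR:
        high = vlapic_read_aligned(vl, APIC_ICR2);
        /* Fallthrough. */
    case APIC_ID: case APIC_LVR: case APIC_TASKPRI: case APIC_PROCPRI:
    case APIC_LDR: case APIC_SPIV:
    case APIC_ISR ... APIC_ISR + 0x70: /* case ranges: GCC/Clang extension, as in vlapic.c */
    case APIC_TMR ... APIC_TMR + 0x70:
    case APIC_IRR ... APIC_IRR + 0x70:
    case APIC_ESR: case APIC_CMCI: case APIC_LVTT: case APIC_LVTTHMR: case APIC_LVTPC:
    case APIC_LVT0: case APIC_LVT1: case APIC_LVTERR: case APIC_TMICT: case APIC_TMCCT:
    case APIC_TDCR:
        low = vlapic_read_aligned(vl, offset);
        break;
    default: /* reserved, write-only (EOI, SELF_IPI) and xAPIC-only (ICR2) offsets */
        return X86EMUL_UNHANDLEABLE;
    }
    *out = ((uint64_t)high << 32) | low;
    return X86EMUL_OKAY;
}

/* Intercept-level check from the hvm.c hunk: the whole reserved range reaches the
 * whitelist, and anything it does not handle becomes a #GP for the guest. */
int msr_read_intercept(const struct vlapic *vl, unsigned int msr, uint64_t *out)
{
    if ( msr >= MSR_IA32_APICBASE_MSR && msr <= MSR_IA32_APICBASE_MSR + 0x3ff )
        return x2apic_msr_read(vl, msr, out) == X86EMUL_OKAY ? 0 : GP_FAULT;
    return GP_FAULT; /* the model knows no other MSRs */
}

/* Sample lAPIC page with constructed contents (little-endian bytes, as on x86):
 * APIC ID 1, ICR low word 0x40c8, ICR2 destination 2. */
static const struct vlapic sample = { .regs = { [APIC_ID + 3] = 1, [APIC_ICR] = 0xc8,
                                                [APIC_ICR + 1] = 0x40, [APIC_ICR2 + 3] = 2 } };
int sample_status(unsigned int msr) { uint64_t v; return msr_read_intercept(&sample, msr, &v); }
uint64_t sample_value(unsigned int msr) { uint64_t v = 0; msr_read_intercept(&sample, msr, &v); return v; }

int main(void)
{
    unsigned int msrs[] = { 0x802, 0x830, 0x80b, 0x831, 0xa00, 0xbff };
    for ( size_t i = 0; i < sizeof msrs / sizeof msrs[0]; i++ )
        printf("MSR %#x (offset %#x): %s value=%#llx\n", msrs[i], x2apic_offset(msrs[i]),
               sample_status(msrs[i]) ? "#GP" : "ok", (unsigned long long)sample_value(msrs[i]));
    return 0;
}
```

Running it shows the documented registers (0x802, 0x830) reading back their contents, the write-only EOI MSR 0x80b and the non-existent x2APIC ICR2 MSR 0x831 faulting, and 0xa00 and 0xbff faulting without the register page ever being dereferenced at their out-of-page offsets, which is exactly what the pre-XSA-108 unconditional read got wrong.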

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog