[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen master] x86/hvm: further restrict access to x2apic MSRs

commit 8d0a20587e4ebf3691ee88a55f91f398c4d2ee83
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Oct 21 17:34:20 2014 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 21 17:34:20 2014 +0200

    x86/hvm: further restrict access to x2apic MSRs
    
    The x2apic specification reserves the entire MSR range 0x800-0xbff, while 
only
    the first 0x3f MSRs have defined purposes.  All reserved MSRs in this region
    are architecturally required to raise #GP faults upon access.
    
    Xen used to pass this entire range to hvm_x2apic_msr_{read,write}(), but the
    range was restricted somewhat by XSA-108 (c/s 61fdda7ac) to prevent guests
    being able to read pages adjacent to the domheap page backing the 
vlapic->regs
    array.
    
    While removing the vulnerability, a side effect of XSA-108 was that the MSR
    range 0x900-0xbff fell through the switch statement and ends up reading the
    hosts x2apic range. This behaviour is a problem in general, but specifically
    it turns out that MSRs 0xa00-0xa02 are implemented (but undocumented) on
    certain SandyBridge and IvyBridge systems.
    
    Experimentally, no operating system in XenServer's test suite (including all
    versions of Windows currently supported by Microsoft) ever peek at these 
MSRs,
    even on hosts where some of them are implemented.
    
    This patch undoes the fix for XSA-108 (c/s 61fdda7ac), returning the primary
    bounds check to the entire specified range.  hvm_x2apic_msr_write() was 
always
    safe, as it is whitelist based.  hvm_x2apic_msr_read() changes to a 
whitelist
    approach, which avoids the vulnerability, and provides a more 
architecturally
    accurate emulation of the reserved MSRs (which would previously read as 0
    rather than fault).
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Jun Nakajima <jun.nakajima@xxxxxxxxx>
---
 xen/arch/x86/hvm/hvm.c    |    4 ++--
 xen/arch/x86/hvm/vlapic.c |   27 +++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index f0e1edc..559b769 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4355,7 +4355,7 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t 
*msr_content)
         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
             goto gp_fault;
         break;
@@ -4482,7 +4482,7 @@ int hvm_msr_write_intercept(unsigned int msr, uint64_t 
msr_content)
         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
             goto gp_fault;
         break;
diff --git a/xen/arch/x86/hvm/vlapic.c b/xen/arch/x86/hvm/vlapic.c
index 089d13f..2f09713 100644
--- a/xen/arch/x86/hvm/vlapic.c
+++ b/xen/arch/x86/hvm/vlapic.c
@@ -649,16 +649,35 @@ int hvm_x2apic_msr_read(struct vcpu *v, unsigned int msr, 
uint64_t *msr_content)
     if ( !vlapic_x2apic_mode(vlapic) )
         return X86EMUL_UNHANDLEABLE;
 
-    vlapic_read_aligned(vlapic, offset, &low);
     switch ( offset )
     {
     case APIC_ICR:
         vlapic_read_aligned(vlapic, APIC_ICR2, &high);
+        /* Fallthrough. */
+    case APIC_ID:
+    case APIC_LVR:
+    case APIC_TASKPRI:
+    case APIC_PROCPRI:
+    case APIC_LDR:
+    case APIC_SPIV:
+    case APIC_ISR ... APIC_ISR + 0x70:
+    case APIC_TMR ... APIC_TMR + 0x70:
+    case APIC_IRR ... APIC_IRR + 0x70:
+    case APIC_ESR:
+    case APIC_CMCI:
+    case APIC_LVTT:
+    case APIC_LVTTHMR:
+    case APIC_LVTPC:
+    case APIC_LVT0:
+    case APIC_LVT1:
+    case APIC_LVTERR:
+    case APIC_TMICT:
+    case APIC_TMCCT:
+    case APIC_TDCR:
+        vlapic_read_aligned(vlapic, offset, &low);
         break;
 
-    case APIC_EOI:
-    case APIC_ICR2:
-    case APIC_SELF_IPI:
+    default:
         return X86EMUL_UNHANDLEABLE;
     }
 
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.