[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.3] x86/HVM: only kill guest when unknown VM exit occurred in guest kernel mode



commit d6281e354393f1c8a02fac55f4f611b4d4856303
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Nov 13 09:58:56 2014 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Nov 13 09:58:56 2014 +0100

    x86/HVM: only kill guest when unknown VM exit occurred in guest kernel mode
    
    A recent KVM change by Nadav Amit <namit@xxxxxxxxxxxxxxxxx> pointed out
    that unconditional VM exits (like VMX'es ones for the INVEPT, INVVPID,
    and XSETBV instructions) may result from guest user mode activity (in
    the example cases, e.g. prior to a privilege level check being done).
    Consequently convert the unconditional domain_crash() to a conditional
    one (when guest is in kernel mode) with the alternative of injecting
    #UD (when in user mode).
    
    This is meant to be a precaution against in-guest security issues
    introduced when any such VM exit becomes possible (on newer hardware)
    without the hypervisor immediately being aware of it. There are no such
    unhandled VM exits currently (and hence this is not an active security
    issue), but old (no longer security maintained) versions exhibit issues
    in the cases given as examples above.
    
    Suggested-by: Tim Deegan <tim@xxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
    Acked-by: Kevin Tian <kevin.tian@xxxxxxxxx>
    master commit: 5283b310e14884341f51be35253cdd59c4cb034c
    master date: 2014-10-31 11:32:27 +0100
---
 xen/arch/x86/hvm/svm/svm.c |    6 +++++-
 xen/arch/x86/hvm/vmx/vmx.c |   15 +++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index 0e7fb0c..30e130f 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -2458,7 +2458,11 @@ void svm_vmexit_handler(struct cpu_user_regs *regs)
                  "exitinfo1 = %#"PRIx64", exitinfo2 = %#"PRIx64"\n",
                  exit_reason, 
                  (u64)vmcb->exitinfo1, (u64)vmcb->exitinfo2);
-        domain_crash(v->domain);
+        if ( vmcb_get_cpl(vmcb) )
+            hvm_inject_hw_exception(TRAP_invalid_op,
+                                    HVM_DELIVER_NO_ERROR_CODE);
+        else
+            domain_crash(v->domain);
         break;
     }
 
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9c5ec60..7f38378 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2958,8 +2958,19 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
     /* fall through */
     default:
     exit_and_crash:
-        gdprintk(XENLOG_ERR, "Bad vmexit (reason %#x)\n", exit_reason);
-        domain_crash(v->domain);
+        {
+            struct segment_register ss;
+
+            gdprintk(XENLOG_WARNING, "Bad vmexit (reason %#x)\n",
+                     exit_reason);
+
+            vmx_get_segment_register(v, x86_seg_ss, &ss);
+            if ( ss.attr.fields.dpl )
+                hvm_inject_hw_exception(TRAP_invalid_op,
+                                        HVM_DELIVER_NO_ERROR_CODE);
+            else
+                domain_crash(v->domain);
+        }
         break;
     }
 
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.3

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.