[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-unstable] xen: limit guest control of PCI command register
commit ab42b4408cb4fc4f869d73218e3d2034e6f5e8ac Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Tue Mar 31 16:27:45 2015 +0100 Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CommitDate: Tue Mar 31 16:27:45 2015 +0100 xen: limit guest control of PCI command register Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> --- hw/pass-through.c | 54 ++++++++++++++++++---------------------------------- 1 files changed, 19 insertions(+), 35 deletions(-) diff --git a/hw/pass-through.c b/hw/pass-through.c index 4821182..eb2704b 100644 --- a/hw/pass-through.c +++ b/hw/pass-through.c @@ -172,9 +172,6 @@ static int pt_word_reg_read(struct pt_dev *ptdev, static int pt_long_reg_read(struct pt_dev *ptdev, struct pt_reg_tbl *cfg_entry, uint32_t *value, uint32_t valid_mask); -static int pt_cmd_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint16_t *value, uint16_t valid_mask); static int pt_bar_reg_read(struct pt_dev *ptdev, struct pt_reg_tbl *cfg_entry, uint32_t *value, uint32_t valid_mask); @@ -286,9 +283,9 @@ static struct pt_reg_info_tbl pt_emu_reg_header0_tbl[] = { .size = 2, .init_val = 0x0000, .ro_mask = 0xF880, - .emu_mask = 0x0740, + .emu_mask = 0x0743, .init = pt_common_reg_init, - .u.w.read = pt_cmd_reg_read, + .u.w.read = pt_word_reg_read, .u.w.write = pt_cmd_reg_write, .u.w.restore = pt_cmd_reg_restore, }, @@ -1905,7 +1902,7 @@ static int pt_dev_is_virtfn(struct pci_dev *dev) return rc; } -static int pt_register_regions(struct pt_dev *assigned_device) +static int pt_register_regions(struct pt_dev *assigned_device, uint16_t *cmd) { int i = 0; uint32_t bar_data = 0; @@ -1925,17 +1922,26 @@ static int pt_register_regions(struct pt_dev *assigned_device) /* Register current region */ if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_IO ) + { pci_register_io_region((PCIDevice *)assigned_device, i, (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_IO, pt_ioport_map); + *cmd |= PCI_COMMAND_IO; + } else if ( pci_dev->base_addr[i] & PCI_ADDRESS_SPACE_MEM_PREFETCH ) + { pci_register_io_region((PCIDevice *)assigned_device, i, (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM_PREFETCH, pt_iomem_map); + *cmd |= PCI_COMMAND_MEMORY; + } else + { pci_register_io_region((PCIDevice *)assigned_device, i, (uint32_t)pci_dev->size[i], PCI_ADDRESS_SPACE_MEM, pt_iomem_map); + *cmd |= PCI_COMMAND_MEMORY; + } PT_LOG("IO region registered (size=0x%08x base_addr=0x%08x)\n", (uint32_t)(pci_dev->size[i]), @@ -3263,27 +3269,6 @@ static int pt_long_reg_read(struct pt_dev *ptdev, return 0; } -/* read Command register */ -static int pt_cmd_reg_read(struct pt_dev *ptdev, - struct pt_reg_tbl *cfg_entry, - uint16_t *value, uint16_t valid_mask) -{ - struct pt_reg_info_tbl *reg = cfg_entry->reg; - uint16_t valid_emu_mask = 0; - uint16_t emu_mask = reg->emu_mask; - - if ( ptdev->is_virtfn ) - emu_mask |= PCI_COMMAND_MEMORY; - if ( pt_is_iomul(ptdev) ) - emu_mask |= PCI_COMMAND_IO; - - /* emulate word register */ - valid_emu_mask = emu_mask & valid_mask; - *value = PT_MERGE_VALUE(*value, cfg_entry->data, ~valid_emu_mask); - - return 0; -} - /* read BAR */ static int pt_bar_reg_read(struct pt_dev *ptdev, struct pt_reg_tbl *cfg_entry, @@ -3418,19 +3403,13 @@ static int pt_cmd_reg_write(struct pt_dev *ptdev, uint16_t writable_mask = 0; uint16_t throughable_mask = 0; uint16_t wr_value = *value; - uint16_t emu_mask = reg->emu_mask; - - if ( ptdev->is_virtfn ) - emu_mask |= PCI_COMMAND_MEMORY; - if ( pt_is_iomul(ptdev) ) - emu_mask |= PCI_COMMAND_IO; /* modify emulate register */ writable_mask = ~reg->ro_mask & valid_mask; cfg_entry->data = PT_MERGE_VALUE(*value, cfg_entry->data, writable_mask); /* create value for writing to I/O device register */ - throughable_mask = ~emu_mask & valid_mask; + throughable_mask = ~reg->emu_mask & valid_mask; if (*value & PCI_COMMAND_DISABLE_INTx) { @@ -4211,6 +4190,7 @@ static struct pt_dev * register_real_device(PCIBus *e_bus, struct pt_dev *assigned_device = NULL; struct pci_dev *pci_dev; uint8_t e_device, e_intx; + uint16_t cmd = 0; char *key, *val; int msi_translate, power_mgmt; @@ -4300,7 +4280,7 @@ static struct pt_dev * register_real_device(PCIBus *e_bus, assigned_device->dev.config[i] = pci_read_byte(pci_dev, i); /* Handle real device's MMIO/PIO BARs */ - pt_register_regions(assigned_device); + pt_register_regions(assigned_device, &cmd); /* Setup VGA bios for passthroughed gfx */ if ( setup_vga_pt(assigned_device) < 0 ) @@ -4378,6 +4358,10 @@ static struct pt_dev * register_real_device(PCIBus *e_bus, } out: + if (cmd) + pci_write_word(pci_dev, PCI_COMMAND, + *(uint16_t *)(&assigned_device->dev.config[PCI_COMMAND]) | cmd); + PT_LOG("Real physical device %02x:%02x.%x registered successfuly!\n" "IRQ type = %s\n", r_bus, r_dev, r_func, assigned_device->msi_trans_en? "MSI-INTx":"INTx"); -- generated by git-patchbot for /home/xen/git/qemu-xen-unstable.git _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |