[Xen-changelog] [xen stable-4.7] x86/cpu: Fix IST handling during PCPU bringup
commit c10dc54d41695a074c90b8afed950bd63884de0b Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Thu Oct 12 15:30:21 2017 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Oct 12 15:30:21 2017 +0200 x86/cpu: Fix IST handling during PCPU bringup Clear IST references in newly allocated IDTs. Nothing good will come of having them set before the TSS is suitably constructed (although the chances of the CPU surviving such an IST interrupt/exception is extremely slim). Uniformly set the IST references after the TSS is in place. This fixes an issue on AMD hardware, where onlining a PCPU while PCPU0 is in HVM context will cause IST_NONE to be copied into the new IDT, making that PCPU vulnerable to privilege escalation from PV guests until it subsequently schedules an HVM guest. This is XSA-244. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: cc08c73c8c1f5ba5ed0f8274548db6725e1c3157 master date: 2017-10-12 14:50:31 +0200 --- xen/arch/x86/cpu/common.c | 5 +++++ xen/arch/x86/smpboot.c | 3 +++ 2 files changed, 8 insertions(+) diff --git a/xen/arch/x86/cpu/common.c b/xen/arch/x86/cpu/common.c index e8698d7..168cfdf 100644 --- a/xen/arch/x86/cpu/common.c +++ b/xen/arch/x86/cpu/common.c @@ -617,6 +617,7 @@ void __init early_cpu_init(void) * - Sets up TSS with stack pointers, including ISTs * - Inserts TSS selector into regular and compat GDTs * - Loads GDT, IDT, TR then null LDT + * - Sets up IST references in the IDT */ void load_system_tables(void) { @@ -663,6 +664,10 @@ void load_system_tables(void) asm volatile ("lidt %0" : : "m" (idtr) ); asm volatile ("ltr %w0" : : "rm" (TSS_ENTRY << 3) ); asm volatile ("lldt %w0" : : "rm" (0) ); + + set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF); + set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI); + set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE); } /* 
diff --git a/xen/arch/x86/smpboot.c b/xen/arch/x86/smpboot.c index 1c02681..f9e4ee8 100644 --- a/xen/arch/x86/smpboot.c +++ b/xen/arch/x86/smpboot.c @@ -715,6 +715,9 @@ static int cpu_smpboot_alloc(unsigned int cpu) if ( idt_tables[cpu] == NULL ) goto oom; memcpy(idt_tables[cpu], idt_table, IDT_ENTRIES * sizeof(idt_entry_t)); + set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE); + set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE); + set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE); for ( stub_page = 0, i = cpu & ~(STUBS_PER_PAGE - 1); i < nr_cpu_ids && i <= (cpu | (STUBS_PER_PAGE - 1)); ++i ) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.7 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
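Review bot: in the load_system_tables() hunk of xen/arch/x86/cpu/common.c, the three set_ist() calls sit after `lidt`, so the IDT is already live for a few instructions while its #DF, NMI and #MC gates still carry IST_NONE. The header comment gains the line "Sets up IST references in the IDT" but does not say why this step has to come last. A short comment at the call site stating that the IST indices may only be written once `ltr` has loaded a TSS with valid IST stack pointers, and that the brief window after `lidt` is accepted, would stop a later cleanup from moving these lines above the table loads.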
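Review bot: in the cpu_smpboot_alloc() hunk of xen/arch/x86/smpboot.c, the three `set_ist(..., IST_NONE)` calls directly after the memcpy() from idt_table carry no comment, and to a later reader they look redundant. Please add a comment saying that the copied template may or may not hold IST references depending on PCPU0's current context, and that the new IDT must reference none until load_system_tables() has built the TSS. The same three vectors (TRAP_double_fault, TRAP_nmi, TRAP_machine_check) are now listed in two files; a small helper that enables or disables IST for all of them would keep the two lists from drifting apart if another IST vector is added.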
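The copy-then-fix-up ordering described in the commit message, as an added user-space model (not Xen's code): it brings up one CPU's IDT from a template with and without the patch's two steps and audits the #DF, NMI and #MC gates. The `model_*` names and the IST index values are assumptions made for this example; the vector numbers and the position of the IST field in a long-mode gate are architectural.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural vector numbers; the IST index values are assumed for this model. */
enum { VEC_NMI = 2, VEC_DF = 8, VEC_MC = 18, NR_GATES = 256 };
enum { M_IST_NONE = 0, M_IST_DF = 1, M_IST_NMI = 2, M_IST_MCE = 3 };

/* 16-byte long-mode gate: the IST index is bits 34:32 of the low quadword. */
typedef struct { uint64_t a, b; } gate_t;

void model_set_ist(gate_t *g, uint64_t ist)
{
    g->a = (g->a & ~(7ULL << 32)) | ((ist & 7) << 32);
}

unsigned int model_get_ist(const gate_t *g) { return (unsigned int)((g->a >> 32) & 7); }

/* Set (on != 0) or clear the IST index of the three gates the patch touches. */
void model_set_all(gate_t *idt, int on)
{
    model_set_ist(&idt[VEC_DF], on ? M_IST_DF : M_IST_NONE);
    model_set_ist(&idt[VEC_NMI], on ? M_IST_NMI : M_IST_NONE);
    model_set_ist(&idt[VEC_MC], on ? M_IST_MCE : M_IST_NONE);
}

/* Audit: bitmask (DF=1, NMI=2, MC=4) of gates lacking the expected IST index. */
unsigned int model_audit(const gate_t *idt)
{
    return (model_get_ist(&idt[VEC_DF]) != M_IST_DF ? 1u : 0u) |
           (model_get_ist(&idt[VEC_NMI]) != M_IST_NMI ? 2u : 0u) |
           (model_get_ist(&idt[VEC_MC]) != M_IST_MCE ? 4u : 0u);
}

/* Constructed scenario: bring up one CPU from a template with or without IST set. */
unsigned int model_bringup(int tmpl_has_ist, int patched)
{
    static gate_t tmpl[NR_GATES], idt[NR_GATES];

    memset(tmpl, 0, sizeof(tmpl));
    model_set_all(tmpl, tmpl_has_ist);
    memcpy(idt, tmpl, sizeof(idt));      /* allocation: copy the template */
    if (patched) {
        model_set_all(idt, 0);           /* clear IST until the TSS is ready */
        model_set_all(idt, 1);           /* set IST once the TSS is in place */
    }
    return model_audit(idt);
}

int main(void)
{
    printf("unpatched, template without IST: %#x\n", model_bringup(0, 0));
    printf("patched,   template without IST: %#x\n", model_bringup(0, 1));
    return 0;
}
```

A non-zero audit mask means the new CPU would take the listed exceptions on whatever stack is current; with the patch's two steps the result no longer depends on the template's state at copy time.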