[Xen-changelog] [xen stable-4.6] x86/traps: Fix handling of #DB exceptions in hypervisor context
commit 3b9667632d52995bdf576e627bc8ea994d6941ee
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue May 8 18:28:03 2018 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue May 8 18:28:03 2018 +0100

    x86/traps: Fix handling of #DB exceptions in hypervisor context

    The WARN_ON() can be triggered by guest activities, and emits a full stack
    trace without rate limiting. Swap it out for a ratelimited printk with just
    enough information to work out what is going on.

    Not all #DB exceptions are traps, so blindly continuing is not a safe action
    to take. We don't let PV guests select these settings in the real %dr7 to
    begin with, but for added safety against unexpected situations, detect the
    fault cases and crash in an obvious manner.

    This is part of XSA-260 / CVE-2018-8897.

    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/arch/x86/traps.c | 44 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 8 deletions(-)

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index b00149c756..eab5a3f23f 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -3716,16 +3716,44 @@ void do_debug(struct cpu_user_regs *regs) regs->eflags &= ~X86_EFLAGS_TF; } } - else + + /* + * Check for fault conditions. General Detect, and instruction + * breakpoints are faults rather than traps, at which point attempting + * to ignore and continue will result in a livelock. + */ + if ( dr6 & DR_GENERAL_DETECT ) { - /* - * We ignore watchpoints when they trigger within Xen. This may - * happen when a buffer is passed to us which previously had a - * watchpoint set on it. No need to bump EIP; the only faulting - * trap is an instruction breakpoint, which can't happen to us. - */ - WARN_ON(!search_exception_table(regs->eip)); + printk(XENLOG_ERR "Hit General Detect in Xen context\n"); + fatal_trap(regs); + } + + if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) ) + { + unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT; + + for ( bp = 0; bp < 4; ++bp ) + { + if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */ + ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ ) + { + printk(XENLOG_ERR + "Hit instruction breakpoint in Xen context\n"); + fatal_trap(regs); + } + } } + + /* + * Whatever caused this #DB should be a trap. Note it and continue. + * Guests can trigger this in certain corner cases, so ensure the + * message is ratelimited. + */ + gprintk(XENLOG_WARNING, + "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n", + regs->cs, _p(regs->rip), _p(regs->rip), + regs->ss, _p(regs->rsp), dr6); + goto out; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.6 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
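Review bot: the instruction-breakpoint test inside the `if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) )` block only checks that the R/W field of breakpoint `bp` is 0 and never checks that the breakpoint is actually enabled: the `>> DR_CONTROL_SHIFT` shift discards the L/G enable pair (bits `2*bp` and `2*bp+1` of the unshifted %dr7), and a cleared R/W field is also the reset value of a breakpoint that is not armed at all. Since %dr6 is not guaranteed to carry only conditions reported by this particular #DB, a leftover B0-B3 bit for a disabled breakpoint would be classified as an instruction-breakpoint fault and reach `fatal_trap(regs)`. Consider additionally requiring the corresponding enable bit from the unshifted %dr7 before treating the hit as a fault, or clearing %dr6 once it has been sampled so later #DBs only see fresh status. Minor: the General Detect check relies on `fatal_trap()` not returning, which is why no `else` separates it from the breakpoint scan; a short remark in the "Check for fault conditions" comment would make that intent explicit for the next reader.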