[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.12] x86/ept: atomically modify entries in ept_next_level



commit 8faa45e25e8b97570b81b46a6b48bdbc8b489b4f
Author:     Roger Pau Monné <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Jul 7 15:10:14 2020 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Jul 7 15:10:14 2020 +0200

    x86/ept: atomically modify entries in ept_next_level
    
    ept_next_level was passing a live PTE pointer to ept_set_middle_entry,
    which was then modified without taking into account that the PTE could
    be part of a live EPT table. This wasn't a security issue because the
    pages returned by p2m_alloc_ptp are zeroed, so adding such an entry
    before actually initializing it didn't allow a guest to access
    physical memory addresses it wasn't supposed to access.
    
    This is part of XSA-328.
    
    Reported-by: Jan Beulich <jbeulich@xxxxxxxx>
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: bc3d9f95d661372b059a5539ae6cb1e79435bb95
    master date: 2020-07-07 14:37:12 +0200
---
 xen/arch/x86/mm/p2m-ept.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index eb42248d56..61fc39bac5 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -307,6 +307,8 @@ static int ept_next_level(struct p2m_domain *p2m, bool_t 
read_only,
     ept_entry_t *ept_entry, *next = NULL, e;
     u32 shift, index;
 
+    ASSERT(next_level);
+
     shift = next_level * EPT_TABLE_ORDER;
 
     index = *gfn_remainder >> shift;
@@ -323,16 +325,20 @@ static int ept_next_level(struct p2m_domain *p2m, bool_t 
read_only,
 
     if ( !is_epte_present(&e) )
     {
+        int rc;
+
         if ( e.sa_p2mt == p2m_populate_on_demand )
             return GUEST_TABLE_POD_PAGE;
 
         if ( read_only )
             return GUEST_TABLE_MAP_FAILED;
 
-        next = ept_set_middle_entry(p2m, ept_entry);
+        next = ept_set_middle_entry(p2m, &e);
         if ( !next )
             return GUEST_TABLE_MAP_FAILED;
-        /* e is now stale and hence may not be used anymore below. */
+
+        rc = atomic_write_ept_entry(p2m, ept_entry, e, next_level);
+        ASSERT(rc == 0);
     }
     /* The only time sp would be set here is if we had hit a superpage */
     else if ( is_epte_superpage(&e) )
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.12



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.