
Re: [Xen-devel] [PATCH] x86/HVM: only kill guest when unknown VM exit occurred in guest kernel mode



> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Thursday, October 30, 2014 10:43 PM
> 
> A recent KVM change by Nadav Amit <namit@xxxxxxxxxxxxxxxxx> pointed out
> that unconditional VM exits (like VMX'es ones for the INVEPT, INVVPID,
> and XSETBV instructions) may result from guest user mode activity (in
> the example cases, e.g. prior to a privilege level check being done).
> Consequently convert the unconditional domain_crash() to a conditional
> one (when guest is in kernel mode) with the alternative of injecting
> #UD (when in user mode).
> 
> This is meant to be a precaution against in-guest security issues
> introduced when any such VM exit becomes possible (on newer hardware)
> without the hypervisor immediately being aware of it. There are no such
> unhandled VM exits currently (and hence this is not an active security
> issue), but old (no longer security maintained) versions exhibit issues
> in the cases given as examples above.
> 
> Suggested-by: Tim Deegan <tim@xxxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Kevin Tian <kevin.tian@xxxxxxxxx>

> 
> --- a/xen/arch/x86/hvm/svm/svm.c
> +++ b/xen/arch/x86/hvm/svm/svm.c
> @@ -2680,7 +2680,11 @@ void svm_vmexit_handler(struct cpu_user_
>                   "exitinfo1 = %#"PRIx64", exitinfo2 = %#"PRIx64"\n",
>                   exit_reason,
>                   (u64)vmcb->exitinfo1, (u64)vmcb->exitinfo2);
> -        domain_crash(v->domain);
> +        if ( vmcb_get_cpl(vmcb) )
> +            hvm_inject_hw_exception(TRAP_invalid_op,
> +
> HVM_DELIVER_NO_ERROR_CODE);
> +        else
> +            domain_crash(v->domain);
>          break;
>      }
> 
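Review bot: The new vmcb_get_cpl(vmcb) test carries no comment saying why a non-zero CPL gets #UD instead of a domain crash, and the log call directly above it is left untouched although this path no longer always ends in domain_crash(). Suggest a one-line comment above the if, for example "unknown exit raised from guest user mode: inject #UD rather than kill the domain". The VMX hunk in this patch lowers its message to XENLOG_WARNING; if the gdprintk here (its first line is outside the visible context) still uses XENLOG_ERR, change it to match.
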
> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -3157,8 +3157,19 @@ void vmx_vmexit_handler(struct cpu_user_
>      /* fall through */
>      default:
>      exit_and_crash:
> -        gdprintk(XENLOG_ERR, "Bad vmexit (reason %#lx)\n", exit_reason);
> -        domain_crash(v->domain);
> +        {
> +            struct segment_register ss;
> +
> +            gdprintk(XENLOG_WARNING, "Bad vmexit (reason %#lx)\n",
> +                     exit_reason);
> +
> +            vmx_get_segment_register(v, x86_seg_ss, &ss);
> +            if ( ss.attr.fields.dpl )
> +                hvm_inject_hw_exception(TRAP_invalid_op,
> +
> HVM_DELIVER_NO_ERROR_CODE);
> +            else
> +                domain_crash(v->domain);
> +        }
>          break;
>      }
> 
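Review bot: The exit_and_crash label no longer always crashes: with the ss.attr.fields.dpl test placed under the label, every path that jumps there, not only the default: case, now gets #UD when the guest is at a non-zero privilege level. Any goto exit_and_crash sites elsewhere in vmx_vmexit_handler() (not visible in this hunk) should be checked to confirm that outcome is wanted for each; if some must still crash unconditionally, separate the default: case from the label so only unknown exit reasons take the conditional path. A short comment that SS.DPL is being read as the guest's CPL would help, and the label name could be updated to reflect the new behaviour.
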
> 
> 

