[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH v3 0/12] xen: arm: reenable support for 32-bit userspace running in 64-bit guest.

To: xen-devel <xen-devel@xxxxxxxxxxxxx>
From: Ian Campbell <ian.campbell@xxxxxxxxxx>
Date: Wed, 25 Mar 2015 14:22:19 +0000
Cc: Julien Grall <julien.grall@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>
Delivery-date: Wed, 25 Mar 2015 14:31:17 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

XSA-102/CVE-2014-5147[0] concerned a crash when trapping from 32-bit
userspace in a 64-bit guest. Part of that security patch was c0020e09970
"xen: arm: Handle traps from 32-bit userspace on 64-bit kernel as undef
fix" which turned the exploitable crash into a #undef to the guest (so
as to kill the process but not the host) as a workaround for the issue.

However while this prevented the exploit it did not make 32-bit
userspaces which were prone to triggering the issue actually work.

This series consists of some patches which I originally wrote for
XSA-102 to fix the issue properly before it was determined that those
fixes were too invasive by far for a security update. At the end of the
series is a new patch which removes the XSA-102 workaround since all
problematic traps should now be handled.

Since these were originally intended to be the security fix they have
had a fair bit of scrutiny already in private . However since there is
now a risk of reintroducing XSA-102 I would appreciate a pretty thorough
second pair of eyes on it this time around.

I've tested this with a local utility which tries to access the various
cp and system registers from both 32- and 64-bit processes and checks
that they either work or give the expected traps. Since this tool is
effectively an exploit for XSA-102 I'm not sharing here but if you ask
nicely and appear to be wearing the correct colour hat I might share it
with you (it's not terribly impressive, so don't get too excited).

Since last time I've implemented Julien's review feedback including:
      * added the GUEST_BUG_ON patch to the end to replace the BUG_ONs
        due to invalid h/w state, which gets more useful debug if that
        occurs.
      * handled CNTP_CVAL_EL0.

Ian.

[0] http://xenbits.xen.org/xsa/advisory-102.html




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- [Xen-devel] [PATCH 04/12] xen: arm: Factor out psr_mode_is_user
  - From: Ian Campbell
- [Xen-devel] [PATCH 06/12] xen: arm: correctly handle vtimer traps from userspace
  - From: Ian Campbell
- [Xen-devel] [PATCH 01/12] xen: arm: Correct PMXEV cp register definitions
  - From: Ian Campbell
- [Xen-devel] [PATCH 03/12] xen: arm: Use ARMv8 names for CNTHCTL_EL2 bits
  - From: Ian Campbell
- [Xen-devel] [PATCH 05/12] xen: arm: Handle 32-bit EL0 on 64-bit EL1 when advancing PC after trap
  - From: Ian Campbell
- [Xen-devel] [PATCH 07/12] xen: arm: Handle CP15 register traps from userspace
  - From: Ian Campbell
- [Xen-devel] [PATCH 10/12] xen: arm: handle remaining traps from userspace
  - From: Ian Campbell
- [Xen-devel] [PATCH 08/12] xen: arm: Handle CP14 32-bit register accesses from userspace
  - From: Ian Campbell
- [Xen-devel] [PATCH 09/12] xen: arm: correctly handle sysreg accesses from userspace
  - From: Ian Campbell
- [Xen-devel] [PATCH 12/12] xen: arm: Dump guest state when invalid trap state is detected
  - From: Ian Campbell

Prev by Date: [Xen-devel] [PATCH 07/12] xen: arm: Handle CP15 register traps from userspace
Next by Date: [Xen-devel] [PATCH 05/12] xen: arm: Handle 32-bit EL0 on 64-bit EL1 when advancing PC after trap
Previous by thread: [Xen-devel] [PATCH OSSTEST] ts-host-install: Arrange for ssh logins to have no corefile size limit
Next by thread: [Xen-devel] [PATCH 12/12] xen: arm: Dump guest state when invalid trap state is detected
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.