[Xen-devel] Ability to crash a HVM guest by accessing /dev/hpet

[Stefan Bader <stefan.bader@xxxxxxxxxxxxx>]

This seems to have been found by us[1] and Citrix[2] recently. To trigger this
one needs to be root in the guest, so it is not super critical but still it
seems to be a bit harsh that purely opening /dev/hpet read-only is leading to a
domain crash via xen/arch/x86/hvm/hpet.c@375(hpet_write):

    case HPET_Tn_CFG(0):
    case HPET_Tn_CFG(1):
    case HPET_Tn_CFG(2):
        tn = HPET_TN(CFG, addr);

        h->hpet.timers[tn].config = hpet_fixup_reg(new_val, old_val, 0x3f4e);

        if ( timer_level(h, tn) )
        {
            gdprintk(XENLOG_ERR,
                     "HPET: level triggered interrupt not supported now\n");
            domain_crash(current->domain);
            break;
        }

The default in Linux seems to be level triggered. I wonder whether there would
be any possible way to make this return as some error instead of blowing up?

-Stefan

[1] https://bugs.launchpad.net/bugs/1741409
[2]
https://bugs.xenserver.org/browse/XSO-809?focusedCommentId=16484&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel