[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/svm: Fix svm_update_guest_efer() for domains using shadow paging



> From: Andrew Cooper [mailto:andrew.cooper3@xxxxxxxxxx]
> Sent: Saturday, October 6, 2018 1:02 AM
> 
> When using shadow paging, EFER.NX is a Xen controlled bit, and is required
> by
> the shadow pagefault handler to distinguish instruction fetches from data
> accesses.
> 
> This can be observed by a guest which has NX and SMEP clear but SMAP
> active by
> attempting to execute code on a user mapping.  The first attempt to build
> the
> target shadow will #PF so is handled by the shadow code, but when walking
> the
> the guest pagetables, the lack of PFEC_insn_fetch being signalled causes the
> shadow code to mistake the instruction fetch for a data fetch, and believe
> that it is a real guest fault.  As a result, the guest receives #PF[-d-srP]
> for an action which should complete successfully.
> 
> The suspicious-looking gymnastics with LME is actually a subtle corner case
> with shadow paging.  When dropping out of Long Mode, a guests choice of
> LME
> and Xen's choice of CR0.PG cause hardware to operate in Long Mode, but
> the
> shadow code to operate in 2-on-3 mode.
> 
> In addition to describing this corner case in the SVM side, extend the
> comment
> for the same fix on the VT-x side.  (I have a suspicion that I've just worked
> out why VT-x doesn't tolerate LMA != LME when Unrestricted Guest is clear.)
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.