Re: [Xen-devel] [PATCH] x86/svm: Fix svm_update_guest_efer() for domains using shadow paging
> From: Andrew Cooper [mailto:andrew.cooper3@xxxxxxxxxx]
> Sent: Saturday, October 6, 2018 1:02 AM
>
> When using shadow paging, EFER.NX is a Xen controlled bit, and is required by
> the shadow pagefault handler to distinguish instruction fetches from data
> accesses.
>
> This can be observed by a guest which has NX and SMEP clear but SMAP active by
> attempting to execute code on a user mapping. The first attempt to build the
> target shadow will #PF so is handled by the shadow code, but when walking the
> guest pagetables, the lack of PFEC_insn_fetch being signalled causes the
> shadow code to mistake the instruction fetch for a data fetch, and believe
> that it is a real guest fault. As a result, the guest receives #PF[-d-srP]
> for an action which should complete successfully.
>
> The suspicious-looking gymnastics with LME is actually a subtle corner case
> with shadow paging. When dropping out of Long Mode, a guest's choice of LME
> and Xen's choice of CR0.PG cause hardware to operate in Long Mode, but the
> shadow code to operate in 2-on-3 mode.
>
> In addition to describing this corner case in the SVM side, extend the comment
> for the same fix on the VT-x side. (I have a suspicion that I've just worked
> out why VT-x doesn't tolerate LMA != LME when Unrestricted Guest is clear.)
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Kevin Tian <kevin.tian@xxxxxxxxx>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel