From: "Jan Beulich" <JBeulich@suse.com>
To: "xen-devel" <xen-devel@lists.xenproject.org>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: [Xen-devel] [PATCH 5/9] x86/HVM: refuse CR3 loads with reserved (upper) bits set
Date: Thu, 02 May 2019 06:20:58 -0600
Message-ID: <5CCAE0AA020000780022B30A@prv1-mh.provo.novell.com>
Message-ID: <20190502122058.TMNMSiSUpRmx6o7MYB4z8lrdqAqvIQWNT44SvjnDoDY@z>
In-Reply-To: <5CCAD5ED020000780022B2A2@prv1-mh.provo.novell.com>
While bits 11 and below are, if not used for other purposes, reserved
but ignored, bits beyond physical address width are supposed to raise
exceptions (at least in the non-nested case; I'm not convinced the
current nested SVM/VMX behavior of raising #GP(0) here is correct, but
that's not the subject of this change).
Introduce currd as a local variable, and replace other v->domain
instances at the same time.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -1003,6 +1003,13 @@ static int hvm_load_cpu_ctxt(struct doma
return -EINVAL;
}
+ if ( ctxt.cr3 & ~((1UL << d->arch.cpuid->extd.maxphysaddr) - 1) )
+ {
+ printk(XENLOG_G_ERR "HVM%d restore: bad CR3 %#" PRIx64 "\n",
+ d->domain_id, ctxt.cr3);
+ return X86EMUL_EXCEPTION;
+ }
+
if ( (ctxt.flags & ~XEN_X86_FPU_INITIALISED) != 0 )
{
gprintk(XENLOG_ERR, "bad flags value in CPU context: %#x\n",
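Review bot: the new CR3 check in hvm_load_cpu_ctxt() returns X86EMUL_EXCEPTION, but this is the save/restore path, where every other rejected value reports an errno (see the `return -EINVAL;` immediately above the hunk and the flags check right after it); an X86EMUL_* status is not meaningful to that caller, so suggest `return -EINVAL;` here to match. As a readability point, `ctxt.cr3 >> d->arch.cpuid->extd.maxphysaddr` expresses "any bit at or above the physical address width is set" more directly than building and inverting a `(1UL << maxphysaddr) - 1` mask, and the same expression would then be usable unchanged in hvm_set_cr3().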
@@ -2284,10 +2291,19 @@ int hvm_set_cr0(unsigned long value, boo
int hvm_set_cr3(unsigned long value, bool noflush, bool may_defer)
{
struct vcpu *v = current;
+ struct domain *currd = v->domain;
struct page_info *page;
unsigned long old = v->arch.hvm.guest_cr[3];
- if ( may_defer && unlikely(v->domain->arch.monitor.write_ctrlreg_enabled &
+ if ( value & ~((1UL << currd->arch.cpuid->extd.maxphysaddr) - 1) )
+ {
+ HVM_DBG_LOG(DBG_LEVEL_1,
+ "Attempt to set reserved CR3 bit(s): %lx",
+ value);
+ return X86EMUL_EXCEPTION;
+ }
+
+ if ( may_defer && unlikely(currd->arch.monitor.write_ctrlreg_enabled &
monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3)) )
{
ASSERT(v->arch.vm_event);
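Review bot: placing the reserved-bit check ahead of the write_ctrlreg vm_event deferral is the right order, since a CR3 write that faults in the guest should never be reported to a monitor as a completed control-register write; however the `return X86EMUL_EXCEPTION;` leaves it to every caller to know which exception to inject, and the commit message itself flags uncertainty about the nested SVM/VMX #GP(0) behaviour, so a one-line comment at the return stating the intended exception (#GP(0)) would document the contract this function now imposes. Minor: the mask expression is duplicated verbatim from hvm_load_cpu_ctxt(); a shared `value >> currd->arch.cpuid->extd.maxphysaddr` test (or a tiny static inline helper) keeps the two checks from drifting apart, and including the enforced width in the HVM_DBG_LOG message would make the log line actionable when it fires.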
@@ -2303,13 +2319,12 @@ int hvm_set_cr3(unsigned long value, boo
}
}
- if ( hvm_paging_enabled(v) && !paging_mode_hap(v->domain) &&
+ if ( hvm_paging_enabled(v) && !paging_mode_hap(currd) &&
(value != v->arch.hvm.guest_cr[3]) )
{
/* Shadow-mode CR3 change. Check PDBR and update refcounts. */
HVM_DBG_LOG(DBG_LEVEL_VMMU, "CR3 value = %lx", value);
- page = get_page_from_gfn(v->domain, value >> PAGE_SHIFT,
- NULL, P2M_ALLOC);
+ page = get_page_from_gfn(currd, value >> PAGE_SHIFT, NULL, P2M_ALLOC);
if ( !page )
goto bad_cr3;
@@ -2325,7 +2340,7 @@ int hvm_set_cr3(unsigned long value, boo
bad_cr3:
gdprintk(XENLOG_ERR, "Invalid CR3\n");
- domain_crash(v->domain);
+ domain_crash(currd);
return X86EMUL_UNHANDLEABLE;
}