From: "Jan Beulich" <JBeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH for-4.7 v2 2/2] xen/x86: Introduce a new VMASSIST for architectural behaviour of iopl
Date: Thu, 07 Apr 2016 16:53:53 -0600 [thread overview]
Message-ID: <5706F31102000078000E6043@prv-mh.provo.novell.com> (raw)
In-Reply-To: <5706DF7B.5030002@citrix.com>
>>> On 08.04.16 at 00:30, <andrew.cooper3@citrix.com> wrote:
> On 07/04/2016 22:55, Jan Beulich wrote:
>>>>> On 07.04.16 at 23:39, <andrew.cooper3@citrix.com> wrote:
>>> @@ -1763,7 +1765,8 @@ static void load_segments(struct vcpu *n)
>>> vcpu_info(n, evtchn_upcall_mask) = 1;
>>>
>>> regs->entry_vector |= TRAP_syscall;
>>> - regs->_eflags &= 0xFFFCBEFFUL;
>>> + regs->_eflags &= ~(X86_EFLAGS_AC|X86_EFLAGS_VM|X86_EFLAGS_RF|
>>> + X86_EFLAGS_NT|X86_EFLAGS_IOPL|X86_EFLAGS_TF);
>> Why AC, which didn't get cleared before? Did you just copy
>> the 64-bit variant from below?
>
> Yes,
>
>> Assuming so, with it removed Reviewed-by: Jan Beulich <jbeulich@suse.com>
>
> Why keep the disparity?
Because there's no reason to clear AC for 32-bit guests.
> Looking this up again, architecturally speaking, its wrong. AC does not
> get cleared on a 32 or 64bit task switch; It only gets cleared on a real
> mode task switch.
Not sure what meaning of "task switch" you're implying here -
we're talking about code dealing with certain failures in the
PV context switch path, which has nothing to do with hardware
task switching.
> I presume you are refering to c/s eb97b7dc2b "[XEN] Fix x86/64 bug where
> a guest application can crash the guest OS by setting AC flag in
> RFLAGS.", from 2006? Such a PV VM is already vulnerable from other
> means. I suppose this explains why 32bit PV kernels end up leaking AC
> back into userspace.
Nor do I understand your reference to leaking whatever state
into user space: We're injecting a failsafe callback here, i.e.
guest execution is guaranteed to resume in kernel space.
The difference here mirrors the difference between
compat_create_bounce_frame and create_bounce_frame in
regard to what parts of EFLAGS they clear.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-04-07 22:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-07 21:39 [PATCH for-4.7 v2 1/2] xen/x86: Remove the use of vm86_mode() Andrew Cooper
2016-04-07 21:39 ` [PATCH for-4.7 v2 2/2] xen/x86: Introduce a new VMASSIST for architectural behaviour of iopl Andrew Cooper
2016-04-07 21:55 ` Jan Beulich
2016-04-07 22:30 ` Andrew Cooper
2016-04-07 22:53 ` Jan Beulich [this message]
2016-04-07 23:05 ` Andrew Cooper
2016-04-08 9:30 ` [PATCH for-4.7 v3 " Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5706F31102000078000E6043@prv-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).