[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.4] x86/HVM: properly bound x2APIC MSR range
commit c6de14eebd7b414c25094e942f24b2791d7c66c2 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Wed Oct 1 14:59:00 2014 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Wed Oct 1 14:59:00 2014 +0200 x86/HVM: properly bound x2APIC MSR range While the write path change appears to be purely cosmetic (but still gets done here for consistency), the read side mistake permitted accesses beyond the virtual APIC page. Note that while this isn't fully in line with the specification (digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal possible fix addressing the security issue and getting x2APIC related code into a consistent shape (elsewhere a 256 rather than 1024 wide window is being used too). This will be dealt with subsequently. This is CVE-2014-7188 / XSA-108. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: 61fdda7acf3de11f3d50d50e5b4f4ecfac7e0d04 master date: 2014-10-01 14:54:47 +0200 --- xen/arch/x86/hvm/hvm.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index be1a2d3..3289604 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3022,7 +3022,7 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content) *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_read(v, msr, msr_content) ) goto gp_fault; break; @@ -3148,7 +3148,7 @@ int hvm_msr_write_intercept(unsigned int msr, uint64_t msr_content) vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); break; - case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: + case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: if ( hvm_x2apic_msr_write(v, msr, msr_content) ) goto gp_fault; break; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.4 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |