[Xen-changelog] [xen stable-4.7] arm64: handle guest-generated EL1 asynchronous abort
commit a2d232da5b97360c4c6bf01396c792b82ffa1813 Author: Wei Chen <Wei.Chen@xxxxxxx> AuthorDate: Tue Nov 29 16:08:57 2016 +0100 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Nov 29 16:08:57 2016 +0100 arm64: handle guest-generated EL1 asynchronous abort In current code, when the hypervisor receives an asynchronous abort from a guest, the hypervisor will do panic, the host will be down. We have to prevent such security issue, so, in this patch we crash the guest, when the hypervisor receives an asynchronous abort from the guest. This is part of XSA-201. Signed-off-by: Wei Chen <Wei.Chen@xxxxxxx> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> Reviewed-by: Steve Capper <steve.capper@xxxxxxx> Reviewed-by: Julien Grall <Julien.Grall@xxxxxxx> master commit: 2cf7d2bafb9b68add1710b8c3f7ecad58e53a9db master date: 2016-11-29 15:57:52 +0100 --- xen/arch/arm/arm64/entry.S | 18 ++++++++++++------ xen/arch/arm/traps.c | 15 +++++++++++++++ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/xen/arch/arm/arm64/entry.S b/xen/arch/arm/arm64/entry.S index 9cda8f1..0ed0073 100644 --- a/xen/arch/arm/arm64/entry.S +++ b/xen/arch/arm/arm64/entry.S @@ -204,9 +204,12 @@ guest_fiq_invalid: entry hyp=0, compat=0 invalid BAD_FIQ -guest_error_invalid: +guest_error: entry hyp=0, compat=0 - invalid BAD_ERROR + msr daifclr, #2 + mov x0, sp + bl do_trap_guest_error + exit hyp=0, compat=0 guest_sync_compat: entry hyp=0, compat=1 @@ -225,9 +228,12 @@ guest_fiq_invalid_compat: entry hyp=0, compat=1 invalid BAD_FIQ -guest_error_invalid_compat: +guest_error_compat: entry hyp=0, compat=1 - invalid BAD_ERROR + msr daifclr, #2 + mov x0, sp + bl do_trap_guest_error + exit hyp=0, compat=1 ENTRY(return_to_new_vcpu32) exit hyp=0, compat=1 
@@ -286,12 +292,12 @@ ENTRY(hyp_traps_vector) ventry guest_sync // Synchronous 64-bit EL0/EL1 ventry guest_irq // IRQ 64-bit EL0/EL1 ventry guest_fiq_invalid // FIQ 64-bit EL0/EL1 - ventry guest_error_invalid // Error 64-bit EL0/EL1 + ventry guest_error // Error 64-bit EL0/EL1 ventry guest_sync_compat // Synchronous 32-bit EL0/EL1 ventry guest_irq_compat // IRQ 32-bit EL0/EL1 ventry guest_fiq_invalid_compat // FIQ 32-bit EL0/EL1 - ventry guest_error_invalid_compat // Error 32-bit EL0/EL1 + ventry guest_error_compat // Error 32-bit EL0/EL1 /* * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next) diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index aa3e3c2..b9cfdae 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -2645,6 +2645,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs) } } +asmlinkage void do_trap_guest_error(struct cpu_user_regs *regs) +{ + enter_hypervisor_head(regs); + + /* + * Currently, to ensure hypervisor safety, when we received a + * guest-generated vSerror/vAbort, we just crash the guest to protect + * the hypervisor. In future we can better handle this by injecting + * a vSerror/vAbort to the guest. + */ + gdprintk(XENLOG_WARNING, "Guest(Dom-%u) will be crashed by vSError\n", + current->domain->domain_id); + domain_crash_synchronous(); +} + asmlinkage void do_trap_irq(struct cpu_user_regs *regs) { enter_hypervisor_head(regs); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.7 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
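Review bot: in xen/arch/arm/arm64/entry.S, the new guest_error and guest_error_compat stubs unmask IRQs with `msr daifclr, #2` before `bl do_trap_guest_error`, and nothing in the stub says why. A one-line comment on each stub stating that IRQs are re-enabled for the C handler would help the next reader. If domain_crash_synchronous() never returns, the trailing `exit hyp=0, compat=0` and `exit hyp=0, compat=1` are unreachable for now and only matter once the handler injects the error into the guest, as the comment in traps.c anticipates; that is worth a note too. The two stubs differ only in the compat flag, so a shared macro would keep them from drifting apart.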
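Review bot: in do_trap_guest_error in xen/arch/arm/traps.c, the domain is crashed without recording anything from regs, so the only trace left is the domain id in the gdprintk line. Dumping the guest registers or the exception syndrome before domain_crash_synchronous() would make these crashes diagnosable after the fact. The terminology is also inconsistent: the comment says "vSerror/vAbort", the message says "vSError", and the commit message describes an asynchronous abort generated by the guest rather than a virtual one delivered to it. Using "SError" consistently in the comment and the log text would read more accurately.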