[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap()

commit 9b0c2a223132a07f06f0be8e85da390defe998f5
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Thu Nov 16 12:14:57 2017 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Nov 16 12:14:57 2017 +0100

    x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap()
    
    The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change
    in behaviour for sh_guest_wrmap(), where it had to cope with no shadow 
linear
    mapping being present.
    
    As the name suggests, guest_vtable is a mapping of the guests pagetable, not
    Xen's pagetable, meaning that it isn't the pagetable we need to check for 
the
    shadow linear slot in.
    
    The practical upshot is that a shadow HVM vcpu which switches into 4-level
    paging mode, with an L4 pagetable that contains a mapping which aliases 
Xen's
    SH_LINEAR_PT_VIRT_START will fool the safety check for whether a 
SHADOW_LINEAR
    mapping is present.  As the check passes (when it should have failed), Xen
    subsequently falls over the missing mapping with a pagefault such as:
    
        (XEN) Pagetable walk from ffff8140a0503880:
        (XEN)  L4[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L3[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L2[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L1[0x103] = 0000000000000000 ffffffffffffffff
    
    This is part of XSA-243.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Tim Deegan <tim@xxxxxxx>
---
 xen/arch/x86/mm/shadow/multi.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index cb8ddde..0242b8e 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -4282,11 +4282,18 @@ static int sh_guess_wrmap(struct vcpu *v, unsigned long 
vaddr, mfn_t gmfn)
 
     /* Carefully look in the shadow linear map for the l1e we expect */
 #if SHADOW_PAGING_LEVELS >= 4
-    /* Is a shadow linear map is installed in the first place? */
-    sl4p  = v->arch.paging.shadow.guest_vtable;
-    sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START);
-    if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-        return 0;
+    /*
+     * Non-external guests (i.e. PV) have a SHADOW_LINEAR mapping from the
+     * moment their shadows are created.  External guests (i.e. HVM) may not,
+     * but always have a regular linear mapping, which we can use to observe
+     * whether a SHADOW_LINEAR mapping is present.
+     */
+    if ( paging_mode_external(d) )
+    {
+        sl4p =  __linear_l4_table + l4_linear_offset(SH_LINEAR_PT_VIRT_START);
+        if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
+            return 0;
+    }
     sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr);
     if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
         return 0;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.