Re: [Xen-devel] [RFC] x86: possible problem with guest_walk_tables()
>>> On 21.03.11 at 13:33, Tim Deegan <Tim.Deegan@xxxxxxxxxx> wrote:
> At 11:45 +0000 on 21 Mar (1300707922), Jan Beulich wrote:
>> The PSE handling doesn't check bits 1...8 (or 1...9 for non-PAE guests)
>> being zero, thus allowing bad (not 2Mb/4Mb aligned) large pages to be
>> handled (afaict potentially allowing the guest to access foreign memory).
>
> I don't think this allows access to foreign memory, since these
> pagetables are in GFN-space.

Yes, if this is really only GFN space, then it would "just" result in
bad translations getting installed, possibly conflicting with others
(e.g. in cache attributes).

>> Below is a possible fix, but unfortunately it doesn't work for
>> GUEST_PAGING_LEVELS == 2, since _PAGE_INVALID_BITS is zero
>> there.
>
> What does real hardware do in this case? IIRC 32-bit non-PAE doesn't
> have an "invalid bit set" error code to use in pagefaults.
> /me supposes he had better check...

The bits are marked reserved (minus the PSE-36 feature), and the manual
doesn't make any distinction between the various paging modes when it
comes to error code bits other than bit 4. I therefore think that on
newer CPUs you would see bit 3 set in this case (minus errata). Hence I
think forcing a page fault in this case would be correct.

Leaving aside the non-PAE case, does the fix presented look reasonable?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
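The reserved-bit check the thread is discussing, written out as an added example for both guest paging modes (this is illustration code, not Xen's guest_walk_tables() or the fix under review; the macro names, the `levels`/`pse36` parameters and the sample entries are assumed). It covers the non-PAE case as well, where the PSE-36 upper address bits have to be excluded from the reserved mask:

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed constants (not Xen's): PSE page-directory-entry layout. */
#define PDE_PSE        (1ULL << 7)   /* page size bit */
#define PSE_PAT_BIT    12            /* bit 12 is PAT in a PSE PDE, not reserved */
#define PSE_2M_SHIFT   21            /* PAE / long mode: 2 MiB large pages */
#define PSE_4M_SHIFT   22            /* non-PAE 32-bit: 4 MiB large pages */

/*
 * Bits of a PSE PDE that must be zero for the large page to be aligned:
 *  - 3/4 levels (PAE, long mode): PDE bits 20:13, i.e. frame bits 1..8.
 *  - 2 levels (non-PAE):          PDE bits 21:13, i.e. frame bits 1..9,
 *    except that with PSE-36 bits 20:13 hold physical address bits 39:32
 *    and only bit 21 remains reserved.
 */
static inline uint64_t pse_reserved_mask(unsigned int levels, bool pse36)
{
    uint64_t low = (1ULL << (PSE_PAT_BIT + 1)) - 1;     /* bits 12:0 */

    if (levels == 2) {
        uint64_t mask = ((1ULL << PSE_4M_SHIFT) - 1) & ~low;
        return pse36 ? (mask & ~(0xffULL << 13)) : mask;
    }
    return ((1ULL << PSE_2M_SHIFT) - 1) & ~low;
}

/* A PSE PDE is well formed only if PSE is set and no reserved bit is. */
bool pse_pde_is_valid(uint64_t pde, unsigned int levels, bool pse36)
{
    return (pde & PDE_PSE) && !(pde & pse_reserved_mask(levels, pse36));
}

/* Base address the large page maps, for an entry that passed the check. */
uint64_t pse_pde_base(uint64_t pde, unsigned int levels, bool pse36)
{
    if (levels == 2) {
        uint64_t base = pde & ~((1ULL << PSE_4M_SHIFT) - 1) & 0xffffffffULL;
        if (pse36)
            base |= ((pde >> 13) & 0xffULL) << 32;   /* PSE-36 bits 39:32 */
        return base;
    }
    /* 52-bit physical address; NX (bit 63) and bits 62:52 are not address. */
    return pde & ~((1ULL << PSE_2M_SHIFT) - 1) & ((1ULL << 52) - 1);
}
```

An entry such as 0x202083 (present, writable, PSE, but only 4 KiB aligned) is rejected in PAE mode, which is the case the walker would otherwise accept and install a bad translation for.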