[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001 From: Liu Jinsong <jinsong.liu@xxxxxxxxx> Date: Thu, 17 Oct 2013 04:00:49 +0800 Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat Recently Oracle developers found a Xen security issue as DOS affecting, named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html Basically it involves how to handle guest cr0.cd setting, which under some environment it consumes much time resulting in DOS-like behavior. This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx> --- xen/arch/x86/hvm/vmx/vmcs.c | 4 ++-- xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 6526504..6916c6d 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v) vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W); - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W); } @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v) __vmwrite(EPT_POINTER, ept_get_eptp(ept)); } - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) { u64 host_pat, guest_pat; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 9ca8632..b59bf59 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v) static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void) return NULL; } - if ( cpu_has_vmx_ept ) + /* + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole + * which refer to http://xenbits.xen.org/xsa/advisory-60.html + */ + if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) { vmx_function_table.hap_supported = 1; -- 1.7.1 Attachment:
0001-XSA-60-security-hole-disable-EPT-when-cpu_has_vmx_pa.patch _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |