Xen project Mailing List

[Xen-devel] [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat

From: "Liu, Jinsong" <jinsong.liu@xxxxxxxxx>

Date: Wed, 16 Oct 2013 18:33:40 +0000

Accept-language: en-US

Cc: Keir Fraser <keir@xxxxxxx>, "suravee.suthikulpanit@xxxxxxx" <suravee.suthikulpanit@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, "zhenzhong.duan@xxxxxxxxxx" <zhenzhong.duan@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "Auld, Will" <will.auld@xxxxxxxxx>, "Nakajima, Jun" <jun.nakajima@xxxxxxxxx>, "sherry.hurwitz@xxxxxxx" <sherry.hurwitz@xxxxxxx>

Delivery-date: Wed, 16 Oct 2013 18:34:17 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Thread-index: Ac7KnjvAnTP26Z/9RsyiAOjBphd31Q==

Thread-topic: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat

From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001 From: Liu Jinsong <jinsong.liu@xxxxxxxxx> Date: Thu, 17 Oct 2013 04:00:49 +0800 Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat Recently Oracle developers found a Xen security issue as DOS affecting, named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html Basically it involves how to handle guest cr0.cd setting, which under some environment it consumes much time resulting in DOS-like behavior. This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx> --- xen/arch/x86/hvm/vmx/vmcs.c | 4 ++-- xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 6526504..6916c6d 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v) vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W); vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W); - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W); } @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v) __vmwrite(EPT_POINTER, ept_get_eptp(ept)); } - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) + if ( paging_mode_hap(d) ) { u64 host_pat, guest_pat; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 9ca8632..b59bf59 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v) static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat) { - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) + if ( !paging_mode_hap(v->domain) ) return 0; vmx_vmcs_enter(v); @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void) return NULL; } - if ( cpu_has_vmx_ept ) + /* + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole + * which refer to http://xenbits.xen.org/xsa/advisory-60.html + */ + if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) { vmx_function_table.hap_supported = 1; -- 1.7.1

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.