Xen project Mailing List

[Xen-devel] [PATCH 2/3] XSA-60 security hole: remove the problematic vmx_set_uc_mode logic

From: "Liu, Jinsong" <jinsong.liu@xxxxxxxxx>

Date: Wed, 16 Oct 2013 18:36:05 +0000

Accept-language: en-US

Cc: Keir Fraser <keir@xxxxxxx>, "suravee.suthikulpanit@xxxxxxx" <suravee.suthikulpanit@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, "zhenzhong.duan@xxxxxxxxxx" <zhenzhong.duan@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "Auld, Will" <will.auld@xxxxxxxxx>, "Nakajima, Jun" <jun.nakajima@xxxxxxxxx>, "sherry.hurwitz@xxxxxxx" <sherry.hurwitz@xxxxxxx>

Delivery-date: Wed, 16 Oct 2013 18:36:38 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Thread-index: Ac7KnpIUm9Jc9IOuSOmjARMxwgkZHA==

Thread-topic: [PATCH 2/3] XSA-60 security hole: remove the problematic vmx_set_uc_mode logic

From 2a0dc13d14d63af67d12f181655dcc04783da83a Mon Sep 17 00:00:00 2001 From: Liu Jinsong <jinsong.liu@xxxxxxxxx> Date: Thu, 17 Oct 2013 04:45:11 +0800 Subject: [PATCH 2/3] XSA-60 security hole: remove the problematic vmx_set_uc_mode logic XSA-60 security hole comes from the problematic vmx_set_uc_mode. This patch remove vmx_set_uc_mode logic, which will be replaced by PAT approach at later patch. Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx> --- xen/arch/x86/hvm/hvm.c | 2 - xen/arch/x86/hvm/mtrr.c | 3 - xen/arch/x86/hvm/vmx/vmx.c | 9 --- xen/arch/x86/mm/p2m-ept.c | 120 ----------------------------------------- xen/include/asm-x86/hvm/hvm.h | 1 - 5 files changed, 0 insertions(+), 135 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index de81e45..688a943 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1619,8 +1619,6 @@ static void hvm_set_uc_mode(struct vcpu *v, bool_t is_in_uc_mode) { v->domain->arch.hvm_domain.is_in_uc_mode = is_in_uc_mode; shadow_blow_tables_per_domain(v->domain); - if ( hvm_funcs.set_uc_mode ) - return hvm_funcs.set_uc_mode(v); } int hvm_mov_to_cr(unsigned int cr, unsigned int gpr) diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c index ef51a8d..4ff1e55 100644 --- a/xen/arch/x86/hvm/mtrr.c +++ b/xen/arch/x86/hvm/mtrr.c @@ -696,9 +696,6 @@ uint8_t epte_get_entry_emt(struct domain *d, unsigned long gfn, mfn_t mfn, if ( !v->domain->arch.hvm_domain.params[HVM_PARAM_IDENT_PT] ) return MTRR_TYPE_WRBACK; - if ( (v == current) && v->domain->arch.hvm_domain.is_in_uc_mode ) - return MTRR_TYPE_UNCACHABLE; - if ( !mfn_valid(mfn_x(mfn)) ) return MTRR_TYPE_UNCACHABLE; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index b59bf59..6dedb29 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -1392,14 +1392,6 @@ static int vmx_event_pending(struct vcpu *v) return intr_info & INTR_INFO_VALID_MASK; } -static void vmx_set_uc_mode(struct vcpu *v) -{ - if ( paging_mode_hap(v->domain) ) - ept_change_entry_emt_with_range( - v->domain, 0, p2m_get_hostp2m(v->domain)->max_mapped_pfn); - hvm_asid_flush_vcpu(v); -} - static void vmx_set_info_guest(struct vcpu *v) { unsigned long intr_shadow; @@ -1558,7 +1550,6 @@ static struct hvm_function_table __initdata vmx_function_table = { .msr_read_intercept = vmx_msr_read_intercept, .msr_write_intercept = vmx_msr_write_intercept, .invlpg_intercept = vmx_invlpg_intercept, - .set_uc_mode = vmx_set_uc_mode, .set_info_guest = vmx_set_info_guest, .set_rdtsc_exiting = vmx_set_rdtsc_exiting, .nhvm_vcpu_initialise = nvmx_vcpu_initialise, diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index 595c6e7..92d9e2d 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -587,44 +587,6 @@ out: return mfn; } -/* WARNING: Only caller doesn't care about PoD pages. So this function will - * always return 0 for PoD pages, not populate them. If that becomes necessary, - * pass a p2m_query_t type along to distinguish. */ -static ept_entry_t ept_get_entry_content(struct p2m_domain *p2m, - unsigned long gfn, int *level) -{ - ept_entry_t *table = map_domain_page(pagetable_get_pfn(p2m_get_pagetable(p2m))); - unsigned long gfn_remainder = gfn; - ept_entry_t *ept_entry; - ept_entry_t content = { .epte = 0 }; - u32 index; - int i; - int ret=0; - struct ept_data *ept = &p2m->ept; - - /* This pfn is higher than the highest the p2m map currently holds */ - if ( gfn > p2m->max_mapped_pfn ) - goto out; - - for ( i = ept_get_wl(ept); i > 0; i-- ) - { - ret = ept_next_level(p2m, 1, &table, &gfn_remainder, i); - if ( !ret || ret == GUEST_TABLE_POD_PAGE ) - goto out; - else if ( ret == GUEST_TABLE_SUPER_PAGE ) - break; - } - - index = gfn_remainder >> (i * EPT_TABLE_ORDER); - ept_entry = table + index; - content = *ept_entry; - *level = i; - - out: - unmap_domain_page(table); - return content; -} - void ept_walk_table(struct domain *d, unsigned long gfn) { struct p2m_domain *p2m = p2m_get_hostp2m(d); @@ -677,88 +639,6 @@ out: } /* - * To test if the new emt type is the same with old, - * return 1 to not to reset ept entry. - */ -static int need_modify_ept_entry(struct p2m_domain *p2m, unsigned long gfn, - mfn_t mfn, uint8_t o_ipat, uint8_t o_emt, - p2m_type_t p2mt) -{ - uint8_t ipat; - uint8_t emt; - bool_t direct_mmio = (p2mt == p2m_mmio_direct); - - emt = epte_get_entry_emt(p2m->domain, gfn, mfn, &ipat, direct_mmio); - - if ( (emt == o_emt) && (ipat == o_ipat) ) - return 0; - - return 1; -} - -void ept_change_entry_emt_with_range(struct domain *d, - unsigned long start_gfn, - unsigned long end_gfn) -{ - unsigned long gfn; - ept_entry_t e; - mfn_t mfn; - int order = 0; - struct p2m_domain *p2m = p2m_get_hostp2m(d); - int rc; - - p2m_lock(p2m); - for ( gfn = start_gfn; gfn <= end_gfn; gfn++ ) - { - int level = 0; - uint64_t trunk = 0; - - e = ept_get_entry_content(p2m, gfn, &level); - if ( !is_epte_present(&e) || !p2m_has_emt(e.sa_p2mt) ) - continue; - - order = 0; - mfn = _mfn(e.mfn); - - if ( is_epte_superpage(&e) ) - { - while ( level ) - { - trunk = (1UL << (level * EPT_TABLE_ORDER)) - 1; - if ( !(gfn & trunk) && (gfn + trunk <= end_gfn) ) - { - /* gfn assigned with 2M or 1G, and the end covers more than - * the super page areas. - * Set emt for super page. - */ - order = level * EPT_TABLE_ORDER; - if ( need_modify_ept_entry(p2m, gfn, mfn, - e.ipat, e.emt, e.sa_p2mt) ) - { - rc = ept_set_entry(p2m, gfn, mfn, order, - e.sa_p2mt, e.access); - ASSERT(rc); - } - gfn += trunk; - break; - } - level--; - } - } - else /* gfn assigned with 4k */ - { - if ( need_modify_ept_entry(p2m, gfn, mfn, - e.ipat, e.emt, e.sa_p2mt) ) - { - rc = ept_set_entry(p2m, gfn, mfn, order, e.sa_p2mt, e.access); - ASSERT(rc); - } - } - } - p2m_unlock(p2m); -} - -/* * Walk the whole p2m table, changing any entries of the old type * to the new type. This is used in hardware-assisted paging to * quickly enable or diable log-dirty tracking diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h index 3376418..8dd2b40 100644 --- a/xen/include/asm-x86/hvm/hvm.h +++ b/xen/include/asm-x86/hvm/hvm.h @@ -156,7 +156,6 @@ struct hvm_function_table { int (*msr_read_intercept)(unsigned int msr, uint64_t *msr_content); int (*msr_write_intercept)(unsigned int msr, uint64_t msr_content); void (*invlpg_intercept)(unsigned long vaddr); - void (*set_uc_mode)(struct vcpu *v); void (*set_info_guest)(struct vcpu *v); void (*set_rdtsc_exiting)(struct vcpu *v, bool_t); -- 1.7.1

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.