
Re: [Xen-devel] [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat



On 17/10/13 10:58, Jan Beulich wrote:
>>>> On 16.10.13 at 20:33, "Liu, Jinsong" <jinsong.liu@xxxxxxxxx> wrote:
>> From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
>> From: Liu Jinsong <jinsong.liu@xxxxxxxxx>
>> Date: Thu, 17 Oct 2013 04:00:49 +0800
>> Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
>>
>> Oracle developers recently found a Xen security issue with a
>> denial-of-service (DoS) impact, tracked as XSA-60. Please refer to
>> http://xenbits.xen.org/xsa/advisory-60.html
>> It concerns how the guest's cr0.cd setting is handled: in some
>> environments this takes so long that it results in DoS-like behavior.
>>
>> This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
>> via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.
>>
>> Signed-off-by: Liu Jinsong <jinsong.liu@xxxxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

>
>> ---
>>  xen/arch/x86/hvm/vmx/vmcs.c |    4 ++--
>>  xen/arch/x86/hvm/vmx/vmx.c  |   10 +++++++---
>>  2 files changed, 9 insertions(+), 5 deletions(-)
>>
>> diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
>> index 6526504..6916c6d 100644
>> --- a/xen/arch/x86/hvm/vmx/vmcs.c
>> +++ b/xen/arch/x86/hvm/vmx/vmcs.c
>> @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
>>          vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | 
>> MSR_TYPE_W);
>>          vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R 
>> | MSR_TYPE_W);
>>          vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R 
>> | MSR_TYPE_W);
>> -        if ( cpu_has_vmx_pat && paging_mode_hap(d) )
>> +        if ( paging_mode_hap(d) )
>>              vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | 
>> MSR_TYPE_W);
>>      }
>>  
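Review bot: Dropping `cpu_has_vmx_pat` from this test makes the PAT handling depend on an invariant that is only established in `start_vmx` (HAP is offered only when `cpu_has_vmx_pat` holds), and nothing at the use site records or enforces it. The same applies to the second `construct_vmcs` hunk and to `vmx_set_guest_pat` / `vmx_get_guest_pat`. If `hap_supported` were ever set by another route, these paths would presumably stop intercepting the PAT MSR and touch the PAT VMCS fields on hardware without that support; the accesses themselves lie outside the visible hunks. I would document the dependency at each site, e.g. `/* HAP implies cpu_has_vmx_pat, see start_vmx() */`, and add `ASSERT(cpu_has_vmx_pat);` as the first statement of the braced `paging_mode_hap(d)` block in the second hunk. `construct_vmcs` starts and ends outside the hunk.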
>> @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
>>          __vmwrite(EPT_POINTER, ept_get_eptp(ept));
>>      }
>>  
>> -    if ( cpu_has_vmx_pat && paging_mode_hap(d) )
>> +    if ( paging_mode_hap(d) )
>>      {
>>          u64 host_pat, guest_pat;
>>  
>> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
>> index 9ca8632..b59bf59 100644
>> --- a/xen/arch/x86/hvm/vmx/vmx.c
>> +++ b/xen/arch/x86/hvm/vmx/vmx.c
>> @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu 
>> *v)
>>  
>>  static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
>>  {
>> -    if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
>> +    if ( !paging_mode_hap(v->domain) )
>>          return 0;
>>  
>>      vmx_vmcs_enter(v);
>> @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
>>  
>>  static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
>>  {
>> -    if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
>> +    if ( !paging_mode_hap(v->domain) )
>>          return 0;
>>  
>>      vmx_vmcs_enter(v);
>> @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init 
>> start_vmx(void)
>>          return NULL;
>>      }
>>  
>> -    if ( cpu_has_vmx_ept )
>> +    /*
>> +     * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
>> +     * which refer to http://xenbits.xen.org/xsa/advisory-60.html 
>> +     */
>> +    if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
>>      {
>>          vmx_function_table.hap_supported = 1;
>>  
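Review bot: When the CPU has EPT but not `cpu_has_vmx_pat`, this condition leaves `hap_supported` clear without any message, so an operator sees HAP unavailable on EPT-capable hardware with nothing in the boot log to explain it. A warning in that case would make the security-driven fallback visible, e.g. `printk(XENLOG_WARNING "VMX: EPT disabled: no VMCS PAT support (XSA-60)\n");`. The added comment would also read more clearly as `/* Do not enable EPT without cpu_has_vmx_pat: the XSA-60 fix relies on PAT under EPT. */`. Any code elsewhere that tests `cpu_has_vmx_ept` directly rather than `hap_supported` would not see this decision, which is worth checking; `start_vmx` continues outside the hunk.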
>> -- 
>> 1.7.1
>
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

