
Re: [Xen-devel] [PATCH v1 2/6] x86: Temporary disable SMAP to legally access user pages in kernel mode



>>> On 15.04.14 at 15:01, <feng.wu@xxxxxxxxx> wrote:
> --- a/xen/arch/x86/clear_page.S
> +++ b/xen/arch/x86/clear_page.S
> @@ -1,9 +1,11 @@
>  #include <xen/config.h>
>  #include <asm/page.h>
> +#include <asm/asm_defns.h>
>  
>  #define ptr_reg %rdi
>  
>  ENTRY(clear_page_sse2)
> +        ASM_STAC
>          mov     $PAGE_SIZE/16, %ecx
>          xor     %eax,%eax
>  
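Review bot: the ASM_STAC at the top of clear_page_sse2 enables user-page access for the whole routine, yet nothing in the hunk shows the target being a user-accessible page; clear_page_sse2 is a shared hypervisor page-clearing helper, so this widens the SMAP-off window for every caller rather than only the one that supposedly needs it. If some caller really hands over a page with the U bit set, toggle AC around that call site (or better, fix the mapping) instead of inside the shared helper, and name that caller in the commit message so the exception can be audited.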
> @@ -15,5 +17,6 @@ ENTRY(clear_page_sse2)
>          lea     16(ptr_reg), ptr_reg
>          jnz     0b
>  
> +        ASM_CLAC
>          sfence
>          ret
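Review bot: the ASM_CLAC is correctly paired with the STAC from the previous hunk for this single exit, and placing it ahead of the sfence is fine since CLAC only affects later accesses, not the ordering of the stores already issued. What is missing is a comment: if the STAC stays, a one-line note next to the ASM_CLAC/ASM_STAC pair stating why a hypervisor page-clearing routine must touch user-accessible memory would let the next reader verify the claim instead of guessing.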

Wrong code being modified - this isn't used to clear guest memory (or
else we have a security problem). If there are pages having the U bit
set, then I guess you need to first go and clean those up.

> --- a/xen/arch/x86/x86_64/compat/entry.S
> +++ b/xen/arch/x86/x86_64/compat/entry.S
> @@ -265,6 +265,7 @@ ENTRY(compat_int80_direct_trap)
>  /* On return only %rbx and %rdx are guaranteed non-clobbered.            */
>  compat_create_bounce_frame:
>          ASSERT_INTERRUPTS_ENABLED
> +        ASM_STAC
>          mov   %fs,%edi
>          testb $2,UREGS_cs+8(%rsp)
>          jz    1f
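Review bot: ASM_STAC is placed immediately after ASSERT_INTERRUPTS_ENABLED, so the bounce frame is built with AC set while interrupts are enabled; any interrupt or exception taken between here and the matching ASM_CLAC enters its handler with AC still set, and unless those entry points clear AC themselves (this patch does not touch them), SMAP is silently off for the whole handler. Either add ASM_CLAC to the interrupt and exception entry points in the same series, or at least defer the STAC until just before the first access to guest memory, since the `mov %fs,%edi` and `testb $2,UREGS_cs+8(%rsp)` that follow it touch no user pages.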
> @@ -336,6 +337,7 @@ __UNLIKELY_END(compat_bounce_null_selector)
>          movl  %eax,UREGS_cs+8(%rsp)
>          movl  TRAPBOUNCE_eip(%rdx),%eax
>          movl  %eax,UREGS_rip+8(%rsp)
> +        ASM_CLAC
>          ret
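Review bot: this ASM_CLAC covers only the fall-through `ret`; the __UNLIKELY_END(compat_bounce_null_selector) context shows the function has at least one out-of-line path, and if any such path leaves the function (or crashes the domain) without reaching this `ret`, AC stays set. Every exit reachable after the ASM_STAC added in the earlier hunk needs its own ASM_CLAC, or the STAC/CLAC pair should move out to the call sites where the exits are easier to enumerate.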

These and the similar changes to xen/arch/x86/x86_64/entry.S seem
pretty pointless without also adding ASM_CLAC to the exception and
interrupt entry points.

Jan

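As an added illustration of the pairing problem raised in this reply (this is not code from the patch, from the reply, or from Xen), the checker below walks each ENTRY()/label block of an assembly source top to bottom, tracks whether EFLAGS.AC is set, and flags a `ret` reached with AC set, a nested ASM_STAC, and an exception/interrupt entry point that does not start with ASM_CLAC. The sample sources are constructed: the first two are clear_page_sse2 as the quoted hunks leave it (loop body replaced by a comment) and the same with only the STAC hunk applied; the exception entry stub and the names `example_exception_entry`, `TRAP_example` and `handle_exception` are assumptions, not Xen's entry.S. Branches inside a block are ignored, so this is a linear approximation, not a control-flow analysis.

```python
"""Linear STAC/CLAC balance checker for x86 assembly in the Xen ASM_STAC/ASM_CLAC
macro style.  Added example; not part of the reviewed patch or of Xen.

Reports, per ENTRY()/label block:
  * a ret/iretq/sysretq reached while AC is still set,
  * a nested ASM_STAC,
  * an interrupt/exception entry point that does not start with ASM_CLAC.
Branches within a block are ignored (linear approximation, not a CFG walk).
"""
import re
from typing import Dict, Iterable, List

BLOCK_RE = re.compile(r'^\s*(?:ENTRY\((\w+)\)|([A-Za-z_.][\w.]*):)')
RETURNS = {'ret', 'iretq', 'sysretq'}


def split_blocks(src: str) -> Dict[str, List[str]]:
    """Map each ENTRY(name)/name: label to the mnemonics that follow it."""
    blocks: Dict[str, List[str]] = {}
    cur = None
    for raw in src.splitlines():
        line = re.sub(r'/\*.*?\*/', '', raw).strip()   # drop /* ... */ comments
        if not line or line.startswith('#'):             # blank or preprocessor line
            continue
        m = BLOCK_RE.match(line)
        if m:
            cur = m.group(1) or m.group(2)
            blocks[cur] = []
            continue
        if cur is not None:
            blocks[cur].append(line.split()[0])          # keep the mnemonic/macro only
    return blocks


def check_block(name: str, insns: List[str], entry_points: Iterable[str]) -> List[str]:
    """Return findings for one block; an empty list means STAC/CLAC are balanced."""
    findings: List[str] = []
    ac = False
    if name in set(entry_points) and (not insns or insns[0] != 'ASM_CLAC'):
        findings.append(f'{name}: exception/interrupt entry does not begin with ASM_CLAC')
    for i, mnem in enumerate(insns, 1):
        if mnem == 'ASM_STAC':
            if ac:
                findings.append(f'{name}: nested ASM_STAC at instruction {i}')
            ac = True
        elif mnem == 'ASM_CLAC':
            ac = False
        elif mnem in RETURNS:
            if ac:
                findings.append(f'{name}: {mnem} at instruction {i} reached with AC set')
            ac = False                                   # linear flow ends at a return
    if ac:                                               # e.g. block ends in a jmp
        findings.append(f'{name}: block ends with AC set')
    return findings


def check_source(src: str, entry_points: Iterable[str] = ()) -> List[str]:
    """Run check_block over every block found in the source."""
    out: List[str] = []
    for name, insns in split_blocks(src).items():
        out.extend(check_block(name, insns, entry_points))
    return out


# Constructed sample: clear_page_sse2 as the two quoted hunks leave it, with the
# loop body (not shown in the quoted patch) replaced by a comment.
CLEAR_PAGE_PATCHED = """
#include <xen/config.h>
#include <asm/page.h>
#include <asm/asm_defns.h>

#define ptr_reg %rdi

ENTRY(clear_page_sse2)
        ASM_STAC
        mov     $PAGE_SIZE/16, %ecx
        xor     %eax,%eax
        /* loop body not reproduced here */
        lea     16(ptr_reg), ptr_reg
        jnz     0b

        ASM_CLAC
        sfence
        ret
"""

# Constructed sample: only the first hunk applied (STAC without the CLAC).
CLEAR_PAGE_STAC_ONLY = CLEAR_PAGE_PATCHED.replace('ASM_CLAC', '')

# Hypothetical exception entry stub; the names are assumptions, not Xen's entry.S.
EXCEPTION_STUB = """
ENTRY(example_exception_entry)
        movl  $TRAP_example,4(%rsp)
        jmp   handle_exception
"""
EXCEPTION_STUB_FIXED = EXCEPTION_STUB.replace(
    'ENTRY(example_exception_entry)\n', 'ENTRY(example_exception_entry)\n        ASM_CLAC\n')

if __name__ == '__main__':
    for label, src, eps in [
        ('patched clear_page_sse2', CLEAR_PAGE_PATCHED, ()),
        ('STAC-only clear_page_sse2', CLEAR_PAGE_STAC_ONLY, ()),
        ('exception entry stub', EXCEPTION_STUB, {'example_exception_entry'}),
        ('exception entry stub + CLAC', EXCEPTION_STUB_FIXED, {'example_exception_entry'}),
    ]:
        print(f'{label}: {check_source(src, eps) or "balanced"}')
```

Run as a script it prints one line per sample; the patched clear_page_sse2 is balanced, the STAC-only variant reports the `ret` reached with AC set, and the entry stub is flagged until ASM_CLAC is placed first. Because the walk is linear, a block that jumps away (as exception entries commonly do) is reported as ending with AC set only if nothing cleared it on that path, which is exactly the hole the reply points at.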

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel