
Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible for d1v0" when starting HVM guest on intel

> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Wednesday, July 02, 2014 5:55 PM
> To: Andrew Cooper
> Cc: Sander Eikelenboom; Wu, Feng; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible
> for d1v0" when starting HVM guest on intel
> >>> On 02.07.14 at 11:44, <andrew.cooper3@xxxxxxxxxx> wrote:
> > On 02/07/14 10:28, Jan Beulich wrote:
> >> This being a PV extension to the base architecture, the hardware
> >> specification is meaningless. What we need to do here is _extend_ what
> >> the hardware has specified for those extra accesses. We have three
> >> options basically:
> >> 1) never do any checking on such accesses
> >> 2) honor CPL and EFLAGS.AC
> >> 3) always do the checking
> >> The first one obviously is bad from a security POV. Since the third one is
> >> more strict than the second and since I assume adding some override is
> >> going to be the simpler change than altering the point in time when the
> >> VMCS gets loaded during context switch (the suggestion of which no one
> >> at all commented on so far), I'd prefer that one, but wouldn't mind
> >> option 2 to be implemented instead.
> >
> > The problem is not the hypervisor check.  We are already deep within an
> > hvm_copy_to_user() which is between a stac()/clac() pair.
> >
> > The issue is that guest_walk_tables() is checking a Xen access using
> > guest page tables as if it were a supervisor access given the current
> > context of the vcpu.
> And I only ever referred to the checking done there; the hypervisor
> access is of no concern here.
> > What can/should Xen do if its emulated access fails with a guest SMAP
> > violation?  It certainly can't/shouldn't inject a pagefault, nor should
> > it actually fail the write.  copy_to_user() is not subject to the guest
> > operating mode and whether we are writing into guest user or supervisor
> > pages.
> Just like copy_to_user() would produce -EFAULT for a hypercall
> when used on a non-present page or a non-canonical address, it
> should (and afaict will with how things are right now) similarly
> produce -EFAULT for an attempted access to a guest-accessible

Do you mean user-accessible here?


> page when the current mode of the guest is supervisor.
> To me it is a logical extension to also fail accesses outside of
> hypercalls or emulation.
> Jan
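As an added illustration of the three checking policies listed above (a constructed model written for this page, not Xen code and not part of the thread), the following C fragment models a hypervisor copy into guest memory that returns -EFAULT the way copy_to_user() does; the enum pv_smap_policy, struct guest_ctx and model_copy_to_guest() are hypothetical names.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical model of the three options from the thread; not Xen's code. */
enum pv_smap_policy { SMAP_NO_CHECK, SMAP_HONOR_CPL_AC, SMAP_ALWAYS_CHECK };

struct guest_ctx {
    bool cr4_smap;    /* guest CR4.SMAP */
    unsigned cpl;     /* current privilege level of the guest vCPU */
    bool eflags_ac;   /* guest EFLAGS.AC */
};

/* Architectural SMAP rule: a supervisor-mode explicit data access to a
 * user-accessible page faults when CR4.SMAP=1 unless EFLAGS.AC=1.
 * Xen's own accesses have no guest CPL of their own, which is why the
 * thread debates which guest state (if any) to apply to them. */
static bool smap_blocks(const struct guest_ctx *g, bool pte_user,
                        bool supervisor, bool ac_override)
{
    if (!g->cr4_smap || !pte_user || !supervisor)
        return false;
    return !ac_override;
}

/* Returns 0 on success or -EFAULT when the copy should fail, mirroring
 * copy_to_user() failing on a non-present page. */
int model_copy_to_guest(enum pv_smap_policy pol, const struct guest_ctx *g,
                        bool pte_user, bool pte_present)
{
    if (!pte_present)
        return -EFAULT;
    switch (pol) {
    case SMAP_NO_CHECK:
        /* option 1: no SMAP checking at all on these accesses */
        return 0;
    case SMAP_HONOR_CPL_AC:
        /* option 2: treat the access as made at the guest's CPL, honouring AC */
        return smap_blocks(g, pte_user, g->cpl < 3, g->eflags_ac) ? -EFAULT : 0;
    case SMAP_ALWAYS_CHECK:
        /* option 3: treat every such access as supervisor and ignore EFLAGS.AC */
        return smap_blocks(g, pte_user, true, false) ? -EFAULT : 0;
    }
    return -EFAULT;
}
```

Under option 2 a guest running at CPL 0 with EFLAGS.AC set still has the copy succeed, whereas option 3 rejects it; both reject the supervisor-mode, AC-clear case that triggered the report.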

Xen-devel mailing list