Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible for d1v0" when starting HVM guest on intel
> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: Wednesday, July 02, 2014 5:55 PM
> To: Andrew Cooper
> Cc: Sander Eikelenboom; Wu, Feng; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Xen-devel] Bisected Xen-unstable: "Segment register inaccessible
> for d1v0" when starting HVM guest on intel
>
> >>> On 02.07.14 at 11:44, <andrew.cooper3@xxxxxxxxxx> wrote:
> > On 02/07/14 10:28, Jan Beulich wrote:
> >> This being a PV extension to the base architecture, the hardware
> >> specification is meaningless. What we need to do here is _extend_ what
> >> the hardware has specified for those extra accesses. We have three
> >> options basically:
> >> 1) never do any checking on such accesses
> >> 2) honor CPL and EFLAGS.AC
> >> 3) always do the checking
> >> The first one obviously is bad from a security POV. Since the third one is
> >> more strict than the second and since I assume adding some override is
> >> going to be the simpler change than altering the point in time when the
> >> VMCS gets loaded during context switch (the suggestion of which no one
> >> at all commented on so far), I'd prefer that one, but wouldn't mind
> >> option 2 to be implemented instead.
> >
> > The problem is not the hypervisor check. We are already deep within an
> > hvm_copy_to_user() which is between a stac()/clac() pair.
> >
> > The issue is that guest_walk_tables() is checking a Xen access using
> > guest page tables as if it were a supervisor access given the current
> > context of the vcpu.
>
> And I only ever referred to the checking done there; the hypervisor
> access is of no concern here.
>
> > What can/should Xen do if its emulated access fails with a guest SMAP
> > violation? It certainly can't/shouldn't inject a pagefault, nor should
> > it actually fail the write. copy_to_user() is not subject to the guest
> > operating mode and whether we are writing into guest user or supervisor
> > pages.
>
> Just like copy_to_user() would produce -EFAULT for a hypercall
> when used on a non-present page or a non-canonical address, it
> should (and afaict will with how things are right now) similarly
> produce -EFAULT for an attempted access to a guest-accessible

Do you mean user-accessible here?

Thanks,
Feng

> page when the current mode of the guest is supervisor.
>
> To me it is a logical extension to also fail accesses outside of
> hypercalls or emulation.
>
> Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
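
The three options listed in the quoted message, modelled as an added example; this is not code from Xen or from anyone in the thread. The struct, enum and function names are hypothetical, and option 2 is written to follow the architectural SMAP rule, under which EFLAGS.AC suppresses the check only when CPL < 3.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical model of the guest vCPU state relevant to the check. */
struct vcpu_state {
    bool cr4_smap;      /* guest CR4.SMAP */
    unsigned int cpl;   /* guest CPL, 0..3 */
    bool eflags_ac;     /* guest EFLAGS.AC */
};

/* The three options from the thread (names are assumptions). */
enum smap_policy { SMAP_NEVER, SMAP_HONOR_CPL_AC, SMAP_ALWAYS };

/*
 * Decide whether a Xen access, walked through guest page tables as a
 * supervisor access, may touch a page. Returns 0 or -EFAULT.
 */
int smap_walk_check(enum smap_policy p, const struct vcpu_state *v,
                    bool user_accessible)
{
    bool enforce;

    /* SMAP only concerns user-accessible pages with CR4.SMAP set. */
    if (!v->cr4_smap || !user_accessible)
        return 0;

    switch (p) {
    case SMAP_NEVER:        enforce = false; break;
    case SMAP_HONOR_CPL_AC: enforce = (v->cpl == 3) || !v->eflags_ac; break;
    case SMAP_ALWAYS:       enforce = true; break;
    default:                enforce = true; break;  /* fail closed */
    }
    return enforce ? -EFAULT : 0;
}

/* Returns true if option 3 denies every access that option 2 denies. */
bool always_is_at_least_as_strict(void)
{
    for (unsigned int bits = 0; bits < 32; bits++) {
        struct vcpu_state v = { bits & 1, (bits >> 1) & 3, (bits >> 3) & 1 };
        bool user = (bits >> 4) & 1;

        if (smap_walk_check(SMAP_HONOR_CPL_AC, &v, user) != 0 &&
            smap_walk_check(SMAP_ALWAYS, &v, user) == 0)
            return false;
    }
    return true;
}
```

The only states where options 2 and 3 disagree are those with CPL < 3 and EFLAGS.AC set on a user-accessible page while CR4.SMAP is enabled.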