[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 2/2] x86/hvm: Don't intercept #UD exceptions in general
On 01/27/2016 02:13 PM, Andrew Cooper wrote: c/s 0f1cb96e "x86 hvm: Allow cross-vendor migration" caused HVM domains to unconditionally intercept #UD exceptions. While cross-vendor migration is cool as a demo, it is extremely niche. Intercepting #UD allows userspace code in a multi-vcpu guest to execute arbitrary instructions in the x86 emulator by having one thread execute a ud2a instruction, and having a second thread rewrite the instruction before the emulator performs an instruction fetch. XSAs 105, 106 and 110 are all examples where guest userspace can use bugs in the x86 emulator to compromise security of the domain, either by privilege escalation or causing a crash. c/s 2d67a7a4 "x86: synchronize PCI config space access decoding" introduced (amongst other things) a per-domain vendor, based on the guests cpuid policy. Use the per-guest vendor to enable #UD interception only when a domain is configured for a vendor different to the current hardware. (#UD interception is also enabled if hvm_fep is specified on the Xen command line. This is a debug-only option whose entire purpose is for testing the x86 emulator.) As a result, the overwhelming majority of usecases now have #UD interception disabled, removing an attack surface for malicious guest userspace. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |