From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH] x86/HVM: only kill guest when unknown VM exit occurred in guest kernel mode Date: Thu, 30 Oct 2014 14:57:14 +0000 Message-ID: <545251CA.1040907@citrix.com> References: <54525C990200007800043915@mail.emea.novell.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7205341315589836791==" Return-path: Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XjrAo-0006MV-Sb for xen-devel@lists.xenproject.org; Thu, 30 Oct 2014 14:58:03 +0000 In-Reply-To: <54525C990200007800043915@mail.emea.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich , xen-devel Cc: Kevin Tian , suravee.suthikulpanit@amd.com, Eddie Dong , Aravind Gopalakrishnan , Jun Nakajima , Boris Ostrovsky List-Id: xen-devel@lists.xenproject.org --===============7205341315589836791== Content-Type: multipart/alternative; boundary="------------010605050205020902020303" --------------010605050205020902020303 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable On 30/10/14 14:43, Jan Beulich wrote: > A recent KVM change by Nadav Amit pointed out= > that unconditional VM exits (like VMX'es ones for the INVEPT, INVVPID, > and XSETBV instructions) may result from guest user mode activity (in > the example cases, e.g. prior to a privilege level check being done). > Consequently convert the unconditional domain_crash() to a conditional > one (when guest is in kernel mode) with the alternative of injecting > #UD (when in user mode). > > This is meant to be a precaution against in-guest security issues > introduced when any such VM exit becomes possible (on newer hardware) > without the hypervisor immediately being aware of it. There are no such= > unhandled VM exits currently (and hence this is not an active security > issue), but old (no longer security maintained) versions exhibit issues= > in the cases given as examples above. > > Suggested-by: Tim Deegan > Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper The gdprintk() in vmx.c is not true for some entries via the exit_and_crash label, but it is probably worth deferring fixing it to a separate patch. > > --- a/xen/arch/x86/hvm/svm/svm.c > +++ b/xen/arch/x86/hvm/svm/svm.c > @@ -2680,7 +2680,11 @@ void svm_vmexit_handler(struct cpu_user_ > "exitinfo1 =3D %#"PRIx64", exitinfo2 =3D %#"PRIx64"\n= ", > exit_reason,=20 > (u64)vmcb->exitinfo1, (u64)vmcb->exitinfo2); > - domain_crash(v->domain); > + if ( vmcb_get_cpl(vmcb) ) > + hvm_inject_hw_exception(TRAP_invalid_op, > + HVM_DELIVER_NO_ERROR_CODE); > + else > + domain_crash(v->domain); > break; > } > =20 > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -3157,8 +3157,19 @@ void vmx_vmexit_handler(struct cpu_user_ > /* fall through */ > default: > exit_and_crash: > - gdprintk(XENLOG_ERR, "Bad vmexit (reason %#lx)\n", exit_reason= ); > - domain_crash(v->domain); > + { > + struct segment_register ss; > + > + gdprintk(XENLOG_WARNING, "Bad vmexit (reason %#lx)\n", > + exit_reason); > + > + vmx_get_segment_register(v, x86_seg_ss, &ss); > + if ( ss.attr.fields.dpl ) > + hvm_inject_hw_exception(TRAP_invalid_op, > + HVM_DELIVER_NO_ERROR_CODE); > + else > + domain_crash(v->domain); > + } > break; > } > =20 > > > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel --------------010605050205020902020303 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit
On 30/10/14 14:43, Jan Beulich wrote:
A recent KVM change by Nadav Amit <namit@cs.technion.ac.il> pointed out
that unconditional VM exits (like VMX'es ones for the INVEPT, INVVPID,
and XSETBV instructions) may result from guest user mode activity (in
the example cases, e.g. prior to a privilege level check being done).
Consequently convert the unconditional domain_crash() to a conditional
one (when guest is in kernel mode) with the alternative of injecting
#UD (when in user mode).

This is meant to be a precaution against in-guest security issues
introduced when any such VM exit becomes possible (on newer hardware)
without the hypervisor immediately being aware of it. There are no such
unhandled VM exits currently (and hence this is not an active security
issue), but old (no longer security maintained) versions exhibit issues
in the cases given as examples above.

Suggested-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

The gdprintk() in vmx.c is not true for some entries via the exit_and_crash label, but it is probably worth deferring fixing it to a separate patch.


--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -2680,7 +2680,11 @@ void svm_vmexit_handler(struct cpu_user_
                  "exitinfo1 = %#"PRIx64", exitinfo2 = %#"PRIx64"\n",
                  exit_reason, 
                  (u64)vmcb->exitinfo1, (u64)vmcb->exitinfo2);
-        domain_crash(v->domain);
+        if ( vmcb_get_cpl(vmcb) )
+            hvm_inject_hw_exception(TRAP_invalid_op,
+                                    HVM_DELIVER_NO_ERROR_CODE);
+        else
+            domain_crash(v->domain);
         break;
     }
 
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -3157,8 +3157,19 @@ void vmx_vmexit_handler(struct cpu_user_
     /* fall through */
     default:
     exit_and_crash:
-        gdprintk(XENLOG_ERR, "Bad vmexit (reason %#lx)\n", exit_reason);
-        domain_crash(v->domain);
+        {
+            struct segment_register ss;
+
+            gdprintk(XENLOG_WARNING, "Bad vmexit (reason %#lx)\n",
+                     exit_reason);
+
+            vmx_get_segment_register(v, x86_seg_ss, &ss);
+            if ( ss.attr.fields.dpl )
+                hvm_inject_hw_exception(TRAP_invalid_op,
+                                        HVM_DELIVER_NO_ERROR_CODE);
+            else
+                domain_crash(v->domain);
+        }
         break;
     }
 






_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

--------------010605050205020902020303-- --===============7205341315589836791== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --===============7205341315589836791==--