Fwd: Xen-4.1.6.1 backport for XSA156

[Stefan Bader <stefan.bader@canonical.com>]

[-- Attachment #1.1: Type: text/plain, Size: 2590 bytes --]


Hi Jan, hi Andrew,

I am currently trying to backport the changes of XSA156 back to Xen-4.1.x and I
am struggling with the VMX side. I did see the backports made for 4.2 and 3.4 on
the security mailing list but I am not sure the 3.4 backport is not having the
same issues (or similar ones).

Trying to write down my understanding of the changes: For the 3.4 backport there
are only changes to the toggles for debugging and the general trap mask. So if I
understand this right, before the change, TRAP_debug and TRAP_int3 were only
handled in vmexit when a debugger was attached to the domain. Now, only
TRAP_int3 will be toggled and TRAP_debug is always handled.

My testing does (beside other things) involve some verification of ptrace
handling. Which on 4.1.x with the changes, now causes a crash of the HVM guest
in vm_resume (vm_resume_fail error code 7).

I think this is caused by TRAP_debug being handled in vmexit. I don't have the
3.4 code so not sure whether there is anything handling it. In the 4.1.x case
and without changing the vmexit code in xen/arch/x86/hvm/vmx/vmx.c it would be a
certain crash as no domain debugging is done. The problem seems to be that I do
inject (as the 4.2 patch does) an exception. Though 4.1.x does not, yet, have
the changes from "xen: Define new struct hvm_trap and cleanup vmx exception", so
I only have either hvm_inject_exception or vmx_inject_hw_exception. The former
ends up calling the latter. What I think is the problem (which svm does not
have) is the debug/int3 handling in the function below. This seems to convert
the exception unconditionally into a software exception that has an opcode
associated. Would you also think this is the issue? And if yes, is there any
sane way you can think of to prevent this without having to resort to pulling in
large hunks of rewrite?

Regards,
Stefan

vmx_inject_hw_exception(
  ...
    switch ( trap )
    {
    case TRAP_debug:
        type = X86_EVENTTYPE_SW_EXCEPTION;
        if ( guest_cpu_user_regs()->eflags & X86_EFLAGS_TF )
        {
            __restore_debug_registers(curr);
            write_debugreg(6, read_debugreg(6) | 0x4000);
        }
        if ( cpu_has_monitor_trap_flag )
            break;
    case TRAP_int3:
        if ( curr->domain->debugger_attached )
        {
            /* Debug/Int3: Trap to debugger. */
            domain_pause_for_debugger();
            return;
        }

        type = X86_EVENTTYPE_SW_EXCEPTION;
        __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1); /* int3 */
  ...
}






[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel