From: Keir Fraser <keir@xen.org>
To: Jan Beulich <JBeulich@suse.com>, xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH] x86-64: don't allow non-canonical addresses to be set for any callback
Date: Mon, 18 Jun 2012 15:05:58 +0100 [thread overview]
Message-ID: <CC04F456.431CD%keir@xen.org> (raw)
In-Reply-To: <4FD881530200007800089ACB@nat28.tlf.novell.com>
On 13/06/2012 11:02, "Jan Beulich" <JBeulich@suse.com> wrote:
> Rather than deferring the detection of these to the point where they
> get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP
> to be raised by IRET, which invokes the guest's [fragile] fail-safe
> callback), don't even allow such to be set.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -736,6 +736,14 @@ int arch_set_info_guest(
> {
> if ( !compat )
> {
> +#ifdef __x86_64__
> + if ( !is_canonical_address(c.nat->user_regs.eip) ||
> + !is_canonical_address(c.nat->event_callback_eip) ||
> + !is_canonical_address(c.nat->syscall_callback_eip) ||
> + !is_canonical_address(c.nat->failsafe_callback_eip) )
> + return -EINVAL;
> +#endif
> +
> fixup_guest_stack_selector(d, c.nat->user_regs.ss);
> fixup_guest_stack_selector(d, c.nat->kernel_ss);
> fixup_guest_code_selector(d, c.nat->user_regs.cs);
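Review bot: the four is_canonical_address() checks in this hunk are skipped for compat (32-on-64) vCPUs, because they sit under both `if ( !compat )` and `#ifdef __x86_64__`; a one-line comment saying why that is acceptable (the compat context carries 32-bit eip fields, which zero-extend to values that are canonical by construction) would keep a later reader from concluding the compat path was simply missed. The placement itself is right: the `return -EINVAL` precedes the first fixup_guest_stack_selector() call, so a rejected context triggers no fixups at all.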
> @@ -745,7 +753,11 @@ int arch_set_info_guest(
> #endif
>
> for ( i = 0; i < 256; i++ )
> + {
> + if ( !is_canonical_address(c.nat->trap_ctxt[i].address) )
> + return -EINVAL;
> fixup_guest_code_selector(d, c.nat->trap_ctxt[i].cs);
> + }
>
> /* LDT safety checks. */
> if ( ((c.nat->ldt_base & (PAGE_SIZE-1)) != 0) ||
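Review bot: this loop sits after the `#endif` that closes the `#ifdef __x86_64__` block above it, so, unlike the checks in the previous hunk and in domctl.c, the is_canonical_address() call here (and the two added in traps.c) is compiled into the x86-32 build as well; worth confirming that the 32-bit headers provide the macro, or guarding the call the same way the other hunks do. Separately, rejecting at entry i happens after fixup_guest_code_selector() has already run on entries 0..i-1; as far as the visible lines show that only rewrites fields of the c.nat context being validated rather than anything on v, so it is harmless, but a two-pass shape (validate all 256 addresses, then do the selector fixups) would make that obvious without requiring the reader to check what fixup_guest_code_selector() touches.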
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -1033,6 +1033,9 @@ long arch_do_domctl(
> #ifdef __x86_64__
> if ( !is_hvm_domain(d) )
> {
> + if ( !is_canonical_address(evc->sysenter_callback_eip) ||
> + !is_canonical_address(evc->syscall32_callback_eip) )
> + goto ext_vcpucontext_out;
> fixup_guest_code_selector(d, evc->sysenter_callback_cs);
> v->arch.pv_vcpu.sysenter_callback_cs =
> evc->sysenter_callback_cs;
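Review bot: the rejection path `goto ext_vcpucontext_out` does not set `ret` in the visible lines, whereas every other hunk in this patch returns -EINVAL explicitly; unless ret already holds an error value on entry to this block (not visible here), a non-canonical sysenter or syscall32 callback would be dropped without the caller learning why. Suggest `ret = -EINVAL;` immediately before the goto, or a comment at the check noting that ret is already -EINVAL at this point.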
> --- a/xen/arch/x86/traps.c
> +++ b/xen/arch/x86/traps.c
> @@ -3581,6 +3581,9 @@ long register_guest_nmi_callback(unsigne
> struct domain *d = v->domain;
> struct trap_info *t = &v->arch.pv_vcpu.trap_ctxt[TRAP_nmi];
>
> + if ( !is_canonical_address(address) )
> + return -EINVAL;
> +
> t->vector = TRAP_nmi;
> t->flags = 0;
> t->cs = (is_pv_32on64_domain(d) ?
> @@ -3708,6 +3711,9 @@ long do_set_trap_table(XEN_GUEST_HANDLE(
> if ( cur.address == 0 )
> break;
>
> + if ( !is_canonical_address(cur.address) )
> + return -EINVAL;
> +
> fixup_guest_code_selector(curr->domain, cur.cs);
>
> memcpy(&dst[cur.vector], &cur, sizeof(cur));
>
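Review bot: returning -EINVAL from inside this loop leaves every entry that preceded the bad one already copied into dst by the memcpy() at the bottom of the loop body; if dst is the live trap table (its definition is outside the hunk), a guest that hands in a batch with a non-canonical address part-way through ends up with a partially updated table. That matches how the loop already behaves on its other early exits, but the commit message should say so, or the address check could be hoisted into a validation pass over the whole batch before anything is installed.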
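The predicate this patch leans on, plus a validate-then-install variant of the trap-table batch update, as an added example in C. It is not code from the patch or from Xen: it assumes a 48-bit virtual address width (the classic x86-64 value; 57 would apply under 5-level paging), and the struct and function names and the sample addresses are constructed for illustration. It goes beyond the patch in one respect: where the patch checks each trap entry inside the loop that also installs it, this version validates the whole batch first so a rejected batch leaves the table untouched.

```c
/*
 * Added example, not code from the patch or from Xen: the canonical-address
 * predicate the patch depends on, plus a trap-table batch update that
 * validates every address before installing any of them.
 *
 * Assumptions (not stated by the patch): a 48-bit virtual address width,
 * and the struct/function names and sample addresses below, which are
 * constructed for illustration and do not match Xen's.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS 48   /* implemented virtual-address bits; assumption */

/*
 * An address is canonical when bits 63..(va_bits-1) are all equal, i.e.
 * the value is sign-extended from va_bits bits. Written with unsigned
 * shifts so it is portable; Xen's macro expresses the same test with
 * arithmetic shifts of a signed long.
 */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    uint64_t top = addr >> (va_bits - 1);
    return top == 0 || top == (UINT64_MAX >> (va_bits - 1));
}

struct trap_entry {
    uint8_t  vector;
    uint16_t cs;
    uint64_t address;   /* 0 terminates a batch, as in do_set_trap_table() */
};

/*
 * Install a guest-supplied batch of trap entries into `live`.
 * Unlike the patch, which checks each entry inside the loop that also
 * installs it, this validates the whole batch first: one non-canonical
 * address (or out-of-range vector) rejects the batch with -EINVAL and
 * leaves `live` exactly as it was.
 */
static int set_trap_table(struct trap_entry *live, size_t nvec,
                          const struct trap_entry *batch, size_t n)
{
    size_t i, count;

    for (count = 0; count < n && batch[count].address != 0; count++) {
        if (batch[count].vector >= nvec)
            return -EINVAL;
        if (!is_canonical(batch[count].address, VA_BITS))
            return -EINVAL;
    }
    for (i = 0; i < count; i++)
        live[batch[i].vector] = batch[i];
    return 0;
}

/* Constructed scenario: a valid entry followed by one whose address has
 * bit 47 set but bits 63:48 clear. Returns true if the batch was rejected
 * and the live table stayed untouched. */
static bool demo_reject_leaves_table_clean(void)
{
    struct trap_entry live[256] = {0};
    const struct trap_entry batch[] = {
        { 3,    0x10, 0xffff82c480100000ULL },  /* high half, canonical */
        { 0x80, 0x10, 0x0000800000001000ULL },  /* non-canonical */
        { 0,    0,    0 },                      /* terminator */
    };
    int rc = set_trap_table(live, 256, batch, 3);
    return rc == -EINVAL && live[3].address == 0 && live[0x80].address == 0;
}

/* Constructed scenario: two canonical entries; both must be installed. */
static bool demo_accept_batch(void)
{
    struct trap_entry live[256] = {0};
    const struct trap_entry batch[] = {
        { 3,    0x10, 0xffff82c480100000ULL },  /* high half, canonical */
        { 0x80, 0x10, 0x0000700000001000ULL },  /* low half, canonical */
        { 0,    0,    0 },
    };
    int rc = set_trap_table(live, 256, batch, 3);
    return rc == 0 && live[3].address == 0xffff82c480100000ULL
        && live[0x80].address == 0x0000700000001000ULL;
}

int main(void)
{
    printf("reject keeps table clean: %s\n",
           demo_reject_leaves_table_clean() ? "ok" : "FAIL");
    printf("accept installs batch:    %s\n",
           demo_accept_batch() ? "ok" : "FAIL");
    return 0;
}
```

The boundary cases worth remembering are the two addresses either side of the hole: 0x00007fffffffffff is the last canonical low-half address and 0x0000800000000000 the first non-canonical one, while 0xffff800000000000 is the first canonical high-half address and 0xffff7fffffffffff the last non-canonical one; is_canonical() above distinguishes all four at 48 bits, and the second pair becomes canonical only when va_bits is raised to 57.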
Thread overview: 4+ messages
2012-06-13 10:02 [PATCH] x86-64: don't allow non-canonical addresses to be set for any callback Jan Beulich
2012-06-13 10:51 ` David Vrabel
2012-06-13 11:20 ` Jan Beulich
2012-06-18 14:05 ` Keir Fraser [this message]