From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: [PATCH 5/6] x86/hvm: Forced Emulation Prefix for debug
	builds of Xen
Date: Tue, 23 Sep 2014 16:03:30 +0100
Message-ID: <1411484611-31027-6-git-send-email-andrew.cooper3@citrix.com>
References: <1411484611-31027-1-git-send-email-andrew.cooper3@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1411484611-31027-1-git-send-email-andrew.cooper3@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Xen-devel <xen-devel@lists.xen.org>
Cc: Kevin Tian <kevin.tian@intel.com>, Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Eddie Dong <eddie.dong@intel.com>, Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>, Jun Nakajima <jun.nakajima@intel.com>, Boris Ostrovsky <boris.ostrovsky@oracle.com>
List-Id: xen-devel@lists.xenproject.org

Analysis of XSAs 105 and 106 show that is possible to force a race condition
which causes any arbitrary instruction to be emulated.

To aid testing, explicitly introduce the Forced Emulation Prefix for debug
builds alone.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Boris Ostrovsky <boris.ostrovsky@oracle.com>
CC: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
CC: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
CC: Jun Nakajima <jun.nakajima@intel.com>
CC: Eddie Dong <eddie.dong@intel.com>
CC: Kevin Tian <kevin.tian@intel.com>
---
 docs/misc/xen-command-line.markdown |   11 +++++++++++
 xen/arch/x86/hvm/hvm.c              |    5 +++++
 xen/arch/x86/hvm/svm/svm.c          |   16 ++++++++++++++++
 xen/arch/x86/hvm/vmx/vmx.c          |   16 ++++++++++++++++
 xen/include/asm-x86/hvm/hvm.h       |    5 +++++
 5 files changed, 53 insertions(+)

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index af93e17..389701a 100644
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -682,6 +682,17 @@ Bit 11 - MSR operation logging
 
 Recognized in debug builds of the hypervisor only.
 
+### hvm\_fep
+> `= <boolean>`
+
+> Default: `false`
+
+Allow use of the Forced Emulation Prefix in HVM guests, to allow emulation of
+arbitrary instructions.
+
+This option is intended for development purposes, and is only available in
+debug builds of the hypervisor.
+
 ### hvm\_port80
 > `= <boolean>`
 
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index bb45593..a9b0f9e 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -86,6 +86,11 @@ unsigned long __attribute__ ((__section__ (".bss.page_aligned")))
 static bool_t __initdata opt_hap_enabled = 1;
 boolean_param("hap", opt_hap_enabled);
 
+#ifndef NDEBUG
+bool_t opt_hvm_fep;
+boolean_param("hvm_fep", opt_hvm_fep);
+#endif
+
 static int cpu_callback(
     struct notifier_block *nfb, unsigned long action, void *hcpu)
 {
diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index b6beefc..4823c80 100644
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -17,6 +17,7 @@
  * Place - Suite 330, Boston, MA 02111-1307 USA.
  */
 
+#include <xen/guest_access.h>
 #include <xen/config.h>
 #include <xen/init.h>
 #include <xen/lib.h>
@@ -2118,6 +2119,21 @@ static void svm_vmexit_ud_intercept(struct cpu_user_regs *regs)
     struct hvm_emulate_ctxt ctxt;
     int rc;
 
+#ifndef NDEBUG
+    if ( opt_hvm_fep )
+    {
+        XEN_GUEST_HANDLE(char) guest_rip = { (char*)regs->eip };
+        char sig[5]; /* ud2; .ascii "xen" */
+
+        if ( (copy_from_guest(sig, guest_rip, sizeof(sig)) == 0) &&
+             (memcmp(sig, "\xf\xbxen", sizeof(sig)) == 0) )
+        {
+            regs->eip += sizeof(sig);
+            regs->eflags &= ~X86_EFLAGS_RF;
+        }
+    }
+#endif
+
     hvm_emulate_prepare(&ctxt, regs);
 
     rc = hvm_emulate_one(&ctxt);
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index addaa81..fdd05c3 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -16,6 +16,7 @@
  * Place - Suite 330, Boston, MA 02111-1307 USA.
  */
 
+#include <xen/guest_access.h>
 #include <xen/config.h>
 #include <xen/init.h>
 #include <xen/lib.h>
@@ -2499,6 +2500,21 @@ static void vmx_vmexit_ud_intercept(struct cpu_user_regs *regs)
     struct hvm_emulate_ctxt ctxt;
     int rc;
 
+#ifndef NDEBUG
+    if ( opt_hvm_fep )
+    {
+        XEN_GUEST_HANDLE(char) guest_rip = { (char*)regs->eip };
+        char sig[5]; /* ud2; .ascii "xen" */
+
+        if ( (copy_from_guest(sig, guest_rip, sizeof(sig)) == 0) &&
+             (memcmp(sig, "\xf\xbxen", sizeof(sig)) == 0) )
+        {
+            regs->eip += sizeof(sig);
+            regs->eflags &= ~X86_EFLAGS_RF;
+        }
+    }
+#endif
+
     hvm_emulate_prepare(&ctxt, regs);
 
     rc = hvm_emulate_one(&ctxt);
diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h
index 121d053..f9fd663 100644
--- a/xen/include/asm-x86/hvm/hvm.h
+++ b/xen/include/asm-x86/hvm/hvm.h
@@ -514,6 +514,11 @@ bool_t nhvm_vmcx_hap_enabled(struct vcpu *v);
 /* interrupt */
 enum hvm_intblk nhvm_interrupt_blocked(struct vcpu *v);
 
+#ifndef NDEBUG
+/* Permit use of the Forced Emulation Prefix in HVM guests */
+extern bool_t opt_hvm_fep;
+#endif
+
 #endif /* __ASM_X86_HVM_HVM_H__ */
 
 /*
-- 
1.7.10.4