da53445dea
recursive pagetable for 32-bit PV guests (XSA-185) 57d1563d-x86-32on64-don-t-allow-recursive-page-tables-from-L3.patch - bsc#995789 - VUL-0: CVE-2016-7093: xen: x86: Mishandling of instruction pointer truncation during emulation (XSA-186) 57d15679-x86-emulate-Correct-boundary-interactions-of-emulated-insns.patch 57d18642-hvm-fep-Allow-test-insns-crossing-1-0-boundary.patch - bsc#995792 - VUL-0: CVE-2016-7094: xen: x86 HVM: Overflow of sh_ctxt->seg_reg[] (XSA-187) 57d1569a-x86-shadow-Avoid-overflowing-sh_ctxt-seg_reg.patch 57d18642-x86-segment-Bounds-check-accesses-to-emulation-ctxt-seg_reg.patch - bsc#991934 - xen hypervisor crash in csched_acct 57c96df3-credit1-fix-a-race-when-picking-initial-pCPU.patch - Upstream patches from Jan 57c4412b-x86-HVM-add-guarding-logic-for-VMX-specific-code.patch 57c57f73-libxc-correct-max_pfn-calculation-for-saving-domain.patch 57c805bf-x86-levelling-restrict-non-architectural-OSXSAVE-handling.patch 57c805c1-x86-levelling-pass-vcpu-to-ctxt_switch_levelling.patch 57c805c3-x86-levelling-provide-architectural-OSXSAVE-handling.patch 57c82be2-x86-32on64-adjust-call-gate-emulation.patch 57c96e2c-x86-correct-PT_NOTE-file-position.patch 57cfed43-VMX-correct-feature-checks-for-MPX-and-XSAVES.patch - bsc#989679 - [pvusb feature] USB device not found when 'virsh detach-device guest usb.xml' 57c93e52-fix-error-in-libxl_device_usbdev_list.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=450
# Commit 68eb1a4d92be58e26bd11d02b8e0317bd56294ac
# Date 2016-09-07 12:34:43 +0200
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
VMX: correct feature checks for MPX and XSAVES
Their VMCS fields aren't tied to the respective base CPU feature flags
but instead to VMX specific ones.
Note that while the VMCS GUEST_BNDCFGS field exists if either of the
two respective features is available, MPX continues to get exposed to
guests only with both features present.
Also add the so far missing handling of
- GUEST_BNDCFGS in construct_vmcs()
- MSR_IA32_BNDCFGS in vmx_msr_{read,write}_intercept()
and mirror the extra correctness checks during MSR write to
vmx_load_msr().
Reported-by: "Rockosov, Dmitry" <dmitry.rockosov@intel.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Tested-by: "Rockosov, Dmitry" <dmitry.rockosov@intel.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
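--- a/xen/arch/x86/cpuid.c
+++ b/xen/arch/x86/cpuid.c
@@ -168,8 +168,7 @@ static void __init calculate_hvm_feature
 */
 if ( cpu_has_vmx )
 {
- if ( !(vmx_vmexit_control & VM_EXIT_CLEAR_BNDCFGS) ||
- !(vmx_vmentry_control & VM_ENTRY_LOAD_BNDCFGS) )
+ if ( !cpu_has_vmx_mpx )
 __clear_bit(X86_FEATURE_MPX, hvm_featureset);
 
 if ( !cpu_has_vmx_xsaves )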
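--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -1281,6 +1281,8 @@ static int construct_vmcs(struct vcpu *v
 __vmwrite(HOST_PAT, host_pat);
 __vmwrite(GUEST_PAT, guest_pat);
 }
+ if ( cpu_has_vmx_mpx )
+ __vmwrite(GUEST_BNDCFGS, 0);
 if ( cpu_has_vmx_xsaves )
 __vmwrite(XSS_EXIT_BITMAP, 0);
 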
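Review bot: The `__vmwrite(GUEST_BNDCFGS, 0)` added to construct_vmcs() is guarded by `cpu_has_vmx_mpx`, which this commit defines in vmcs.h as requiring both VM_EXIT_CLEAR_BNDCFGS and VM_ENTRY_LOAD_BNDCFGS, while the commit description says the field exists when either control is available. On a host offering only the entry control, the field would presumably be loaded on VM entry without ever being initialised here; whether that configuration can actually be enabled is not visible from this hunk, and construct_vmcs() starts and ends outside it. A comment on the guard would make the choice explicit, for example `/* Field exists with either BNDCFGS control; only initialised when both are usable. */`, and the same sentence would fit above the `cpu_has_vmx_mpx` macro in vmcs.h.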
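--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -786,14 +786,15 @@ static int vmx_load_vmcs_ctxt(struct vcp
 
 static unsigned int __init vmx_init_msr(void)
 {
- return !!cpu_has_mpx + !!cpu_has_xsaves;
+ return (cpu_has_mpx && cpu_has_vmx_mpx) +
+ (cpu_has_xsaves && cpu_has_vmx_xsaves);
 }
 
 static void vmx_save_msr(struct vcpu *v, struct hvm_msr *ctxt)
 {
 vmx_vmcs_enter(v);
 
- if ( cpu_has_mpx )
+ if ( cpu_has_mpx && cpu_has_vmx_mpx )
 {
 __vmread(GUEST_BNDCFGS, &ctxt->msr[ctxt->count].val);
 if ( ctxt->msr[ctxt->count].val )
@@ -802,7 +803,7 @@ static void vmx_save_msr(struct vcpu *v,
 
 vmx_vmcs_exit(v);
 
- if ( cpu_has_xsaves )
+ if ( cpu_has_xsaves && cpu_has_vmx_xsaves )
 {
 ctxt->msr[ctxt->count].val = v->arch.hvm_vcpu.msr_xss;
 if ( ctxt->msr[ctxt->count].val )
@@ -822,13 +823,15 @@ static int vmx_load_msr(struct vcpu *v,
 switch ( ctxt->msr[i].index )
 {
 case MSR_IA32_BNDCFGS:
- if ( cpu_has_mpx )
+ if ( cpu_has_mpx && cpu_has_vmx_mpx &&
+ is_canonical_address(ctxt->msr[i].val) &&
+ !(ctxt->msr[i].val & IA32_BNDCFGS_RESERVED) )
 __vmwrite(GUEST_BNDCFGS, ctxt->msr[i].val);
 else if ( ctxt->msr[i].val )
 err = -ENXIO;
 break;
 case MSR_IA32_XSS:
- if ( cpu_has_xsaves )
+ if ( cpu_has_xsaves && cpu_has_vmx_xsaves )
 v->arch.hvm_vcpu.msr_xss = ctxt->msr[i].val;
 else
 err = -ENXIO;
@@ -2640,6 +2643,11 @@ static int vmx_msr_read_intercept(unsign
 case MSR_IA32_DEBUGCTLMSR:
 __vmread(GUEST_IA32_DEBUGCTL, msr_content);
 break;
+ case MSR_IA32_BNDCFGS:
+ if ( !cpu_has_mpx || !cpu_has_vmx_mpx )
+ goto gp_fault;
+ __vmread(GUEST_BNDCFGS, msr_content);
+ break;
 case IA32_FEATURE_CONTROL_MSR:
 case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_VMFUNC:
 if ( !nvmx_msr_read_intercept(msr, msr_content) )
@@ -2866,6 +2874,13 @@ static int vmx_msr_write_intercept(unsig
 
 break;
 }
+ case MSR_IA32_BNDCFGS:
+ if ( !cpu_has_mpx || !cpu_has_vmx_mpx ||
+ !is_canonical_address(msr_content) ||
+ (msr_content & IA32_BNDCFGS_RESERVED) )
+ goto gp_fault;
+ __vmwrite(GUEST_BNDCFGS, msr_content);
+ break;
 case IA32_FEATURE_CONTROL_MSR:
 case MSR_IA32_VMX_BASIC...MSR_IA32_VMX_TRUE_ENTRY_CTLS:
 if ( !nvmx_msr_write_intercept(msr, msr_content) )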
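Review bot: The new `case MSR_IA32_BNDCFGS:` arms in vmx_msr_read_intercept() and vmx_msr_write_intercept() gate access only on host capability (`cpu_has_mpx` and `cpu_has_vmx_mpx`), so as far as these hunks show, a guest whose CPUID policy hides MPX can still read and write the register instead of taking #GP. Whether a per-domain feature check is available at this point cannot be told from here, since both functions start and end outside the hunks. If the host-only gate is intentional, record it above each case with a comment such as `/* Host capability only; the guest's CPUID view of MPX is not consulted. */`; otherwise the condition in front of `goto gp_fault` should also test the guest's view of the feature.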
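--- a/xen/include/asm-x86/hvm/vmx/vmcs.h
+++ b/xen/include/asm-x86/hvm/vmx/vmcs.h
@@ -375,6 +375,9 @@ extern u64 vmx_ept_vpid_cap;
 (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_VIRT_EXCEPTIONS)
 #define cpu_has_vmx_pml \
 (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_PML)
+#define cpu_has_vmx_mpx \
+ ((vmx_vmexit_control & VM_EXIT_CLEAR_BNDCFGS) && \
+ (vmx_vmentry_control & VM_ENTRY_LOAD_BNDCFGS))
 #define cpu_has_vmx_xsaves \
 (vmx_secondary_exec_control & SECONDARY_EXEC_XSAVES)
 #define cpu_has_vmx_tsc_scaling \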
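--- a/xen/include/asm-x86/msr-index.h
+++ b/xen/include/asm-x86/msr-index.h
@@ -56,7 +56,10 @@
 #define MSR_IA32_DS_AREA 0x00000600
 #define MSR_IA32_PERF_CAPABILITIES 0x00000345
 
-#define MSR_IA32_BNDCFGS 0x00000D90
+#define MSR_IA32_BNDCFGS 0x00000d90
+#define IA32_BNDCFGS_ENABLE 0x00000001
+#define IA32_BNDCFGS_PRESERVE 0x00000002
+#define IA32_BNDCFGS_RESERVED 0x00000ffc
 
 #define MSR_IA32_XSS 0x00000da0
 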