This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-devel] Unsigned bug in rdmsr_hypervisor_regs/wrmsr_hypervisor_regs

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Unsigned bug in rdmsr_hypervisor_regs/wrmsr_hypervisor_regs
From: "Robert Phillips" <rsp.vi.xen@xxxxxxxxx>
Date: Thu, 27 Sep 2007 10:21:27 -0400
Delivery-date: Thu, 27 Sep 2007 07:22:07 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=eD2aKxm/b+aVO+mPorxe4PRoiJP11xf/eDujsyhls/A=; b=N+wvzLgvJfYGkc0Y7QC9V8QKTGxLeMzJP7Jxi9BpLkOz5865En0IZt0eT/aBxypIFrZPQpMTBSLdfzB66+Yp2mOotItuxDBoy8cz6ASvzSMrk3JgWAEICCXRUNT4lR0r4eLvLltzHqPXR/wpR4y7qSMTVVAYHjZl7fNj8MIaSGo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=h+W2Q7naRZqWj+Yjto569Rw7M789v5PDzSxxKMpJbMdQfvMYw1uvFFPD0XifpuTT9zqKedy+u4dXdpBEw5zyT0LzAxaisVClRuwGovpUb7OozALIJ9N7zcrBkw/FXEaDxbOs+aImGWcTFgAFg7T9LC8GM+5EyU9UEJs4ZmqfjzI=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
The code, below, in rdmsr_hypervisor_regs (in xen/arch/x86/traps.c) looks wrong.  (The same code is in wrmsr_hypervisor_regs.)

int rdmsr_hypervisor_regs(
    uint32_t idx, uint32_t *eax, uint32_t *edx)
    idx -= 0x40000000;
    if ( idx > 0 )
        return 0;

The intent, apparently, is that the function should return zero if the original idx exceeds 0x40000000.
However because idx is unsigned the function will always return zero unless the original idx is precisely 0x40000000.

The effect is that reading or writing any unexpected MSR will cause the guest to get a GPF.
(The intended effect is, I think, reading any MSR less than 0x40000001 should simply return 0
and writing any such MSR should bug.  Injecting a GPF should only happen with MSRs greater than 0x40000000.)

Replacing the test with
   if ( (int32_t)idx > 0 )
 seems to cause problems of its own.

If this change is wrong, what is a proper fix?

-- rsp

Robert S. Phillips                          Virtual Iron Software
rphillips@xxxxxxxxxxxxxxx                Tower 1, Floor 2
978-849-1220                                 900 Chelmsford Street
                                                    Lowell, MA 01851
Xen-devel mailing list
<Prev in Thread] Current Thread [Next in Thread>