[Xen-changelog] Apply stricter checking to RDMSR/WRMSR emulations.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] Apply stricter checking to RDMSR/WRMSR emulations.
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 07 Feb 2006 16:44:08 +0000
Delivery-date: Tue, 07 Feb 2006 16:55:51 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 5caf1de3f2682e91831b09f464c70662658a8e45
# Parent  df98f37a88b05ced33ed0915efa576e5b110b60d
Apply stricter checking to RDMSR/WRMSR emulations.
In particular, MSRs that domain0 may write to must now
be 'white listed': default policy is to ignore the write.

This will prevent SYSCALL/SYSENTER instructions from
crashing Xen, by preventing the target MSRs from being
overwritten by domain 0.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>

diff -r df98f37a88b0 -r 5caf1de3f268 xen/arch/x86/traps.c
--- a/xen/arch/x86/traps.c      Tue Feb  7 13:57:40 2006
+++ b/xen/arch/x86/traps.c      Tue Feb  7 14:56:39 2006
@@ -670,6 +670,7 @@
     unsigned long *reg, eip = regs->eip, res;
     u8 opcode, modrm_reg = 0, modrm_rm = 0, rep_prefix = 0;
     unsigned int port, i, op_bytes = 4, data;
+    u32 l, h;
 
     /* Legacy prefixes. */
     for ( i = 0; i < 8; i++ )
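Review bot: `u32 l, h;` is declared without initializers, yet in the WRMSR `default:` case of the second hunk the DPRINTK prints `h` and `l` even when `rdmsr_user(regs->ecx, l, h)` returned non-zero, because the `||` chain short-circuits before the value compares are reached. If a faulting read leaves its output operands untouched, that path logs whatever was on the stack. Initialising the declaration, `u32 l = 0, h = 0;`, closes it without touching the second hunk. The enclosing function starts before and ends after this hunk.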
@@ -974,31 +975,67 @@
         break;
 
     case 0x30: /* WRMSR */
-        /* Ignore the instruction if unprivileged. */
-        if ( !IS_PRIV(v->domain) )
-        {
-            u32 l, h;
+        switch ( regs->ecx )
+        {
+#ifdef CONFIG_X86_64
+        case MSR_FS_BASE:
+            if ( wrmsr_user(MSR_FS_BASE, regs->eax, regs->edx) )
+                goto fail;
+            v->arch.guest_context.fs_base =
+                ((u64)regs->edx << 32) | regs->eax;
+            break;
+        case MSR_GS_BASE:
+            if ( wrmsr_user(MSR_GS_BASE, regs->eax, regs->edx) )
+                goto fail;
+            v->arch.guest_context.gs_base_kernel =
+                ((u64)regs->edx << 32) | regs->eax;
+            break;
+        case MSR_SHADOW_GS_BASE:
+            if ( wrmsr_user(MSR_SHADOW_GS_BASE, regs->eax, regs->edx) )
+                goto fail;
+            v->arch.guest_context.gs_base_user =
+                ((u64)regs->edx << 32) | regs->eax;
+            break;
+#endif
+        default:
             if ( (rdmsr_user(regs->ecx, l, h) != 0) ||
                  (regs->ecx != MSR_EFER) ||
                  (regs->eax != l) || (regs->edx != h) )
-                DPRINTK("Non-priv domain attempted WRMSR %p from "
+                DPRINTK("Domain attempted WRMSR %p from "
                         "%08x:%08x to %08lx:%08lx.\n",
                         _p(regs->ecx), h, l, (long)regs->edx, (long)regs->eax);
-        }
-        else if ( wrmsr_user(regs->ecx, regs->eax, regs->edx) )
-            goto fail;
+            break;
+        }
         break;
 
     case 0x32: /* RDMSR */
-        if ( !IS_PRIV(v->domain) )
-        {
-            if ( regs->ecx != MSR_EFER )
-                DPRINTK("Non-priv domain attempted RDMSR %p.\n",
-                        _p(regs->ecx));
-        }
-        /* Everyone can read the MSR space. */
-        if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
-            goto fail;
+        switch ( regs->ecx )
+        {
+#ifdef CONFIG_X86_64
+        case MSR_FS_BASE:
+            regs->eax = v->arch.guest_context.fs_base & 0xFFFFFFFFUL;
+            regs->edx = v->arch.guest_context.fs_base >> 32;
+            break;
+        case MSR_GS_BASE:
+            regs->eax = v->arch.guest_context.gs_base_kernel & 0xFFFFFFFFUL;
+            regs->edx = v->arch.guest_context.gs_base_kernel >> 32;
+            break;
+        case MSR_SHADOW_GS_BASE:
+            regs->eax = v->arch.guest_context.gs_base_user & 0xFFFFFFFFUL;
+            regs->edx = v->arch.guest_context.gs_base_user >> 32;
+            break;
+#endif
+        case MSR_EFER:
+            if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
+                goto fail;
+            break;
+        default:
+            DPRINTK("Domain attempted RDMSR %p.\n", _p(regs->ecx));
+            /* Everyone can read the MSR space. */
+            if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
+                goto fail;
+            break;
+        }
         break;
 
     default:
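Review bot: The three x86_64 WRMSR cases rebuild the cached base with `((u64)regs->edx << 32) | regs->eax`; if `regs->eax`/`regs->edx` alias the full 64-bit rax/rdx in this tree's cpu_user_regs (the struct is not visible here), a guest that leaves the upper halves non-zero would corrupt `fs_base`/`gs_base_kernel`/`gs_base_user`, since hardware WRMSR ignores the upper 32 bits of both registers. Writing `((u64)(u32)regs->edx << 32) | (u32)regs->eax` in all three cases keeps the cached value equal to what `wrmsr_user` actually wrote. Separately, the RDMSR `default:` still forwards any MSR index from any domain to hardware; the "Everyone can read the MSR space." comment shows this is intentional, but since the commit message announces stricter checking for both instructions, a one-line comment stating why reads need no white list would help the next reader. The enclosing emulation function starts before and ends after this hunk.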
