This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-changelog] [xen-4.0-testing] x86-64: don't crash Xen upon direct pv

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-4.0-testing] x86-64: don't crash Xen upon direct pv guest access to GDT/LDT mapping area
From: "Xen patchbot-4.0-testing" <patchbot-4.0-testing@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Nov 2010 20:20:13 -0800
Delivery-date: Tue, 30 Nov 2010 20:20:24 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir@xxxxxxx>
# Date 1291041961 0
# Node ID 2901cbe2eccc41ebd552bf6c829c8f0c46ba396c
# Parent  b6d75c255bf69bb5bd1a4b01d4ac583077409001
x86-64: don't crash Xen upon direct pv guest access to GDT/LDT mapping area

handle_gdt_ldt_mapping_fault() is intended to deal with indirect
accesses (i.e. those caused by descriptor loads) to the GDT/LDT
mapping area only. While for 32-bit segment limits indeed prevent the
function being entered for direct accesses (i.e. a #GP fault will be
raised even before the address translation gets done), on 64-bit even
user mode accesses would lead to control reaching the BUG_ON() at the
beginning of that function.

Fortunately the fix is simple: Since the guest kernel runs in ring 3,
any guest direct access will have the "user mode" bit set, whereas
descriptor loads always do the translations to access the actual
descriptors as kernel mode ones.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxxxx>

Further, relax the BUG_ON() in handle_gdt_ldt_mapping_fault() to a
check-and-bail. This avoids any problems in future, if we don't
execute x86_64 guest kernels in ring 3 (e.g., because we use a
lightweight HVM container).

Signed-off-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset:   22448:5cd9612db2bb
xen-unstable date:        Mon Nov 29 14:34:32 2010 +0000
 xen/arch/x86/traps.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff -r b6d75c255bf6 -r 2901cbe2eccc xen/arch/x86/traps.c
--- a/xen/arch/x86/traps.c      Mon Nov 22 19:18:10 2010 +0000
+++ b/xen/arch/x86/traps.c      Mon Nov 29 14:46:01 2010 +0000
@@ -1051,8 +1051,14 @@ static int handle_gdt_ldt_mapping_fault(
     unsigned int is_ldt_area = (offset >> (GDT_LDT_VCPU_VA_SHIFT-1)) & 1;
     unsigned int vcpu_area   = (offset >> GDT_LDT_VCPU_VA_SHIFT);
-    /* Should never fault in another vcpu's area. */
-    BUG_ON(vcpu_area != curr->vcpu_id);
+    /*
+     * If the fault is in another vcpu's area, it cannot be due to
+     * a GDT/LDT descriptor load. Thus we can reasonably exit immediately, and
+     * indeed we have to since map_ldt_shadow_page() works correctly only on
+     * accesses to a vcpu's own area.
+     */
+    if ( vcpu_area != curr->vcpu_id )
+        return 0;
     /* Byte offset within the gdt/ldt sub-area. */
     offset &= (1UL << (GDT_LDT_VCPU_VA_SHIFT-1)) - 1UL;
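Review bot: the bail-out `if ( vcpu_area != curr->vcpu_id ) return 0;` silently drops a case the old BUG_ON() treated as impossible, and since fixup_page_fault() returns this value straight up (see the second hunk), such a fault is now handled like any other unfixed hypervisor-range fault. Consider keeping a debug-build diagnostic at this point (an ASSERT or a gdprintk() before the `return 0;`) so that a genuine descriptor-load fault landing in another vcpu's area, which would indicate a real bug rather than a guest direct access, is still noticed; the new comment could also say explicitly that the user-mode filter in fixup_page_fault() is what normally keeps direct accesses from reaching here.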
@@ -1223,7 +1229,7 @@ static int fixup_page_fault(unsigned lon
     if ( unlikely(IN_HYPERVISOR_RANGE(addr)) )
-        if ( !(regs->error_code & PFEC_reserved_bit) &&
+        if ( !(regs->error_code & (PFEC_user_mode | PFEC_reserved_bit)) &&
              (addr >= GDT_LDT_VIRT_START) && (addr < GDT_LDT_VIRT_END) )
             return handle_gdt_ldt_mapping_fault(
                 addr - GDT_LDT_VIRT_START, regs);
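Review bot: the added `PFEC_user_mode` test encodes an assumption stated only in the commit description, namely that a 64-bit PV guest kernel runs in ring 3, so every direct guest access carries the user-mode bit while the CPU's own descriptor fetches do not. A one-line comment above the condition (e.g. "direct guest accesses, including guest-kernel ones, are user-mode; only descriptor loads reach the handler") would make the dependency visible, since this is exactly what the relaxed check in handle_gdt_ldt_mapping_fault() in the first hunk is meant to cover if the assumption ever stops holding, as the description's lightweight-HVM-container remark anticipates.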

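As an added illustration (not code from the patch or from Xen; the layout constants and the hypervisor-range base are assumptions standing in for Xen's real values), a small C model of the two checks before and after the change, showing which classes of fault now stop short of the point that used to BUG_ON():

```c
#include <stdbool.h>

/* Architectural x86 #PF error-code bits. */
#define PFEC_user_mode      (1u << 2)   /* set when the access was made at CPL 3 */
#define PFEC_reserved_bit   (1u << 3)

/* Assumed layout: 32 4K pages per vcpu, 32 vcpus; base address is a placeholder. */
#define GDT_LDT_VCPU_VA_SHIFT  (5 + 12)
#define GDT_LDT_VIRT_START     0xffff820000000000UL
#define GDT_LDT_VIRT_END       (GDT_LDT_VIRT_START + (32UL << GDT_LDT_VCPU_VA_SHIFT))
#define IN_HYPERVISOR_RANGE(a) ((a) >= 0xffff800000000000UL)   /* assumption */

enum outcome { NOT_FIXED_UP = 0, HANDLED = 1, HOST_CRASH = -1 };

/* Models handle_gdt_ldt_mapping_fault(): pre-patch it BUG_ON()s on a fault in
 * another vcpu's area, post-patch it bails out with 0. The actual shadow-page
 * mapping is stubbed out as success. */
static int gdt_ldt_fault(unsigned long offset, unsigned int curr_vcpu, bool patched)
{
    unsigned int vcpu_area = offset >> GDT_LDT_VCPU_VA_SHIFT;

    if ( vcpu_area != curr_vcpu )
        return patched ? NOT_FIXED_UP : HOST_CRASH;
    return HANDLED;
}

/* Models the routing in fixup_page_fault(): post-patch, user-mode faults
 * (all direct accesses by a ring-3 PV guest) never reach the handler. */
int route_pf(unsigned long addr, unsigned int error_code,
             unsigned int curr_vcpu, bool patched)
{
    unsigned int skip = patched ? (PFEC_user_mode | PFEC_reserved_bit)
                                : PFEC_reserved_bit;

    if ( IN_HYPERVISOR_RANGE(addr) && !(error_code & skip) &&
         addr >= GDT_LDT_VIRT_START && addr < GDT_LDT_VIRT_END )
        return gdt_ldt_fault(addr - GDT_LDT_VIRT_START, curr_vcpu, patched);
    return NOT_FIXED_UP;
}

/* Start of vcpu N's GDT/LDT sub-area, for building scenarios. */
unsigned long vcpu_area_addr(unsigned int vcpu)
{
    return GDT_LDT_VIRT_START + ((unsigned long)vcpu << GDT_LDT_VCPU_VA_SHIFT);
}
```

The interesting rows are a ring-3 guest access into another vcpu's area (HOST_CRASH before, NOT_FIXED_UP after) and a supervisor-mode access into another vcpu's area, which the relaxed check turns from a crash into a plain unhandled fault.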