 Home |
Products |
Support |
Community |
News |
xen-devel
[Xen-devel] Unsigned bug in rdmsr_hypervisor_regs/wrmsr_hypervisor_regs
| To: | xen-devel@xxxxxxxxxxxxxxxxxxx |
|---|---|
| Subject: | [Xen-devel] Unsigned bug in rdmsr_hypervisor_regs/wrmsr_hypervisor_regs |
| From: | "Robert Phillips" <rsp.vi.xen@xxxxxxxxx> |
| Date: | Thu, 27 Sep 2007 10:21:27 -0400 |
| Delivery-date: | Thu, 27 Sep 2007 07:22:07 -0700 |
| Dkim-signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; bh=eD2aKxm/b+aVO+mPorxe4PRoiJP11xf/eDujsyhls/A=; b=N+wvzLgvJfYGkc0Y7QC9V8QKTGxLeMzJP7Jxi9BpLkOz5865En0IZt0eT/aBxypIFrZPQpMTBSLdfzB66+Yp2mOotItuxDBoy8cz6ASvzSMrk3JgWAEICCXRUNT4lR0r4eLvLltzHqPXR/wpR4y7qSMTVVAYHjZl7fNj8MIaSGo= |
| Domainkey-signature: | a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=h+W2Q7naRZqWj+Yjto569Rw7M789v5PDzSxxKMpJbMdQfvMYw1uvFFPD0XifpuTT9zqKedy+u4dXdpBEw5zyT0LzAxaisVClRuwGovpUb7OozALIJ9N7zcrBkw/FXEaDxbOs+aImGWcTFgAFg7T9LC8GM+5EyU9UEJs4ZmqfjzI= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxx |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
|
The code, below, in rdmsr_hypervisor_regs (in xen/arch/x86/traps.c) looks wrong. (The same code is in wrmsr_hypervisor_regs.) int rdmsr_hypervisor_regs( uint32_t idx, uint32_t *eax, uint32_t *edx) { idx -= 0x40000000; if ( idx > 0 ) return 0; ... The intent, apparently, is that the function should return zero if the original idx exceeds 0x40000000. However because idx is unsigned the function will always return zero unless the original idx is precisely 0x40000000. The effect is that reading or writing any unexpected MSR will cause the guest to get a GPF. (The intended effect is, I think, reading any MSR less than 0x40000001 should simply return 0 and writing any such MSR should bug. Injecting a GPF should only happen with MSRs greater than 0x40000000.) Replacing the test with if ( (int32_t)idx > 0 ) seems to cause problems of its own. If this change is wrong, what is a proper fix? -- rsp -- -------------------------------------------------------------------- Robert S. Phillips Virtual Iron Software rphillips@xxxxxxxxxxxxxxx Tower 1, Floor 2 978-849-1220 900 Chelmsford Street Lowell, MA 01851 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [Xen-devel] [PATCH][TOOLS] ioemu: Build fixes for BSD and bug fixes from BSD, Keir Fraser |
|---|---|
| Next by Date: | Re: [Xen-devel] [PATCH][RFC] making "xm dump-core" paralell, John Levon |
| Previous by Thread: | [Xen-devel] Can't unbind PCI sound card, Tech Writer |
| Next by Thread: | Re: [Xen-devel] Unsigned bug in rdmsr_hypervisor_regs/wrmsr_hypervisor_regs, Keir Fraser |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
