[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC v13 14/20] pvh: Use PV handlers for emulated forced invalid ops, cpuid, and IO

To: "George Dunlap" <george.dunlap@xxxxxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Thu, 26 Sep 2013 16:52:11 +0100
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Tim Deegan <tim@xxxxxxx>
Delivery-date: Thu, 26 Sep 2013 15:52:07 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 23.09.13 at 18:49, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:
> v13:
>  - Remove unnecessary privilege check in PIO path, update related comment

While this is the correct thing, ...

>      case EXIT_REASON_IO_INSTRUCTION:
> -        exit_qualification = __vmread(EXIT_QUALIFICATION);
> -        if ( exit_qualification & 0x10 )
> +        if ( is_pvh_vcpu(v) )
>          {
> -            /* INS, OUTS */
> -            if ( !handle_mmio() )
> -                hvm_inject_hw_exception(TRAP_gp_fault, 0);
> +            if ( !emulate_privileged_op(regs) )

.. we still shouldn't do this blindly. It is a latent security issue to
do double decoding on an instruction: The hardware decoded it,
and did all guest side checks. If a malicious guest forges the
instruction to be something else by the time
emulate_privileged_op() gets to decode it, we may induce a
guest side security violation. As the decoded information is
available, we ought to use it here.

> +                hvm_inject_hw_exception(TRAP_gp_fault, regs->error_code);
>          }
>          else
>          {
> -            /* IN, OUT */
> -            uint16_t port = (exit_qualification >> 16) & 0xFFFF;
> -            int bytes = (exit_qualification & 0x07) + 1;
> -            int dir = (exit_qualification & 0x08) ? IOREQ_READ : IOREQ_WRITE;
> -            if ( handle_pio(port, bytes, dir) )
> -                update_guest_eip(); /* Safe: IN, OUT */
> +            exit_qualification = __vmread(EXIT_QUALIFICATION);
> +            if ( exit_qualification & 0x10 )
> +            {
> +                /* INS, OUTS */
> +                if ( !handle_mmio() )

With this moved into a !PVH code path, is there any path that can
still actively reach handle_mmio() for a PVH guest? If not, the
check an earlier patch put there propbably ought to become an
ASSERT().

Also, to reduce the cde churn due to this patch, if you added
a "break;" to the end of the if() path above, most of the
indentation only changes here would go away.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH RFC v13 00/20] Introduce PVH domU support
  - From: George Dunlap
- [Xen-devel] [PATCH RFC v13 14/20] pvh: Use PV handlers for emulated forced invalid ops, cpuid, and IO
  - From: George Dunlap

Prev by Date: Re: [Xen-devel] [PATCH 1/2] xl: neuter vcpu-set --ignore-host.
Next by Date: Re: [Xen-devel] [PATCH v2 1/4] xen/arm: Add macro MB
Previous by thread: [Xen-devel] [PATCH RFC v13 14/20] pvh: Use PV handlers for emulated forced invalid ops, cpuid, and IO
Next by thread: Re: [Xen-devel] [PATCH RFC v13 00/20] Introduce PVH domU support
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.