[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Ability to crash a HVM guest by accessing /dev/hpet

This seems to have been found by us[1] and Citrix[2] recently. To trigger this
one needs to be root in the guest, so it is not super critical but still it
seems to be a bit harsh that purely opening /dev/hpet read-only is leading to a
domain crash via xen/arch/x86/hvm/hpet.c@375(hpet_write):

    case HPET_Tn_CFG(0):
    case HPET_Tn_CFG(1):
    case HPET_Tn_CFG(2):
        tn = HPET_TN(CFG, addr);

        h->hpet.timers[tn].config = hpet_fixup_reg(new_val, old_val, 0x3f4e);

        if ( timer_level(h, tn) )
                     "HPET: level triggered interrupt not supported now\n");

The default in Linux seems to be level triggered. I wonder whether there would
be any possible way to make this return as some error instead of blowing up?


[1] https://bugs.launchpad.net/bugs/1741409

Attachment: signature.asc
Description: OpenPGP digital signature

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.