Re: [Xen-devel] Ability to crash a HVM guest by accessing /dev/hpet
On Wed, Feb 21, 2018 at 03:12:15PM +0100, Stefan Bader wrote:
> This seems to have been found by us[1] and Citrix[2] recently. To trigger this
> one needs to be root in the guest, so it is not super critical but still it
> seems to be a bit harsh that purely opening /dev/hpet read-only is leading to a
> domain crash via xen/arch/x86/hvm/hpet.c@375(hpet_write):
I'm quite surprised that Linux writes to the registers if the device
is opened read-only.
>
>     case HPET_Tn_CFG(0):
>     case HPET_Tn_CFG(1):
>     case HPET_Tn_CFG(2):
>         tn = HPET_TN(CFG, addr);
>
>         h->hpet.timers[tn].config = hpet_fixup_reg(new_val, old_val, 0x3f4e);
>
>         if ( timer_level(h, tn) )
>         {
>             gdprintk(XENLOG_ERR,
>                      "HPET: level triggered interrupt not supported now\n");
>             domain_crash(current->domain);
>             break;
>         }
>
> The default in Linux seems to be level triggered. I wonder whether there would
> be any possible way to make this return as some error instead of blowing up?
Xen not allowing level-triggered is actually breaking the spec for
HPET AFAICT, since level triggered interrupts are not an optional
feature of HPET. Options here would be to just ignore or inject a #GP
I guess (which will also likely result in the guest crashing).
The real solution is to implement level triggered interrupts, I can
take a stab at this.
Roger.
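
As an added illustration that is not part of the original thread or of Xen's code: a small self-contained C model of the quoted Tn_CFG write path, comparing the current crash with the two alternatives mentioned above (ignore the level-trigger request, or inject #GP). The policy and outcome names and the `fixup_reg` semantics are assumptions; the 0x3f4e write mask comes from the quoted code, and bit 1 as the level-trigger select comes from the HPET specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit 1 of an HPET timer config register selects level-triggered mode. */
#define TN_INT_TYPE_LEVEL ((uint64_t)1 << 1)
/* Writable bits, the mask passed to hpet_fixup_reg() in the quoted code. */
#define TN_CFG_WRITE_MASK ((uint64_t)0x3f4e)

/* Hypothetical names for the handling options discussed in the thread. */
enum policy  { POLICY_CRASH, POLICY_IGNORE, POLICY_GP };
enum outcome { WRITE_OK, DOMAIN_CRASH, INJECT_GP };

/* Assumed semantics: writable bits from new_val, all others kept from old_val. */
static uint64_t fixup_reg(uint64_t new_val, uint64_t old_val, uint64_t mask)
{
    return (new_val & mask) | (old_val & ~mask);
}

/* Model of a guest write to Tn_CFG under one of the three policies. */
enum outcome tn_cfg_write(uint64_t *config, uint64_t new_val, enum policy p)
{
    uint64_t val = fixup_reg(new_val, *config, TN_CFG_WRITE_MASK);

    if (!(val & TN_INT_TYPE_LEVEL)) {   /* edge-triggered: always accepted */
        *config = val;
        return WRITE_OK;
    }
    switch (p) {
    case POLICY_IGNORE:                 /* drop the unsupported bit, keep the rest */
        *config = val & ~TN_INT_TYPE_LEVEL;
        return WRITE_OK;
    case POLICY_GP:                     /* leave the register untouched, fault the guest */
        return INJECT_GP;
    default:                            /* quoted behaviour: store, then crash the domain */
        *config = val;
        return DOMAIN_CRASH;
    }
}

int main(void)
{
    /* Constructed sample: capability bits 4-5 set, guest asks for level + enable. */
    uint64_t cfg = 0x30;
    enum outcome o = tn_cfg_write(&cfg, 0x6, POLICY_IGNORE);
    printf("outcome=%d config=0x%llx\n", o, (unsigned long long)cfg);
    return 0;
}
```

With the ignore policy the guest's other settings still take effect, but a later read of the register shows edge-triggered mode, so a guest that checks the read-back value can notice the mismatch.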