Xen project Mailing List

Re: [Xen-devel] Ability to crash a HVM guest by accessing /dev/hpet

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

From: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>

Date: Wed, 21 Feb 2018 15:57:36 +0100

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 21 Feb 2018 14:58:15 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 21.02.2018 15:40, Roger Pau Monné wrote: > On Wed, Feb 21, 2018 at 03:12:15PM +0100, Stefan Bader wrote: >> This seems to have been found by us[1] and Citrix[2] recently. To trigger >> this >> one needs to be root in the guest, so it is not super critical but still it >> seems to be a bit harsh that purely opening /dev/hpet read-only is leading >> to a >> domain crash via xen/arch/x86/hvm/hpet.c@375(hpet_write): > > I'm quite surprised that Linux writes to the registers if the device > is opened read-only. [dropping Ian as the email address I got seems no longer valid] Hi Roger, it seems that this is the way the hpet character driver is done (not sure that is all correct). Opening in write mode actually seem to be forbidden and will return -EINVAL. This grabs one timer and then calls hpet_timer_set_irq() on that. And this actually forces level triggered mode... timer = devp->hd_timer; /* we prefer level triggered mode */ v = readl(&timer->hpet_config); if (!(v & Tn_INT_TYPE_CNF_MASK)) { v |= Tn_INT_TYPE_CNF_MASK; writel(v, &timer->hpet_config); } spin_unlock_irq(&hpet_lock); -Stefan > >> >> case HPET_Tn_CFG(0): >> case HPET_Tn_CFG(1): >> case HPET_Tn_CFG(2): >> tn = HPET_TN(CFG, addr); >> >> h->hpet.timers[tn].config = hpet_fixup_reg(new_val, old_val, 0x3f4e); >> >> if ( timer_level(h, tn) ) >> { >> gdprintk(XENLOG_ERR, >> "HPET: level triggered interrupt not supported now\n"); >> domain_crash(current->domain); >> break; >> } >> >> The default in Linux seems to be level triggered. I wonder whether there >> would >> be any possible way to make this return as some error instead of blowing up? > > Xen not allowing level-triggered is actually breaking the spec for > HPET AFAICT, since level triggered interrupts are not an optional > feature of HPET. Options here would be to just ignore or inject a #GP > I guess (which will also likely result in the guest crashing). > > The real solution is to implement level triggered interrupts, I can > take a stab at this. > > Roger. >

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.