[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Ability to crash a HVM guest by accessing /dev/hpet

On 21.02.2018 15:40, Roger Pau Monné wrote:
> On Wed, Feb 21, 2018 at 03:12:15PM +0100, Stefan Bader wrote:
>> This seems to have been found by us[1] and Citrix[2] recently. To trigger 
>> this
>> one needs to be root in the guest, so it is not super critical but still it
>> seems to be a bit harsh that purely opening /dev/hpet read-only is leading 
>> to a
>> domain crash via xen/arch/x86/hvm/hpet.c@375(hpet_write):
> I'm quite surprised that Linux writes to the registers if the device
> is opened read-only.

[dropping Ian as the email address I got seems no longer valid]

Hi Roger,

it seems that this is the way the hpet character driver is done (not sure that
is all correct). Opening in write mode actually seem to be forbidden and will
return -EINVAL.
This grabs one timer and then calls hpet_timer_set_irq() on that. And this
actually forces level triggered mode...

        timer = devp->hd_timer;

        /* we prefer level triggered mode */
        v = readl(&timer->hpet_config);
        if (!(v & Tn_INT_TYPE_CNF_MASK)) {
                v |= Tn_INT_TYPE_CNF_MASK;
                writel(v, &timer->hpet_config);

>>     case HPET_Tn_CFG(0):
>>     case HPET_Tn_CFG(1):
>>     case HPET_Tn_CFG(2):
>>         tn = HPET_TN(CFG, addr);
>>         h->hpet.timers[tn].config = hpet_fixup_reg(new_val, old_val, 0x3f4e);
>>         if ( timer_level(h, tn) )
>>         {
>>             gdprintk(XENLOG_ERR,
>>                      "HPET: level triggered interrupt not supported now\n");
>>             domain_crash(current->domain);
>>             break;
>>         }
>> The default in Linux seems to be level triggered. I wonder whether there 
>> would
>> be any possible way to make this return as some error instead of blowing up?
> Xen not allowing level-triggered is actually breaking the spec for
> HPET AFAICT, since level triggered interrupts are not an optional
> feature of HPET. Options here would be to just ignore or inject a #GP
> I guess (which will also likely result in the guest crashing).
> The real solution is to implement level triggered interrupts, I can
> take a stab at this.
> Roger.

Attachment: signature.asc
Description: OpenPGP digital signature

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.