[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH V2 2/2] x86/altp2m: Fixed domain crash with INVALID_ALTP2M EPTP index

vcpu_altp2m(v).p2midx can become INVALID_ALTP2M with normal
usage (in altp2m_vcpu_reset()), which can then result in that
value being __vmwritten() in EPTP_INDEX by vmx_vcpu_update_eptp().
The value can then end up being __vmread() in vmx_vmexit_handler()
which then calls BUG_ON(idx >= MAX_ALTP2M). Since MAX_ALTP2M is
currently 10 and INVALID_ALTP2M is #defined as 0xffff, the
domain will always crash in this case.

Signed-off-by: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>

Cc: Jun Nakajima <jun.nakajima@xxxxxxxxx>
Cc: Kevin Tian <kevin.tian@xxxxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Cc: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
 xen/arch/x86/hvm/vmx/vmx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9707514..c7f3925 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -3592,7 +3592,7 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
-        if ( idx != vcpu_altp2m(v).p2midx )
+        if ( idx != INVALID_ALTP2M && idx != vcpu_altp2m(v).p2midx )
             BUG_ON(idx >= MAX_ALTP2M);

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.