Hi Bastian, Ian,
while I was working on the recent batch of security updates I noticed that the
obvious backport of the related patch caused an HVM guest to be crashed as soon
as a user inside that guest tried to ptrace a child process.
While talking to Jan, I realized that in 4.2 the inject exception code subtly
changed in a way that treats TRAP_debug as a HW event (that is triggered by no
opcode) while before it was always treated as a SW event.
I believe Debian might be affected by the same as you also have a 4.1.x version
in some stable, so I thought I'd share the backport I did. Jan was suggesting a
slightly different coding which should do the same but I wanted to keep my
variant because I had done regression testing already and did not unnecessarily
change code.
Jan's proposal:
@@ -1364,7 +1358,6 @@ void vmx_inject_hw_exception(int trap, i
switch ( trap )
{
case TRAP_debug:
- type = X86_EVENTTYPE_SW_EXCEPTION;
if ( guest_cpu_user_regs()->eflags & X86_EFLAGS_TF )
{
__restore_debug_registers(curr);
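Review bot: dropping `type = X86_EVENTTYPE_SW_EXCEPTION;` from the TRAP_debug case leaves `type` at whatever initial value it has at the top of vmx_inject_hw_exception, and that initialiser is not in this hunk; please confirm in the full patch that it is X86_EVENTTYPE_HW_EXCEPTION, since the whole point of the change is that #DB is injected as a hardware exception. A one-line comment on `case TRAP_debug:` saying that #DB is deliberately left a hardware event (no opcode, hence no instruction length) would stop the assignment being reinstated by the next person who diffs this against 4.1.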
@@ -1379,9 +1372,11 @@ void vmx_inject_hw_exception(int trap, i
domain_pause_for_debugger();
return;
}
-
- type = X86_EVENTTYPE_SW_EXCEPTION;
- __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1); /* int3 */
+ if ( trap == TRAP_int3 )
+ {
+ type = X86_EVENTTYPE_SW_EXCEPTION;
+ __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1);
+ }
}
if ( unlikely(intr_info & INTR_INFO_VALID_MASK) &&
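Review bot: the new `if ( trap == TRAP_int3 )` guard is right, but the TRAP_debug fall-through into this block is now silent: a #DB that gets past the debugger check neither sets `type` nor writes VM_ENTRY_INSTRUCTION_LEN, and nothing in the hunk says that this is intended. The dropped `/* int3 */` remark was the only hint that the length-1 write belongs to the int3 opcode; suggest a short comment above the new `if`, e.g. "only a software exception such as int3 carries an instruction length; #DB is a hardware exception and falls out of the switch untouched", so the asymmetry reads as deliberate. The unchanged context shows the debugger-attached path still returns via domain_pause_for_debugger() before this test, so that behaviour is unaffected.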
Attached is the patch I am using.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsa156-4.2.patch
Type: text/x-diff
Size: 6644 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20151123/1f8ee1ee/attachment.patch>
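To make the HW-versus-SW distinction in Stefan's mail concrete, here is an added C model (not Xen code and not from this thread) of the two selection rules, before and after Jan's change, encoded into the VM-entry interruption-information layout the hardware consumes. The vector and event-type constants and the field masks follow Xen's names and the Intel SDM field layout (bits 7:0 vector, bits 10:8 type, bit 11 error code, bit 31 valid); `struct injected_event`, `encode_intr_info`, `intr_info_type`, `inject_old` and `inject_new` are hypothetical helpers, and the model covers only the lines visible in the quoted hunk (the debugger check and the SW-exception assignment), not the rest of vmx_inject_hw_exception.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Vector numbers and VMX event types, named as Xen names them.  The type
 * values are the Intel SDM encoding of bits 10:8 of the VM-entry
 * interruption-information field: 3 = hardware exception, 6 = software
 * exception.  Only software-type events (int3, into, INT n) carry an
 * instruction length; a hardware exception such as #DB has no opcode.
 */
#define TRAP_debug 1
#define TRAP_int3  3

#define X86_EVENTTYPE_HW_EXCEPTION 3
#define X86_EVENTTYPE_SW_EXCEPTION 6

#define INTR_INFO_VECTOR_MASK       0x000000ffu
#define INTR_INFO_INTR_TYPE_MASK    0x00000700u
#define INTR_INFO_INTR_TYPE_SHIFT   8
#define INTR_INFO_DELIVER_CODE_MASK 0x00000800u
#define INTR_INFO_VALID_MASK        0x80000000u

/* Hypothetical container for the two VMCS values the hunk decides on. */
struct injected_event {
    bool     injected;   /* false: handed to the debugger, nothing injected */
    uint32_t intr_info;  /* would be written to VM_ENTRY_INTR_INFO */
    uint32_t insn_len;   /* would be written to VM_ENTRY_INSTRUCTION_LEN; 0 = untouched */
};

/* Build a VM-entry interruption-information value from vector, type,
 * error-code flag, and set the valid bit. */
uint32_t encode_intr_info(unsigned vector, unsigned type, bool deliver_code)
{
    uint32_t info = vector & INTR_INFO_VECTOR_MASK;

    info |= (type << INTR_INFO_INTR_TYPE_SHIFT) & INTR_INFO_INTR_TYPE_MASK;
    if (deliver_code)
        info |= INTR_INFO_DELIVER_CODE_MASK;
    return info | INTR_INFO_VALID_MASK;
}

/* Extract the event type (bits 10:8) from an interruption-information value. */
unsigned intr_info_type(uint32_t info)
{
    return (info & INTR_INFO_INTR_TYPE_MASK) >> INTR_INFO_INTR_TYPE_SHIFT;
}

/* Selection as the removed lines had it: once a #DB or int3 gets past the
 * debugger check it is marked a software exception of length 1. */
struct injected_event inject_old(unsigned trap, bool debugger_attached)
{
    struct injected_event ev = { false, 0, 0 };
    unsigned type = X86_EVENTTYPE_HW_EXCEPTION;   /* default for other vectors */

    if (trap == TRAP_debug || trap == TRAP_int3) {
        if (debugger_attached)
            return ev;                 /* domain_pause_for_debugger(); return; */
        type = X86_EVENTTYPE_SW_EXCEPTION;
        ev.insn_len = 1;               /* __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1) */
    }
    ev.injected  = true;
    ev.intr_info = encode_intr_info(trap, type, false); /* #DB/#BP push no error code */
    return ev;
}

/* Selection as in Jan's proposal: only int3 becomes a software exception
 * with an instruction length; #DB stays a hardware exception. */
struct injected_event inject_new(unsigned trap, bool debugger_attached)
{
    struct injected_event ev = { false, 0, 0 };
    unsigned type = X86_EVENTTYPE_HW_EXCEPTION;

    if (trap == TRAP_debug || trap == TRAP_int3) {
        if (debugger_attached)
            return ev;
        if (trap == TRAP_int3) {
            type = X86_EVENTTYPE_SW_EXCEPTION;
            ev.insn_len = 1;
        }
    }
    ev.injected  = true;
    ev.intr_info = encode_intr_info(trap, type, false);
    return ev;
}

static void show(const char *label, struct injected_event ev)
{
    if (!ev.injected)
        printf("%-12s not injected (debugger attached)\n", label);
    else
        printf("%-12s intr_info=0x%08x type=%u insn_len=%u\n",
               label, ev.intr_info, intr_info_type(ev.intr_info), ev.insn_len);
}

int main(void)
{
    show("old #DB:",     inject_old(TRAP_debug, false));  /* type=6 insn_len=1 */
    show("new #DB:",     inject_new(TRAP_debug, false));  /* type=3 insn_len=0 */
    show("new int3:",    inject_new(TRAP_int3, false));   /* type=6 insn_len=1 */
    show("new #DB+gdb:", inject_new(TRAP_debug, true));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it: the old rule reports #DB as type 6 (software exception) with an instruction length of 1, the new rule reports it as type 3 (hardware exception) with no length, while int3 keeps type 6 and length 1 under both. That is exactly the "HW event triggered by no opcode" distinction the mail draws, expressed in the bits the CPU reads at VM entry.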
Thanks Stefan. CCing security at debian.org since there doesn't seem to be a
BTS entry for these issues yet.

Ian.

On Mon, 2015-11-23 at 11:46 +0100, Stefan Bader wrote:
> [...]