search for: dr7

From: Tom Lendacky <thomas.lendacky at amd.com> Add code to handle #VC exceptions on DR7 register reads and writes. This is needed early because show_regs() reads DR7 to print it out. Under SEV-ES there is currently no support for saving/restoring the DRx registers, but software expects to be able to write to the DR7 register. For now, cache the value written to DR7 and return it on r...

On Tue, Apr 28, 2020 at 05:17:04PM +0200, Joerg Roedel wrote: > +static enum es_result vc_handle_dr7_write(struct ghcb *ghcb, > + struct es_em_ctxt *ctxt) > +{ > + struct sev_es_runtime_data *data = this_cpu_read(runtime_data); > + long val, *reg = vc_insn_get_rm(ctxt); > + enum es_result ret; > + > + if (!reg) > + return ES_DECODE_FAILED; > + > + val = *reg; &...

...eption_type(vcpu->arch.exception.nr) == EXCPT_FAULT) + __kvm_set_rflags(vcpu, kvm_get_rflags(vcpu) | + X86_EFLAGS_RF); + + if (vcpu->arch.exception.nr == DB_VECTOR) { + /* + * This code assumes that nSVM doesn't use + * check_nested_events(). If it does, the + * DR6/DR7 changes should happen before L1 + * gets a #VMEXIT for an intercepted #DB in + * L2. (Under VMX, on the other hand, the + * DR6/DR7 changes should not happen in the + * event of a VM-exit to L1 for an intercepted + * #DB in L2.) + */ + kvm_deliver_exception_payload(vcpu); + i...

Hi, I''m trying to verify that the Xen I''m running is patched against the all the known published bugs. I''m running Fedora 7, which means I''m running Xen 3.1.2. I''ve checked the changelog in the Fedora package, and I can verify that all the bugs I''ve found are fixed except for one. http://www.securityfocus.com/bid/27219

This patch is needed for a guest domain debugger to support hardware watchpoint. Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com> _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel

...cpu->arch.exception.injected = true; + + if (exception_type(vcpu->arch.exception.nr) == EXCPT_FAULT) + __kvm_set_rflags(vcpu, kvm_get_rflags(vcpu) | + X86_EFLAGS_RF); + + if (vcpu->arch.exception.nr == DB_VECTOR) { + kvm_deliver_exception_payload(vcpu); + if (vcpu->arch.dr7 & DR7_GD) { + vcpu->arch.dr7 &= ~DR7_GD; + kvm_update_dr7(vcpu); + } + } + + kvm_x86_ops.queue_exception(vcpu); + return true; + } + + return false; +} + static void inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) { int r; @@ -7821,29 +7851,8 @@ stati...

...] PFIFO_CACHE_ERROR - C1] [d5] [drm]1] [drm] PFIFO_CACHE_ERROR - Ch 5] [8] [drm]5] [drm] PFIFO_CACHE_ERROR - Ch 9] [dr2] [drm8] [drm] PFIFO_CACHE_ERROR - Ch 2] [dr6] [drm2] [drm] PFIFO_CACHE_ERROR - Ch 6] [dr9] [d6] [drm] PFIFO_CACHE_ERROR - Ch 0] [d3] [drm]9] [drm] PFIFO_CACHE_ERROR - Ch 33] [dr7] [drm3] [drm] PFIFO_CACHE_ERROR - Ch 37] [dr1] [drm]7] [drm] PFIFO_CACHE_ERROR - Ch 31] [drm4] [drm]1] [drm] PFIFO_CACHE_ERROR - C5] [dr8] [drm]4] [drm] PFIFO_CACHE_ERROR - 8] [dr2] [drm8] [drm] PFIFO_CAC Feb 6 06:32:18 selene kernel: RROR - Ch2] [d6] [drm2] [drm] PFIFO_CACHE_ERROR - 6] [d9] [...

00fffe0ff0 DR7: 0000000000000400 > > Call Trace: > > ? preempt_count_add+0x58/0xb0 > > ? _raw_spin_lock_irqsave+0x36/0x70 > > ? _raw_spin_unlock_irqrestore+0x1a/0x40 > > ? __wake_up+0x70/0x190 > > virtnet_set_features+0x90/0xf0 [virtio_net] > > __netdev_update_featu...

00fffe0ff0 DR7: 0000000000000400 > > Call Trace: > > ? preempt_count_add+0x58/0xb0 > > ? _raw_spin_lock_irqsave+0x36/0x70 > > ? _raw_spin_unlock_irqrestore+0x1a/0x40 > > ? __wake_up+0x70/0x190 > > virtnet_set_features+0x90/0xf0 [virtio_net] > > __netdev_update_featu...

...LE kernel: [ 32.126904] CR2: 00007ff893775000 CR3: 00= 000000bcfb6000 CR4: 0000000000002660 Aug 21 09:08:49 BUBBLE kernel: [ 32.126907] DR0: 0000000000000000 DR1: 00= 00000000000000 DR2: 0000000000000000 Aug 21 09:08:49 BUBBLE kernel: [ 32.126911] DR3: 0000000000000000 DR6: 00= 000000ffff0ff0 DR7: 0000000000000400 Aug 21 09:08:49 BUBBLE kernel: [ 32.126915] Process Xorg (pid: 1723=2C th= readinfo ffff880002a06000=2C task ffff8800bce58000) Aug 21 09:08:49 BUBBLE kernel: [ 32.126917]=20 Aug 21 09:08:49 BUBBLE kernel: [ 32.126924] RSP <00007fff2738f110> Aug 21 09:08:49 BUBBLE kern...

...V-ES guests anyway, but if it is supported the #DB > > exception would happen in the #VC handler and not on the original > > instruction. > > As in, the guest can't debug itself? Or the host can't debug the guest? Both, the guest can't debug itself because writes to DR7 never make it to the hardware DR7 register. And the host obviously can't debug the guest because it has no access to its unencrypted memory and register state. Regards, Joerg

...007-5907[0]: | Xen 3.1.1 does not prevent modification of the CR4 TSC from | applications, which allows pv guests to cause a denial of service | (crash). CVE-2007-5906[1]: | Xen 3.1.1 allows virtual guest system users to cause a | denial of service (hypervisor crash) by using a debug | register (DR7) to set certain breakpoints. If you fix this vulnerability please also include the CVE id in your changelog entry. A patch for these issues is linked on the mitre website. The xen version in etch is also affected. For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200...

...000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000001b2e423000 CR3: 000000005d734000 CR4: 00000000003506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 000000000000003b DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > vhost_transport_send_pkt+0x268/0x520 drivers/vhost/vsock.c:288 > virtio_transport_send_pkt_info+0x54c/0x820 net/vmw_vsock/virtio_transport_common.c:250 > virtio_transport_connect+0xb1/0xf0 net/vmw_vsock/virtio_transport_common.c:81...

...ue_exception_event( first=1, record={context={flags=00000000,eax=00002000,ebx=40110dc4,ecx=404260f0,edx=40426174,esi=00456000,edi=00000000,ebp=40616e68,eip=00760dcd,esp=40616e48,eflags=00010206,cs=0023,ds=002b,es=002b,fs=008f,gs=0000,dr0=00000000,dr1=00000000,dr2=00000000,dr3=00000000,dr6=00000000,dr7=00000000,float={00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000}},rec={code=c0000005,flags=0,re...

...00007f7fd38488e0(0000) GS:ffff88022dcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000022309f000 CR4: 00000000000427e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process qemu-system-x86 (pid: 4257, threadinfo ffff880221720000, task ffff880222bd5640) Stack: ffff880221721d08 ffffffff810ac5c5 ffff88022431dc00 0000000000000086 0000000000000080 ffff880223e2a900 ffff8802208f6ca8 0000000000000000 ffff880221721d48 ffffffff810ac8fe 0000000000000...

...00007f7fd38488e0(0000) GS:ffff88022dcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000022309f000 CR4: 00000000000427e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process qemu-system-x86 (pid: 4257, threadinfo ffff880221720000, task ffff880222bd5640) Stack: ffff880221721d08 ffffffff810ac5c5 ffff88022431dc00 0000000000000086 0000000000000080 ffff880223e2a900 ffff8802208f6ca8 0000000000000000 ffff880221721d48 ffffffff810ac8fe 0000000000000...

...0000000000000 [ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0 [ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4.211379] Call Trace: [ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0 [ 4.211379] virtio_transport_recv_pkt+0x15f/0x740 [ 4.211379] ? detach_buf+0x1b5/0x210 [ 4.211379] virtio_transport_rx_work+0xb7/0x140 [ 4.211379] process_one_work+0x1ef/0x480 [ 4...

...0000000000000 [ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0 [ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4.211379] Call Trace: [ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0 [ 4.211379] virtio_transport_recv_pkt+0x15f/0x740 [ 4.211379] ? detach_buf+0x1b5/0x210 [ 4.211379] virtio_transport_rx_work+0xb7/0x140 [ 4.211379] process_one_work+0x1ef/0x480 [ 4...

...0000000030 GS - 0000000000000030, SS - 0000000000000030 CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 000000001FC01000 CR4 - 0000000000000668, CR8 - 0000000000000000 DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 GDTR - 000000001FBEEA98 0000000000000047, LDTR - 0000000000000000 IDTR - 000000001F6A9018 0000000000000FFF, TR - 0000000000000000 FXSAVE_STATE - 000000001FF13310 select help: !!!! X64 Exception Type - 0D(#GP - General Protection) CPU Apic ID - 00000000 !!!! ExceptionData - 0...

...28200000(0000) knlGS:0000000000000000 <4>CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b <4>CR2: 000000004d000001 CR3: 00000003ee2dd000 CR4: 00000000001427e0 <4>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 <4>DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 <4>Process qemu-kvm (pid: 23490, threadinfo ffff8806c0044000, task ffff8803ee039540) <4>Stack: <4> 0000000000000402 00000000000001fc ffff88038d4ca000 00000000000001fc <4><d> ffff880028216840 00000000000001fc 0000000100000000 000000000000002a <4>...