Liu, Jinsong
2013-Oct-16 18:33 UTC
[PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001
From: Liu Jinsong <jinsong.liu@intel.com>
Date: Thu, 17 Oct 2013 04:00:49 +0800
Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat

Recently Oracle developers found a Xen security issue as DOS affecting,
named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html
Basically it involves how to handle guest cr0.cd setting, which under
some environment it consumes much time resulting in DOS-like behavior.

This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60
via PAT under Intel EPT case, which depends on cpu_has_vmx_pat.

Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>
---
 xen/arch/x86/hvm/vmx/vmcs.c | 4 ++--
 xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
index 6526504..6916c6d 100644
--- a/xen/arch/x86/hvm/vmx/vmcs.c
+++ b/xen/arch/x86/hvm/vmx/vmcs.c
@@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v)
 vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | MSR_TYPE_W);
 vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R | MSR_TYPE_W);
 vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R | MSR_TYPE_W);
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
 vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | MSR_TYPE_W);
 }
 
@@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v)
 __vmwrite(EPT_POINTER, ept_get_eptp(ept));
 }
 
- if ( cpu_has_vmx_pat && paging_mode_hap(d) )
+ if ( paging_mode_hap(d) )
 {
 u64 host_pat, guest_pat;
 
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 9ca8632..b59bf59 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
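Review bot: With `cpu_has_vmx_pat` dropped from both conditions in construct_vmcs, nothing at these sites records why it is still safe to stop intercepting `MSR_IA32_CR_PAT` and to enter the block that declares `host_pat`/`guest_pat`; the guarantee now lives only in start_vmx, which leaves `hap_supported` unset without PAT support. If `paging_mode_hap(d)` were ever true on hardware lacking the VMCS PAT controls, the guest would presumably get unintercepted access to the PAT MSR with no VMCS save/restore behind it. I would pin the invariant where it is relied on: `ASSERT(cpu_has_vmx_pat);` as the first statement of the braced block in the second hunk, and a comment such as `/* HAP implies cpu_has_vmx_pat, see start_vmx() */` above the unbraced `if` in the first. The same applies to the early returns in vmx_set_guest_pat and vmx_get_guest_pat in vmx.c. construct_vmcs starts and ends outside both hunks.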
@@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu *v)
 
 static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
 {
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
 return 0;
 
 vmx_vmcs_enter(v);
@@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat)
 
 static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat)
 {
- if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) )
+ if ( !paging_mode_hap(v->domain) )
 return 0;
 
 vmx_vmcs_enter(v);
@@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init start_vmx(void)
 return NULL;
 }
 
- if ( cpu_has_vmx_ept )
+ /*
+ * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole
+ * which refer to http://xenbits.xen.org/xsa/advisory-60.html
+ */
+ if ( cpu_has_vmx_ept && cpu_has_vmx_pat )
 {
 vmx_function_table.hap_supported = 1;
 
-- 
1.7.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
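Review bot: On a CPU that reports EPT but not the VMCS PAT controls, the new condition in start_vmx turns HAP off without saying so: the block is simply skipped and no log line points at XSA-60. An operator who finds guests on shadow paging after the upgrade has nothing to correlate it with; an `else if ( cpu_has_vmx_ept )` branch with `printk(XENLOG_WARNING "VMX: EPT disabled, no VMCS PAT support (XSA-60)\n");` would make the fallback visible. It is also worth checking code outside this hunk that tests `cpu_has_vmx_ept` directly rather than `hap_supported`, since those sites would still see EPT as available. start_vmx continues past the end of the hunk.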
Jan Beulich
2013-Oct-17 09:58 UTC
Re: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
>>> On 16.10.13 at 20:33, "Liu, Jinsong" <jinsong.liu@intel.com> wrote: > From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001 > From: Liu Jinsong <jinsong.liu@intel.com> > Date: Thu, 17 Oct 2013 04:00:49 +0800 > Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat > > Recently Oracle developers found a Xen security issue as DOS affecting, > named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html > Basically it involves how to handle guest cr0.cd setting, which under > some environment it consumes much time resulting in DOS-like behavior. > > This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 > via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. > > Signed-off-by: Liu Jinsong <jinsong.liu@intel.com>Reviewed-by: Jan Beulich <jbeulich@suse.com>> --- > xen/arch/x86/hvm/vmx/vmcs.c | 4 ++-- > xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++--- > 2 files changed, 9 insertions(+), 5 deletions(-) > > diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c > index 6526504..6916c6d 100644 > --- a/xen/arch/x86/hvm/vmx/vmcs.c > +++ b/xen/arch/x86/hvm/vmx/vmcs.c > @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v) > vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | > MSR_TYPE_W); > vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R > | MSR_TYPE_W); > vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R > | MSR_TYPE_W); > - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) > + if ( paging_mode_hap(d) ) > vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | > MSR_TYPE_W); > } > > @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v) > __vmwrite(EPT_POINTER, ept_get_eptp(ept)); > } > > - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) > + if ( paging_mode_hap(d) ) > { > u64 host_pat, guest_pat; > > diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c > index 9ca8632..b59bf59 100644 
> --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu > *v) > > static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) > { > - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) > + if ( !paging_mode_hap(v->domain) ) > return 0; > > vmx_vmcs_enter(v); > @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) > > static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat) > { > - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) > + if ( !paging_mode_hap(v->domain) ) > return 0; > > vmx_vmcs_enter(v); > @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init > start_vmx(void) > return NULL; > } > > - if ( cpu_has_vmx_ept ) > + /* > + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole > + * which refer to http://xenbits.xen.org/xsa/advisory-60.html > + */ > + if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) > { > vmx_function_table.hap_supported = 1; > > -- > 1.7.1
Andrew Cooper
2013-Oct-17 10:05 UTC
Re: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat
On 17/10/13 10:58, Jan Beulich wrote:>>>> On 16.10.13 at 20:33, "Liu, Jinsong" <jinsong.liu@intel.com> wrote: >> From 9ec2ca512979e99a229d333038f849a2d5a7fde5 Mon Sep 17 00:00:00 2001 >> From: Liu Jinsong <jinsong.liu@intel.com> >> Date: Thu, 17 Oct 2013 04:00:49 +0800 >> Subject: [PATCH 1/3] XSA-60 security hole: disable EPT when !cpu_has_vmx_pat >> >> Recently Oracle developers found a Xen security issue as DOS affecting, >> named as XSA-60. Please refer http://xenbits.xen.org/xsa/advisory-60.html >> Basically it involves how to handle guest cr0.cd setting, which under >> some environment it consumes much time resulting in DOS-like behavior. >> >> This is a preparing patch for fixing XSA-60. Later patch will fix XSA-60 >> via PAT under Intel EPT case, which depends on cpu_has_vmx_pat. >> >> Signed-off-by: Liu Jinsong <jinsong.liu@intel.com> > Reviewed-by: Jan Beulich <jbeulich@suse.com>Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>> >> --- >> xen/arch/x86/hvm/vmx/vmcs.c | 4 ++-- >> xen/arch/x86/hvm/vmx/vmx.c | 10 +++++++--- >> 2 files changed, 9 insertions(+), 5 deletions(-) >> >> diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c >> index 6526504..6916c6d 100644 >> --- a/xen/arch/x86/hvm/vmx/vmcs.c >> +++ b/xen/arch/x86/hvm/vmx/vmcs.c >> @@ -921,7 +921,7 @@ static int construct_vmcs(struct vcpu *v) >> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_CS, MSR_TYPE_R | >> MSR_TYPE_W); >> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_ESP, MSR_TYPE_R >> | MSR_TYPE_W); >> vmx_disable_intercept_for_msr(v, MSR_IA32_SYSENTER_EIP, MSR_TYPE_R >> | MSR_TYPE_W); >> - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) >> + if ( paging_mode_hap(d) ) >> vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT, MSR_TYPE_R | >> MSR_TYPE_W); >> } 
>> >> @@ -1063,7 +1063,7 @@ static int construct_vmcs(struct vcpu *v) >> __vmwrite(EPT_POINTER, ept_get_eptp(ept)); >> } >> >> - if ( cpu_has_vmx_pat && paging_mode_hap(d) ) >> + if ( paging_mode_hap(d) ) >> { >> u64 host_pat, guest_pat; >> >> diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c >> index 9ca8632..b59bf59 100644 >> --- a/xen/arch/x86/hvm/vmx/vmx.c >> +++ b/xen/arch/x86/hvm/vmx/vmx.c >> @@ -908,7 +908,7 @@ static unsigned long vmx_get_shadow_gs_base(struct vcpu >> *v) >> >> static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) >> { >> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) >> + if ( !paging_mode_hap(v->domain) ) >> return 0; >> >> vmx_vmcs_enter(v); >> @@ -919,7 +919,7 @@ static int vmx_set_guest_pat(struct vcpu *v, u64 gpat) >> >> static int vmx_get_guest_pat(struct vcpu *v, u64 *gpat) >> { >> - if ( !cpu_has_vmx_pat || !paging_mode_hap(v->domain) ) >> + if ( !paging_mode_hap(v->domain) ) >> return 0; >> >> vmx_vmcs_enter(v); >> @@ -1591,7 +1591,11 @@ const struct hvm_function_table * __init >> start_vmx(void) >> return NULL; >> } >> >> - if ( cpu_has_vmx_ept ) >> + /* >> + * Do not enable EPT when (!cpu_has_vmx_pat), to prevent security hole >> + * which refer to http://xenbits.xen.org/xsa/advisory-60.html >> + */ >> + if ( cpu_has_vmx_ept && cpu_has_vmx_pat ) >> { >> vmx_function_table.hap_supported = 1; >> >> -- >> 1.7.1 > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel