[xen stable-4.6] x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap()

patchbot
commit 9b0c2a223132a07f06f0be8e85da390defe998f5
Author:     Andrew Cooper <[hidden email]>
AuthorDate: Thu Nov 16 12:14:57 2017 +0100
Commit:     Jan Beulich <[hidden email]>
CommitDate: Thu Nov 16 12:14:57 2017 +0100

    x86/shadow: correct SH_LINEAR mapping detection in sh_guess_wrmap()
   
    The fix for XSA-243 / CVE-2017-15592 (c/s bf2b4eadcf379) introduced a change
    in behaviour for sh_guess_wrmap(), where it had to cope with no shadow linear
    mapping being present.
   
    As the name suggests, guest_vtable is a mapping of the guest's pagetable, not
    Xen's pagetable, meaning that it isn't the pagetable we need to check for the
    shadow linear slot in.
   
    The practical upshot is that a shadow HVM vcpu which switches into 4-level
    paging mode, with an L4 pagetable that contains a mapping which aliases Xen's
    SH_LINEAR_PT_VIRT_START will fool the safety check for whether a SHADOW_LINEAR
    mapping is present.  As the check passes (when it should have failed), Xen
    subsequently falls over the missing mapping with a pagefault such as:
   
        (XEN) Pagetable walk from ffff8140a0503880:
        (XEN)  L4[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L3[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L2[0x102] = 000000046c218063 ffffffffffffffff
        (XEN)  L1[0x103] = 0000000000000000 ffffffffffffffff
   
    This is part of XSA-243.
   
    Signed-off-by: Andrew Cooper <[hidden email]>
    Reviewed-by: Tim Deegan <[hidden email]>
---
 xen/arch/x86/mm/shadow/multi.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c
index cb8ddde..0242b8e 100644
--- a/xen/arch/x86/mm/shadow/multi.c
+++ b/xen/arch/x86/mm/shadow/multi.c
@@ -4282,11 +4282,18 @@ static int sh_guess_wrmap(struct vcpu *v, unsigned long vaddr, mfn_t gmfn)
 
     /* Carefully look in the shadow linear map for the l1e we expect */
 #if SHADOW_PAGING_LEVELS >= 4
-    /* Is a shadow linear map is installed in the first place? */
-    sl4p  = v->arch.paging.shadow.guest_vtable;
-    sl4p += shadow_l4_table_offset(SH_LINEAR_PT_VIRT_START);
-    if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
-        return 0;
+    /*
+     * Non-external guests (i.e. PV) have a SHADOW_LINEAR mapping from the
+     * moment their shadows are created.  External guests (i.e. HVM) may not,
+     * but always have a regular linear mapping, which we can use to observe
+     * whether a SHADOW_LINEAR mapping is present.
+     */
+    if ( paging_mode_external(d) )
+    {
+        sl4p =  __linear_l4_table + l4_linear_offset(SH_LINEAR_PT_VIRT_START);
+        if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
+            return 0;
+    }
     sl4p = sh_linear_l4_table(v) + shadow_l4_linear_offset(vaddr);
     if ( !(shadow_l4e_get_flags(*sl4p) & _PAGE_PRESENT) )
         return 0;
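
Review bot: the new `if ( paging_mode_external(d) )` block relies on a `d` that is not declared anywhere in the visible lines; the function signature in the hunk header only provides `struct vcpu *v`, so please confirm a `struct domain *d` local is in scope above this point on the stable-4.6 branch, or use `v->domain` here. Inside the block, `sl4p` is pointed at `__linear_l4_table` and then immediately reused for `sh_linear_l4_table(v)` on the next statement; since the original bug was precisely a check made against the wrong table, a separately named local for the Xen linear-map entry would make it harder to conflate the two lookups again. The non-external path now skips the presence check entirely on the strength of the comment's claim that PV guests always have a SHADOW_LINEAR mapping; an assertion documenting that invariant would be worth considering. Minor style point: `sl4p =  __linear_l4_table` has a doubled space after the `=`.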
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6
