[xen staging-4.7] x86/traps: Fix handling of #DB exceptions in hypervisor context
Author: Andrew Cooper <[hidden email]>
AuthorDate: Tue May 8 18:23:01 2018 +0100
Commit: Andrew Cooper <[hidden email]>
CommitDate: Tue May 8 18:23:01 2018 +0100
x86/traps: Fix handling of #DB exceptions in hypervisor context
The WARN_ON() can be triggered by guest activities, and emits a full stack
trace without rate limiting. Swap it out for a ratelimited printk with just
enough information to work out what is going on.
Not all #DB exceptions are traps, so blindly continuing is not a safe action
to take. We don't let PV guests select these settings in the real %dr7 to
begin with, but for added safety against unexpected situations, detect the
fault cases and crash in an obvious manner.
This is part of XSA-260 / CVE-2018-8897.
Signed-off-by: Andrew Cooper <[hidden email]>
Reviewed-by: Jan Beulich <[hidden email]>
xen/arch/x86/traps.c | 44 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index a72d33d5f5..0f34b2115d 100644
@@ -3889,16 +3889,44 @@ void do_debug(struct cpu_user_regs *regs)
regs->eflags &= ~X86_EFLAGS_TF;
+ * Check for fault conditions. General Detect, and instruction
+ * breakpoints are faults rather than traps, at which point attempting
+ * to ignore and continue will result in a livelock.
+ if ( dr6 & DR_GENERAL_DETECT )
- * We ignore watchpoints when they trigger within Xen. This may
- * happen when a buffer is passed to us which previously had a
- * watchpoint set on it. No need to bump EIP; the only faulting
- * trap is an instruction breakpoint, which can't happen to us.
+ printk(XENLOG_ERR "Hit General Detect in Xen context\n");
+ if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) )
+ unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT;
+ for ( bp = 0; bp < 4; ++bp )
+ if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */
+ ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ )
+ "Hit instruction breakpoint in Xen context\n");
+ * Whatever caused this #DB should be a trap. Note it and continue.
+ * Guests can trigger this in certain corner cases, so ensure the
+ * message is ratelimited.
+ "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n",
+ regs->cs, _p(regs->rip), _p(regs->rip),
+ regs->ss, _p(regs->rsp), dr6);
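Review bot: the instruction-breakpoint test `((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */` matches any slot whose R/W field is zero, which is also the state of a breakpoint that is not enabled at all, and the visible loop only consults the R/W bits after `read_debugreg(7) >> DR_CONTROL_SHIFT`, never the L<n>/G<n> enable bits in the low byte of %dr7. Since the B<n> bits in DR6 are sticky and can remain set for a slot that is no longer armed, a stale bit would be reported as "Hit instruction breakpoint in Xen context" and taken down the fault path; consider also requiring the slot's enable bit before treating it as a fault, or stating in the comment why DR6 is known to be clean here.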
generated by git-patchbot for /home/xen/git/xen.git#staging-4.7