|
 |
c0fc120 |
x86/HVM: properly bound x2APIC MSR range
|
|
|
c0fc120 |
|
|
|
c0fc120 |
While the write path change appears to be purely cosmetic (but still
|
|
|
c0fc120 |
gets done here for consistency), the read side mistake permitted
|
|
|
c0fc120 |
accesses beyond the virtual APIC page.
|
|
|
c0fc120 |
|
|
|
c0fc120 |
Note that while this isn't fully in line with the specification
|
|
|
c0fc120 |
(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
|
|
|
c0fc120 |
possible fix addressing the security issue and getting x2APIC related
|
|
|
c0fc120 |
code into a consistent shape (elsewhere a 256 rather than 1024 wide
|
|
|
c0fc120 |
window is being used too). This will be dealt with subsequently.
|
|
|
c0fc120 |
|
|
|
c0fc120 |
This is XSA-108.
|
|
|
c0fc120 |
|
|
|
c0fc120 |
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
c0fc120 |
|
|
|
c0fc120 |
--- a/xen/arch/x86/hvm/hvm.c
|
|
|
c0fc120 |
+++ b/xen/arch/x86/hvm/hvm.c
|
|
|
c0fc120 |
@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int
|
|
|
c0fc120 |
*msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
|
|
|
c0fc120 |
break;
|
|
|
c0fc120 |
|
|
|
c0fc120 |
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
|
|
|
c0fc120 |
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
|
|
|
c0fc120 |
if ( hvm_x2apic_msr_read(v, msr, msr_content) )
|
|
|
c0fc120 |
goto gp_fault;
|
|
|
c0fc120 |
break;
|
|
|
c0fc120 |
@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int
|
|
|
c0fc120 |
vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
|
|
|
c0fc120 |
break;
|
|
|
c0fc120 |
|
|
|
c0fc120 |
- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
|
|
|
c0fc120 |
+ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
|
|
|
c0fc120 |
if ( hvm_x2apic_msr_write(v, msr, msr_content) )
|
|
|
c0fc120 |
goto gp_fault;
|
|
|
c0fc120 |
break;
|