|
 |
e58d6e1 |
x86/mm: fully honor PS bits in guest page table walks
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
In L4 entries it is currently unconditionally reserved (and hence
|
|
|
e58d6e1 |
should, when set, always result in a reserved bit page fault), and is
|
|
|
e58d6e1 |
reserved on hardware not supporting 1Gb pages (and hence should, when
|
|
|
e58d6e1 |
set, similarly cause a reserved bit page fault on such hardware).
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
This is CVE-2016-4480 / XSA-176.
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
|
|
e58d6e1 |
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
e58d6e1 |
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
--- a/xen/arch/x86/mm/guest_walk.c
|
|
|
e58d6e1 |
+++ b/xen/arch/x86/mm/guest_walk.c
|
|
|
e58d6e1 |
@@ -226,6 +226,11 @@ guest_walk_tables(struct vcpu *v, struct
|
|
|
e58d6e1 |
rc |= _PAGE_PRESENT;
|
|
|
e58d6e1 |
goto out;
|
|
|
e58d6e1 |
}
|
|
|
e58d6e1 |
+ if ( gflags & _PAGE_PSE )
|
|
|
e58d6e1 |
+ {
|
|
|
e58d6e1 |
+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
|
|
|
e58d6e1 |
+ goto out;
|
|
|
e58d6e1 |
+ }
|
|
|
e58d6e1 |
rc |= ((gflags & mflags) ^ mflags);
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
/* Map the l3 table */
|
|
|
e58d6e1 |
@@ -247,7 +252,7 @@ guest_walk_tables(struct vcpu *v, struct
|
|
|
e58d6e1 |
}
|
|
|
e58d6e1 |
rc |= ((gflags & mflags) ^ mflags);
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
- pse1G = (gflags & _PAGE_PSE) && guest_supports_1G_superpages(v);
|
|
|
e58d6e1 |
+ pse1G = !!(gflags & _PAGE_PSE);
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
if ( pse1G )
|
|
|
e58d6e1 |
{
|
|
|
e58d6e1 |
@@ -267,6 +272,8 @@ guest_walk_tables(struct vcpu *v, struct
|
|
|
e58d6e1 |
/* _PAGE_PSE_PAT not set: remove _PAGE_PAT from flags. */
|
|
|
e58d6e1 |
flags &= ~_PAGE_PAT;
|
|
|
e58d6e1 |
|
|
|
e58d6e1 |
+ if ( !guest_supports_1G_superpages(v) )
|
|
|
e58d6e1 |
+ rc |= _PAGE_PSE | _PAGE_INVALID_BIT;
|
|
|
e58d6e1 |
if ( gfn_x(start) & GUEST_L3_GFN_MASK & ~0x1 )
|
|
|
e58d6e1 |
rc |= _PAGE_INVALID_BITS;
|
|
|
e58d6e1 |
|