| Message ID | 20250311212248.3630583-1-andrew.cooper3@citrix.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | x86/IDT: Fix IDT generation for INT $0x80 | expand |
On 11/03/2025 9:22 pm, Andrew Cooper wrote: > When PV is enabled, entry_int80 needs to be DPL3, not DPL0. > > This causes the XSA-259 PoC to fail with: > > --- Xen Test Framework --- > Environment: PV 64bit (Long mode 4 levels) > XSA-259 PoC > Error: Unexpected fault 0x800d0802, #GP[IDT[256]] > Test result: ERROR > > (Clearly I have a bug in XTF's rendering of the error code too.) Fixes: 3da2149cf4dc ("x86/IDT: Generate bsp_idt[] at build time") Adjusted locally. ~Andrew > Reported-by: Luca Fancellu <luca.fancellu@arm.com> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > --- > CC: Jan Beulich <JBeulich@suse.com> > CC: Roger Pau Monné <roger.pau@citrix.com> > CC: Luca Fancellu <luca.fancellu@arm.com> > --- > xen/arch/x86/include/asm/gen-idt.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/xen/arch/x86/include/asm/gen-idt.h b/xen/arch/x86/include/asm/gen-idt.h > index 9c8810edf9d7..d1da73248c1c 100644 > --- a/xen/arch/x86/include/asm/gen-idt.h > +++ b/xen/arch/x86/include/asm/gen-idt.h > @@ -77,7 +77,7 @@ GEN16(6); > GEN16(7); > > #ifdef CONFIG_PV > -GEN(0x80, entry_int80, DPL0, manual); > +GEN(0x80, entry_int80, DPL3, manual); > #else > GEN(0x80, entry_0x80, DPL0, autogen); > #endif
Hi Andrew, > On 11 Mar 2025, at 21:22, Andrew Cooper <andrew.cooper3@citrix.com> wrote: > > When PV is enabled, entry_int80 needs to be DPL3, not DPL0. > > This causes the XSA-259 PoC to fail with: > > --- Xen Test Framework --- > Environment: PV 64bit (Long mode 4 levels) > XSA-259 PoC > Error: Unexpected fault 0x800d0802, #GP[IDT[256]] > Test result: ERROR > > (Clearly I have a bug in XTF's rendering of the error code too.) > > Reported-by: Luca Fancellu <luca.fancellu@arm.com> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> I’ve runned XTF on this one and I confirm it solves the issue: Tested-by: Luca Fancellu <luca.fancellu@arm.com>
On 11/03/2025 9:27 pm, Andrew Cooper wrote: > On 11/03/2025 9:22 pm, Andrew Cooper wrote: >> When PV is enabled, entry_int80 needs to be DPL3, not DPL0. >> >> This causes the XSA-259 PoC to fail with: >> >> --- Xen Test Framework --- >> Environment: PV 64bit (Long mode 4 levels) >> XSA-259 PoC >> Error: Unexpected fault 0x800d0802, #GP[IDT[256]] >> Test result: ERROR >> >> (Clearly I have a bug in XTF's rendering of the error code too.) Nope, it's a QEMU bug. Under QEMU, we get: --- Xen Test Framework --- Environment: PV 64bit (Long mode 4 levels) XSA-259 PoC (XEN) [ 3.982447] *** #GP/IDT ec 00000802 (XEN) [ 3.982668] *** #GP/IDT ec 00000802, not permitted (XEN) [ 3.982849] *** #GP inject ec 00000802 Error: Unexpected fault 0x800d0802, #GP[IDT[256]] Test result: ERROR On real hardware: (d1) --- Xen Test Framework --- (d1) Environment: PV 64bit (Long mode 4 levels) (d1) XSA-259 PoC (XEN) *** #GP/IDT ec 00000402 (XEN) *** #GP/IDT ec 00000402, not permitted (XEN) *** #GP inject ec 00000402 (d1) Success: Not vulnerable to XSA-259 (d1) Test result: SUCCESS So it's by chance that Luca's testing even picked up this failure. The XSA-259 PoC can't distinguish between the #GP INT emulation path and the INT80 fastpath's error path which injects #GP. ~Andrew
On 11/03/2025 11:36 pm, Andrew Cooper wrote: > On 11/03/2025 9:27 pm, Andrew Cooper wrote: >> On 11/03/2025 9:22 pm, Andrew Cooper wrote: >>> When PV is enabled, entry_int80 needs to be DPL3, not DPL0. >>> >>> This causes the XSA-259 PoC to fail with: >>> >>> --- Xen Test Framework --- >>> Environment: PV 64bit (Long mode 4 levels) >>> XSA-259 PoC >>> Error: Unexpected fault 0x800d0802, #GP[IDT[256]] >>> Test result: ERROR >>> >>> (Clearly I have a bug in XTF's rendering of the error code too.) > Nope, it's a QEMU bug. Under QEMU, we get: > > --- Xen Test Framework --- > Environment: PV 64bit (Long mode 4 levels) > XSA-259 PoC > (XEN) [ 3.982447] *** #GP/IDT ec 00000802 > (XEN) [ 3.982668] *** #GP/IDT ec 00000802, not permitted > (XEN) [ 3.982849] *** #GP inject ec 00000802 > Error: Unexpected fault 0x800d0802, #GP[IDT[256]] > Test result: ERROR > > > On real hardware: > > (d1) --- Xen Test Framework --- > (d1) Environment: PV 64bit (Long mode 4 levels) > (d1) XSA-259 PoC > (XEN) *** #GP/IDT ec 00000402 > (XEN) *** #GP/IDT ec 00000402, not permitted > (XEN) *** #GP inject ec 00000402 > (d1) Success: Not vulnerable to XSA-259 > (d1) Test result: SUCCESS > > So it's by chance that Luca's testing even picked up this failure. The > XSA-259 PoC can't distinguish between the #GP INT emulation path and the > INT80 fastpath's error path which injects #GP. And a patch submitted. https://lore.kernel.org/qemu-devel/20250312000603.3666083-1-andrew.cooper3@citrix.com/T/#u ~Andrew
On 11.03.2025 22:27, Andrew Cooper wrote: > On 11/03/2025 9:22 pm, Andrew Cooper wrote: >> When PV is enabled, entry_int80 needs to be DPL3, not DPL0. >> >> This causes the XSA-259 PoC to fail with: >> >> --- Xen Test Framework --- >> Environment: PV 64bit (Long mode 4 levels) >> XSA-259 PoC >> Error: Unexpected fault 0x800d0802, #GP[IDT[256]] >> Test result: ERROR >> >> (Clearly I have a bug in XTF's rendering of the error code too.) > > Fixes: 3da2149cf4dc ("x86/IDT: Generate bsp_idt[] at build time") Reviewed-by: Jan Beulich <jbeulich@suse.com> Jan
diff --git a/xen/arch/x86/include/asm/gen-idt.h b/xen/arch/x86/include/asm/gen-idt.h index 9c8810edf9d7..d1da73248c1c 100644 --- a/xen/arch/x86/include/asm/gen-idt.h +++ b/xen/arch/x86/include/asm/gen-idt.h @@ -77,7 +77,7 @@ GEN16(6); GEN16(7); #ifdef CONFIG_PV -GEN(0x80, entry_int80, DPL0, manual); +GEN(0x80, entry_int80, DPL3, manual); #else GEN(0x80, entry_0x80, DPL0, autogen); #endif
When PV is enabled, entry_int80 needs to be DPL3, not DPL0. This causes the XSA-259 PoC to fail with: --- Xen Test Framework --- Environment: PV 64bit (Long mode 4 levels) XSA-259 PoC Error: Unexpected fault 0x800d0802, #GP[IDT[256]] Test result: ERROR (Clearly I have a bug in XTF's rendering of the error code too.) Reported-by: Luca Fancellu <luca.fancellu@arm.com> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Jan Beulich <JBeulich@suse.com> CC: Roger Pau Monné <roger.pau@citrix.com> CC: Luca Fancellu <luca.fancellu@arm.com> --- xen/arch/x86/include/asm/gen-idt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)