| Message ID | 20161213121620.22745-4-haozhong.zhang@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
On 13/12/16 12:16, Haozhong Zhang wrote:
> Check whether the operand of L1 vmxon is a valid VMXON region address
> and whether the VMXON region at that address contains a valid revision
> ID.
>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
On Tue, Dec 13, 2016 at 08:16:20PM +0800, Haozhong Zhang wrote:
> Check whether the operand of L1 vmxon is a valid VMXON region address
> and whether the VMXON region at that address contains a valid revision
> ID.
>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Thank you for finding these and fixing them!
> From: Zhang, Haozhong
> Sent: Tuesday, December 13, 2016 8:16 PM
>
> Check whether the operand of L1 vmxon is a valid VMXON region address
> and whether the VMXON region at that address contains a valid revision
> ID.
>
> Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>

Acked-by: Kevin Tian <kevin.tian@intel.com>
diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c index b60d7f0..7cee307 100644 --- a/xen/arch/x86/hvm/vmx/vvmx.c +++ b/xen/arch/x86/hvm/vmx/vvmx.c @@ -1390,6 +1390,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs) struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v); struct vmx_inst_decoded decode; unsigned long gpa = 0; + uint32_t nvmcs_revid; int rc; rc = decode_vmx_inst(regs, &decode, &gpa, 1); @@ -1404,6 +1405,21 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs) return X86EMUL_OKAY; } + if ( (gpa & ~PAGE_MASK) || (gpa >> v->domain->arch.paging.gfn_bits) ) + { + vmreturn(regs, VMFAIL_INVALID); + return X86EMUL_OKAY; + } + + rc = hvm_copy_from_guest_phys(&nvmcs_revid, gpa, sizeof(nvmcs_revid)); + if ( rc != HVMCOPY_okay || + (nvmcs_revid & ~VMX_BASIC_REVISION_MASK) || + ((nvmcs_revid ^ vmx_basic_msr) & VMX_BASIC_REVISION_MASK) ) + { + vmreturn(regs, VMFAIL_INVALID); + return X86EMUL_OKAY; + } + nvmx->vmxon_region_pa = gpa; /*
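Review bot: in the second hunk (the `@@ -1404,6 +1405,21 @@` region) the address-width test `(gpa >> v->domain->arch.paging.gfn_bits)` shifts a byte address by a field whose name says it counts guest frame-number bits, so if `gfn_bits` really is a GFN width this rejects every gpa at or above 2^gfn_bits bytes, which is PAGE_SHIFT bits narrower than the guest physical address space; please confirm what `gfn_bits` bounds, and if it is a frame-number width use `((gpa >> PAGE_SHIFT) >> v->domain->arch.paging.gfn_bits)` or an equivalent frame-number validity helper. A one-line comment noting that the SDM specifies VMfailInvalid for a VMXON pointer that is not 4 KB aligned or sets bits beyond the physical-address width would also make the intent of the `~PAGE_MASK` test clear. The revision check itself looks right: rejecting any bit outside `VMX_BASIC_REVISION_MASK` refuses a VMXON region whose shadow-VMCS indicator bit is set, and the XOR against `vmx_basic_msr` compares only the revision field, which is what the SDM requires before VMXON may succeed.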
Check whether the operand of L1 vmxon is a valid VMXON region address
and whether the VMXON region at that address contains a valid revision
ID.

Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
---
 xen/arch/x86/hvm/vmx/vvmx.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)