[2/3] x86/HVM: fail virt-to-linear conversion for insn fetches from non-code segments

Commit Message

Jan Beulich Dec. 3, 2021, 11:22 a.m. UTC

Just like (in protected mode) reads may not go to exec-only segments and
writes may not go to non-writable ones, insn fetches may not access data
segments.

Fixes: 623e83716791 ("hvm: Support hardware task switching")
Signed-off-by: Jan Beulich <jbeulich@suse.com>

Comments

Andrew Cooper Dec. 3, 2021, 11:49 a.m. UTC | #1

On 03/12/2021 11:22, Jan Beulich wrote:
> Just like (in protected mode) reads may not go to exec-only segments and
> writes may not go to non-writable ones, insn fetches may not access data
> segments.
>
> Fixes: 623e83716791 ("hvm: Support hardware task switching")
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

Patch

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -2551,6 +2551,9 @@  bool hvm_vcpu_virtual_to_linear(
      */
     ASSERT(seg < x86_seg_none);
 
+    /* However, check that insn fetches only ever specify CS. */
+    ASSERT(access_type != hvm_access_insn_fetch || seg == x86_seg_cs);
+
     if ( !(v->arch.hvm.guest_cr[0] & X86_CR0_PE) )
     {
         /*
@@ -2615,10 +2618,17 @@  bool hvm_vcpu_virtual_to_linear(
                 if ( (reg->type & 0xa) == 0x8 )
                     goto out; /* execute-only code segment */
                 break;
+
             case hvm_access_write:
                 if ( (reg->type & 0xa) != 0x2 )
                     goto out; /* not a writable data segment */
                 break;
+
+            case hvm_access_insn_fetch:
+                if ( !(reg->type & 0x8) )
+                    goto out; /* not a code segment */
+                break;
+
             default:
                 break;
             }