ia64/xen-unstable

diff xen/arch/x86/traps.c @ 8783:5caf1de3f268

Apply stricter checking to RDMSR/WRMSR emulations.
In particular, MSRs that domain0 may write to must now
be 'white listed': default policy is to ignore the write.

This will prevent SYSCALL/SYSENTER instructions from
crashign Xen, by preventing the target MSRs from being
overwritten by domain 0.

Signed-off-by: Keir Fraser <keir@xensource.com>
author kaf24@firebug.cl.cam.ac.uk
date Tue Feb 07 15:56:39 2006 +0100 (2006-02-07)
parents 6f7c5439a6c4
children 01fa38f79207
line diff
     1.1 --- a/xen/arch/x86/traps.c	Tue Feb 07 13:57:40 2006 +0000
     1.2 +++ b/xen/arch/x86/traps.c	Tue Feb 07 15:56:39 2006 +0100
     1.3 @@ -670,6 +670,7 @@ static int emulate_privileged_op(struct 
     1.4      unsigned long *reg, eip = regs->eip, res;
     1.5      u8 opcode, modrm_reg = 0, modrm_rm = 0, rep_prefix = 0;
     1.6      unsigned int port, i, op_bytes = 4, data;
     1.7 +    u32 l, h;
     1.8  
     1.9      /* Legacy prefixes. */
    1.10      for ( i = 0; i < 8; i++ )
    1.11 @@ -974,31 +975,67 @@ static int emulate_privileged_op(struct 
    1.12          break;
    1.13  
    1.14      case 0x30: /* WRMSR */
    1.15 -        /* Ignore the instruction if unprivileged. */
    1.16 -        if ( !IS_PRIV(v->domain) )
    1.17 +        switch ( regs->ecx )
    1.18          {
    1.19 -            u32 l, h;
    1.20 +#ifdef CONFIG_X86_64
    1.21 +        case MSR_FS_BASE:
    1.22 +            if ( wrmsr_user(MSR_FS_BASE, regs->eax, regs->edx) )
    1.23 +                goto fail;
    1.24 +            v->arch.guest_context.fs_base =
    1.25 +                ((u64)regs->edx << 32) | regs->eax;
    1.26 +            break;
    1.27 +        case MSR_GS_BASE:
    1.28 +            if ( wrmsr_user(MSR_GS_BASE, regs->eax, regs->edx) )
    1.29 +                goto fail;
    1.30 +            v->arch.guest_context.gs_base_kernel =
    1.31 +                ((u64)regs->edx << 32) | regs->eax;
    1.32 +            break;
    1.33 +        case MSR_SHADOW_GS_BASE:
    1.34 +            if ( wrmsr_user(MSR_SHADOW_GS_BASE, regs->eax, regs->edx) )
    1.35 +                goto fail;
    1.36 +            v->arch.guest_context.gs_base_user =
    1.37 +                ((u64)regs->edx << 32) | regs->eax;
    1.38 +            break;
    1.39 +#endif
    1.40 +        default:
    1.41              if ( (rdmsr_user(regs->ecx, l, h) != 0) ||
    1.42                   (regs->ecx != MSR_EFER) ||
    1.43                   (regs->eax != l) || (regs->edx != h) )
    1.44 -                DPRINTK("Non-priv domain attempted WRMSR %p from "
    1.45 +                DPRINTK("Domain attempted WRMSR %p from "
    1.46                          "%08x:%08x to %08lx:%08lx.\n",
    1.47                          _p(regs->ecx), h, l, (long)regs->edx, (long)regs->eax);
    1.48 +            break;
    1.49          }
    1.50 -        else if ( wrmsr_user(regs->ecx, regs->eax, regs->edx) )
    1.51 -            goto fail;
    1.52          break;
    1.53  
    1.54      case 0x32: /* RDMSR */
    1.55 -        if ( !IS_PRIV(v->domain) )
    1.56 +        switch ( regs->ecx )
    1.57          {
    1.58 -            if ( regs->ecx != MSR_EFER )
    1.59 -                DPRINTK("Non-priv domain attempted RDMSR %p.\n",
    1.60 -                        _p(regs->ecx));
    1.61 +#ifdef CONFIG_X86_64
    1.62 +        case MSR_FS_BASE:
    1.63 +            regs->eax = v->arch.guest_context.fs_base & 0xFFFFFFFFUL;
    1.64 +            regs->edx = v->arch.guest_context.fs_base >> 32;
    1.65 +            break;
    1.66 +        case MSR_GS_BASE:
    1.67 +            regs->eax = v->arch.guest_context.gs_base_kernel & 0xFFFFFFFFUL;
    1.68 +            regs->edx = v->arch.guest_context.gs_base_kernel >> 32;
    1.69 +            break;
    1.70 +        case MSR_SHADOW_GS_BASE:
    1.71 +            regs->eax = v->arch.guest_context.gs_base_user & 0xFFFFFFFFUL;
    1.72 +            regs->edx = v->arch.guest_context.gs_base_user >> 32;
    1.73 +            break;
    1.74 +#endif
    1.75 +        case MSR_EFER:
    1.76 +            if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
    1.77 +                goto fail;
    1.78 +            break;
    1.79 +        default:
    1.80 +            DPRINTK("Domain attempted RDMSR %p.\n", _p(regs->ecx));
    1.81 +            /* Everyone can read the MSR space. */
    1.82 +            if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
    1.83 +                goto fail;
    1.84 +            break;
    1.85          }
    1.86 -        /* Everyone can read the MSR space. */
    1.87 -        if ( rdmsr_user(regs->ecx, regs->eax, regs->edx) )
    1.88 -            goto fail;
    1.89          break;
    1.90  
    1.91      default: