xenbits.xensource.com Git - xen.git/commit

author	Andrew Cooper <andrew.cooper3@citrix.com>
	Tue, 26 Sep 2023 19:15:50 +0000 (20:15 +0100)
committer	Roger Pau Monne <roger.pau@citrix.com>
	Fri, 29 Sep 2023 13:57:09 +0000 (15:57 +0200)
commit	4a4daf6bddbe8a741329df5cc8768f7dec664aed
tree	e4578a6ef1055b44d1f1d60cf6cf19415ccc3d7a	tree
parent	1f0d217f054b4b9f2d2990dc8721488ca550c5a4	commit \| diff

x86/pv: Correct the auditing of guest breakpoint addresses

The use of access_ok() is buggy, because it permits access to the compat
translation area. 64bit PV guests don't use the XLAT area, but on AMD
hardware, the DBEXT feature allows a breakpoint to match up to a 4G aligned
region, allowing the breakpoint to reach outside of the XLAT area.

Prior to c/s cda16c1bb223 ("x86: mirror compat argument translation area for
32-bit PV"), the live GDT was within 4G of the XLAT area.

All together, this allowed a malicious 64bit PV guest on AMD hardware to place
a breakpoint over the live GDT, and trigger a #DB livelock (CVE-2015-8104).

Introduce breakpoint_addr_ok() and explain why __addr_ok() happens to be an
appropriate check in this case.

For Xen 4.14 and later, this is a latent bug because the XLAT area has moved
to be on its own with nothing interesting adjacent. For Xen 4.13 and older on
AMD hardware, this fixes a PV-trigger-able DoS.

This is part of XSA-444 / CVE-2023-34328.

Fixes: 65e355490817 ("x86/PV: support data breakpoint extension registers")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
(cherry picked from commit dc9d9aa62ddeb14abd5672690d30789829f58f7e)

xen/arch/x86/pv/misc-hypercalls.c		diff \| blob \| blame \| history
xen/include/asm-x86/debugreg.h		diff \| blob \| blame \| history