x86/hvm: Forced Emulation Prefix for debug builds of Xen

Analysis of XSAs 105 and 106 show that is possible to force a race condition
which causes any arbitrary instruction to be emulated.

To aid testing, explicitly introduce the Forced Emulation Prefix for debug
builds alone.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>

diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown
index af93e17ba6ee6ec3924ebf8a1776da94cb8bf724..389701a3471b6f5a2d18e7b87034d7bd051cc89f 100644 (file)
--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -682,6 +682,17 @@ Bit 11 - MSR operation logging
 
 Recognized in debug builds of the hypervisor only.
 
+### hvm\_fep
+> `= <boolean>`
+
+> Default: `false`
+
+Allow use of the Forced Emulation Prefix in HVM guests, to allow emulation of
+arbitrary instructions.
+
+This option is intended for development purposes, and is only available in
+debug builds of the hypervisor.
+
 ### hvm\_port80
 > `= <boolean>`
 

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 5c7e0a46d04f2bbbfc0564049efc6cc5ab507fbc..34f28d0fcd423adadc6b87c78b2f90619fbf17dd 100644 (file)
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -86,6 +86,11 @@ unsigned long __attribute__ ((__section__ (".bss.page_aligned")))
 static bool_t __initdata opt_hap_enabled = 1;
 boolean_param("hap", opt_hap_enabled);
 
+#ifndef opt_hvm_fep
+bool_t opt_hvm_fep;
+boolean_param("hvm_fep", opt_hvm_fep);
+#endif
+
 static int cpu_callback(
     struct notifier_block *nfb, unsigned long action, void *hcpu)
 {

diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c
index 5d404cea6e3911513142814f88f8624c7c482e76..30af10d8e220328f8daad794ef72bf5299250b77 100644 (file)
--- a/xen/arch/x86/hvm/svm/svm.c
+++ b/xen/arch/x86/hvm/svm/svm.c
@@ -2069,6 +2069,19 @@ static void svm_vmexit_ud_intercept(struct cpu_user_regs *regs)
     struct hvm_emulate_ctxt ctxt;
     int rc;
 
+    if ( opt_hvm_fep )
+    {
+        char sig[5]; /* ud2; .ascii "xen" */
+
+        if ( (hvm_fetch_from_guest_virt_nofault(
+                  sig, regs->eip, sizeof(sig), 0) == HVMCOPY_okay) &&
+             (memcmp(sig, "\xf\xbxen", sizeof(sig)) == 0) )
+        {
+            regs->eip += sizeof(sig);
+            regs->eflags &= ~X86_EFLAGS_RF;
+        }
+    }
+
     hvm_emulate_prepare(&ctxt, regs);
 
     rc = hvm_emulate_one(&ctxt);

diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index 84119edce9cf8c7b3dbc0d16b403f4164f3493f9..923f0082ecfd82b7ca3c92a18c47361235e57c77 100644 (file)
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2499,6 +2499,19 @@ static void vmx_vmexit_ud_intercept(struct cpu_user_regs *regs)
     struct hvm_emulate_ctxt ctxt;
     int rc;
 
+    if ( opt_hvm_fep )
+    {
+        char sig[5]; /* ud2; .ascii "xen" */
+
+        if ( (hvm_fetch_from_guest_virt_nofault(
+                  sig, regs->eip, sizeof(sig), 0) == HVMCOPY_okay) &&
+             (memcmp(sig, "\xf\xbxen", sizeof(sig)) == 0) )
+        {
+            regs->eip += sizeof(sig);
+            regs->eflags &= ~X86_EFLAGS_RF;
+        }
+    }
+
     hvm_emulate_prepare(&ctxt, regs);
 
     rc = hvm_emulate_one(&ctxt);

diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h
index 3e66276bbef1f1473a56bbd0d66447c3a7893c1a..c0fbc8bd16ee577981945055d3394f3276d51fb6 100644 (file)
--- a/xen/include/asm-x86/hvm/hvm.h
+++ b/xen/include/asm-x86/hvm/hvm.h
@@ -517,6 +517,13 @@ bool_t nhvm_vmcx_hap_enabled(struct vcpu *v);
 /* interrupt */
 enum hvm_intblk nhvm_interrupt_blocked(struct vcpu *v);
 
+#ifndef NDEBUG
+/* Permit use of the Forced Emulation Prefix in HVM guests */
+extern bool_t opt_hvm_fep;
+#else
+#define opt_hvm_fep 0
+#endif
+
 #endif /* __ASM_X86_HVM_HVM_H__ */
 
 /*