xenbits.xensource.com Git - people/royger/xen.git/commit

author	Tim Deegan <tim@xen.org>
	Mon, 14 Mar 2016 11:05:48 +0000 (11:05 +0000)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Wed, 20 Apr 2016 17:01:01 +0000 (18:01 +0100)
commit	8b17648339ba801c4c7937b5f13dd25068e54e60
tree	f608c4557288b0c7357388a3d91d67f45db4a9f0	tree
parent	4e4689e74d012b737bbca820cfe52c689c7d9cef	commit \| diff

x86: limit GFNs to 32 bits for shadowed superpages.

Superpage shadows store the shadowed GFN in the backpointer field,
which for non-BIGMEM builds is 32 bits wide. Shadowing a superpage
mapping of a guest-physical address above 2^44 would lead to the GFN
being truncated there, and a crash when we come to remove the shadow
from the hash table.

Track the valid width of a GFN for each guest, including reporting it
through CPUID, and enforce it in the shadow pagetables. Set the
maximum witth to 32 for guests where this truncation could occur.

This is XSA-173.

Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Tim Deegan <tim@xen.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

xen/arch/x86/cpu/common.c		diff \| blob \| blame \| history
xen/arch/x86/hvm/hvm.c		diff \| blob \| blame \| history
xen/arch/x86/mm/guest_walk.c		diff \| blob \| blame \| history
xen/arch/x86/mm/hap/hap.c		diff \| blob \| blame \| history
xen/arch/x86/mm/p2m.c		diff \| blob \| blame \| history
xen/arch/x86/mm/shadow/common.c		diff \| blob \| blame \| history
xen/arch/x86/mm/shadow/multi.c		diff \| blob \| blame \| history
xen/include/asm-x86/domain.h		diff \| blob \| blame \| history
xen/include/asm-x86/guest_pt.h		diff \| blob \| blame \| history
xen/include/asm-x86/processor.h		diff \| blob \| blame \| history
xen/include/asm-x86/x86_64/page.h		diff \| blob \| blame \| history