dgit.raspbian.org Git - xen.git/commit

author	Jan Beulich <jbeulich@suse.com>
	Tue, 10 Nov 2015 11:03:08 +0000 (12:03 +0100)
committer	Jan Beulich <jbeulich@suse.com>
	Tue, 10 Nov 2015 11:03:08 +0000 (12:03 +0100)
commit	bd2239d9fa975a1ee5bcd27c218ae042cd0a57bc
tree	ffa690e27ad6b17ed135a41c08fc34e219e381ba	tree \| snapshot
parent	22a1fbb575df3a3a7726cdeb5ddf19cc8f60827c	commit \| diff

x86/HVM: always intercept #AC and #DB

Both being benign exceptions, and both being possible to get triggered
by exception delivery, this is required to prevent a guest from locking
up a CPU (resulting from no other VM exits occurring once getting into
such a loop).

The specific scenarios:

1) #AC may be raised during exception delivery if the handler is set to
be a ring-3 one by a 32-bit guest, and the stack is misaligned.

This is CVE-2015-5307 / XSA-156.

Reported-by: Benjamin Serebrin <serebrin@google.com>
2) #DB may be raised during exception delivery when a breakpoint got
placed on a data structure involved in delivering the exception. This
can result in an endless loop when a 64-bit guest uses a non-zero IST
for the vector 1 IDT entry, but even without use of IST the time it
takes until a contributory fault would get raised (results depending
on the handler) may be quite long.

This is CVE-2015-8104 / XSA-156.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

xen/arch/x86/hvm/svm/svm.c		diff \| blob \| history
xen/arch/x86/hvm/vmx/vmx.c		diff \| blob \| history
xen/include/asm-x86/hvm/hvm.h		diff \| blob \| history