x86/PV: check GDT/LDT limits during emulation
author Jan Beulich <jbeulich@suse.com>
Thu, 31 Oct 2019 15:08:16 +0000 (16:08 +0100)
committer Jan Beulich <jbeulich@suse.com>
Thu, 31 Oct 2019 15:08:16 +0000 (16:08 +0100)
commit 93021cbe880a8013691a48d0febef8ed7d3e3ebd
tree 9fc2a5739aaa61a03a42dde31df2329c82215018
parent 0bf9f8d3e399a0e1d2b717f71b4776172446184b
x86/PV: check GDT/LDT limits during emulation

Accesses beyond the LDT limit originating from emulation would trigger
the ASSERT() in pv_map_ldt_shadow_page(). On production builds such
accesses would cause an attempt to promote the touched page (offset from
the present LDT base address) to a segment descriptor one. If this
happens to succeed, guest user mode would be able to elevate its
privileges to that of the guest kernel. This is particularly easy when
there's no LDT at all, in which case the LDT base stored internally to
Xen is simply zero.

Also adjust the ASSERT() that was triggering: It was off by one to
begin with, and for production builds we also better use
ASSERT_UNREACHABLE() instead with suitable recovery code afterwards.

This is XSA-298.

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
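The following is a constructed C model of the selector-to-descriptor lookup that this commit hardens; it is added here as an illustration and is not code from Xen or from the patch. It keeps only what the commit message needs: a table has a base and a byte limit (the offset of the last valid byte, as GDTR/LDTR hold it), the limit check must cover the whole 8-byte descriptor, and an "LDT" that is not loaded has base 0. Null-selector, RPL/DPL and privilege rules are deliberately left out; the memory image, the fixture tables and the `fx_*` names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an x86 descriptor table (not Xen's code). base/limit
 * mirror GDTR/LDTR: limit is the offset of the LAST valid byte, so a table
 * of n descriptors has limit n*8 - 1. */
struct desc_table {
    uintptr_t base;    /* linear base of the table (0 when no LDT is loaded) */
    uint32_t  limit;   /* byte limit, at most 0xFFFF */
    bool      present; /* false models "no LDT at all" */
};

#define DESC_SIZE     8u
#define SEL_TI        0x4u                  /* table indicator: 0 = GDT, 1 = LDT */
#define SEL_INDEX(s)  ((uint32_t)(s) >> 3)  /* drops the RPL and TI bits */

/* Offset of the descriptor for `sel` within table `t`, or -1 if the table is
 * absent or the descriptor would extend past the limit. The bound is on the
 * descriptor's last byte (off + 7 <= limit); checking only its first byte,
 * or an index against an entry count with the wrong comparison, is the kind
 * of off-by-one the commit message describes. */
long descriptor_offset(const struct desc_table *t, uint16_t sel)
{
    uint32_t off = SEL_INDEX(sel) * DESC_SIZE;

    if (!t->present)
        return -1;
    if (off + DESC_SIZE - 1 > t->limit)   /* limit <= 0xFFFF: no overflow */
        return -1;
    return (long)off;
}

/* What an emulator that skips descriptor_offset() computes: base + offset
 * with no limit check. With no LDT loaded the base is 0, so the "descriptor"
 * address lands in a guest page at the bottom of the address space; code that
 * then promotes the page containing that address to a descriptor page lets
 * the guest choose the descriptor contents. */
uintptr_t unchecked_address(const struct desc_table *t, uint16_t sel)
{
    return t->base + SEL_INDEX(sel) * DESC_SIZE;
}

/* Read the 8-byte descriptor selected by `sel` from a flat memory image,
 * choosing GDT or LDT by the TI bit. Returns 0 on success, -1 where hardware
 * would raise #GP(selector). */
int read_descriptor(const struct desc_table *gdt, const struct desc_table *ldt,
                    const uint8_t *mem, size_t mem_len,
                    uint16_t sel, uint64_t *out)
{
    const struct desc_table *t = (sel & SEL_TI) ? ldt : gdt;
    long off = descriptor_offset(t, sel);

    if (off < 0)
        return -1;
    if (t->base + (uintptr_t)off + DESC_SIZE > mem_len)   /* image bounds only */
        return -1;
    memcpy(out, mem + t->base + (uintptr_t)off, DESC_SIZE);
    return 0;
}

/* Constructed fixture: a 4-entry GDT at 0x100 in a 512-byte image, no LDT.
 * Entry 3 is a flat ring-3 code segment (base 0, limit 0xFFFFF, G=1, D=1). */
static const struct desc_table fx_gdt = { .base = 0x100, .limit = 4 * DESC_SIZE - 1, .present = true };
static const struct desc_table fx_no_ldt = { .base = 0, .limit = 0, .present = false };
static uint8_t fx_mem[0x200];
static const uint64_t FX_CODE_DESC = 0x00CFFA000000FFFFull;

static void fx_init(void)
{
    static bool done;
    if (!done) {
        memcpy(fx_mem + fx_gdt.base + 3 * DESC_SIZE, &FX_CODE_DESC, DESC_SIZE);
        done = true;
    }
}

/* Descriptor for `sel` from the fixture, or 0 when the lookup is rejected. */
uint64_t fx_lookup(uint16_t sel)
{
    uint64_t d = 0;
    fx_init();
    return read_descriptor(&fx_gdt, &fx_no_ldt, fx_mem, sizeof fx_mem, sel, &d) == 0 ? d : 0;
}

int main(void)
{
    /* 0x18: GDT index 3, in range.  0x20: GDT index 4, just past the limit.
     * 0x0C: LDT index 1 with no LDT loaded. */
    printf("0x18 -> %#llx\n", (unsigned long long)fx_lookup(0x18));
    printf("0x20 -> %#llx\n", (unsigned long long)fx_lookup(0x20));
    printf("0x0C -> %#llx (unchecked address would be %#lx)\n",
           (unsigned long long)fx_lookup(0x0C),
           (unsigned long)unchecked_address(&fx_no_ldt, 0x0C));
    return 0;
}
```

The point of the model is the order of operations: the limit and presence checks run before any address is formed from the table base, so an LDT selector with no LDT loaded is rejected outright instead of producing an address near zero that later code would treat as a descriptor page.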
xen/arch/x86/pv/emul-gate-op.c
xen/arch/x86/pv/emulate.c
xen/arch/x86/pv/mm.c