xcp-1.6-updates/xen-4.1.hg

changeset 23325:a43f5b4b0331

x86/hvm: don't leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is
being run through twice for emulations that require involvement of the
device model, allows for the second run to see a different guest state
than the first one. Since only the MMIO-specific emulation routines
update the vCPU's io_state, if they get invoked on the second pass,
internal state (and particularly this variable) can be left in a state
making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without
requesting a retry of the guest instruction, reset io_state.

[ This is a security issue. XSA#10. -iwj ]

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>

xen-unstable changeset: 25682:ffcb24876b4f
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
author Jan Beulich <jbeulich@suse.com>
date Thu Jul 26 16:56:35 2012 +0100 (2012-07-26)
parents e89be0dedeb4
children c23c84dbd989
files xen/arch/x86/hvm/io.c
line diff
     1.1 --- a/xen/arch/x86/hvm/io.c	Sun Jul 22 16:39:00 2012 +0100
     1.2 +++ b/xen/arch/x86/hvm/io.c	Thu Jul 26 16:56:35 2012 +0100
     1.3 @@ -176,6 +176,8 @@ int handle_mmio(void)
     1.4  
     1.5      rc = hvm_emulate_one(&ctxt);
     1.6  
     1.7 +    if ( rc != X86EMUL_RETRY )
     1.8 +        curr->arch.hvm_vcpu.io_state = HVMIO_none;
     1.9      if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
    1.10          curr->arch.hvm_vcpu.io_state = HVMIO_handle_mmio_awaiting_completion;
    1.11      else
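Review bot: the new reset at `if ( rc != X86EMUL_RETRY )` is placed before the `HVMIO_awaiting_completion` check, so the transition to `HVMIO_handle_mmio_awaiting_completion` now only happens when the emulator actually asked for a retry; that ordering is the point of the fix but is not obvious from the code, so a one-line comment above the new `if` would help (e.g. `/* Emulation completed or failed: clear pending I/O state so a later MMIO access starts clean. */`). Also, the commit message says internal state "and particularly this variable" can be left inconsistent, while the hunk resets only `io_state`; the message should say whether any other emulation state is reset elsewhere or why clearing `io_state` alone is sufficient.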