[Pkg-xen-devel] Xen-4.1.x backport of XSA156

Stefan Bader stefan.bader at canonical.com
Mon Nov 23 10:46:30 UTC 2015


Hi Bastian, Ian,

while I was working on the recent batch of security updates I noticed that the
obvious backport of the related patch caused an HVM guest to be crashed as soon
as a user inside that guest tried to ptrace a child process.

While talking to Jan, I realized that in 4.2 the inject exception code subtly
changed in a way that treats TRAP_debug as a HW event (that is triggered by no
opcode) while before it was always treated as SW event.

I believe Debian might be affected by the same, as you also have a 4.1.x version
in some stable, so I thought I would share the backport I did. Jan was suggesting a
slightly different coding which should do the same but I wanted to keep my
variant because I had done regression testing already and did not unnecessarily
change code.

Jan's proposal:

@@ -1364,7 +1358,6 @@ void vmx_inject_hw_exception(int trap, i
     switch ( trap )
     {
     case TRAP_debug:
-        type = X86_EVENTTYPE_SW_EXCEPTION;
         if ( guest_cpu_user_regs()->eflags & X86_EFLAGS_TF )
         {
             __restore_debug_registers(curr);
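
Review bot: With the `type = X86_EVENTTYPE_SW_EXCEPTION;` assignment removed from the top of `case TRAP_debug:`, nothing in this case states which event type TRAP_debug is injected with; it now depends on whatever `type` was initialised to earlier in vmx_inject_hw_exception(), outside the lines shown. A short comment at the case label saying that TRAP_debug is deliberately left as a hardware event, with no instruction length written, would keep a later backport from reintroducing the assignment.
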
@@ -1379,9 +1372,11 @@ void vmx_inject_hw_exception(int trap, i
             domain_pause_for_debugger();
             return;
         }
-
-        type = X86_EVENTTYPE_SW_EXCEPTION;
-        __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1); /* int3 */
+        if ( trap == TRAP_int3 )
+        {
+            type = X86_EVENTTYPE_SW_EXCEPTION;
+            __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1);
+        }
     }

     if ( unlikely(intr_info & INTR_INFO_VALID_MASK) &&
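
Review bot: The re-added `__vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1);` drops the `/* int3 */` comment that explained the literal 1; keep the comment on the new line. The `if ( trap == TRAP_int3 )` test inside the switch is also only meaningful if another case reaches this point by fall-through, which these lines do not show, so a comment marking that fall-through where it happens would make the reason for the test explicit.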

Attached is the patch I am using.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsa156-4.2.patch
Type: text/x-diff
Size: 6644 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20151123/1f8ee1ee/attachment.patch>