[Pkg-xen-devel] Xen-4.1.x backport of XSA156
Ian Campbell
ijc at debian.org
Mon Nov 23 10:57:57 UTC 2015
Thanks Stefan.
CCing security at debian.org since there doesn't seem to be a BTS entry for
these issues yet.
Ian.
On Mon, 2015-11-23 at 11:46 +0100, Stefan Bader wrote:
> Hi Bastian, Ian,
>
> while I was working on the recent batch of security updates I noticed that
> the obvious backport of the related patch caused an HVM guest to be crashed
> as soon as a user inside that guest tried to ptrace a child process.
>
> While talking to Jan, I realized that in 4.2 the inject exception code
> subtly changed in a way that treats TRAP_debug as a HW event (that is
> triggered by no opcode) while before it was always treated as SW event.
>
> I believe Debian might be affected by the same as you also have a 4.1.x
> version in some stable, so I thought I'd share the backport I did. Jan was
> suggesting a slightly different coding which should do the same but I wanted
> to keep my variant because I had done regression testing already and did not
> unnecessarily change code.
>
> Jan's proposal:
>
> @@ -1364,7 +1358,6 @@ void vmx_inject_hw_exception(int trap, i
> switch ( trap )
> {
> case TRAP_debug:
> - type = X86_EVENTTYPE_SW_EXCEPTION;
> if ( guest_cpu_user_regs()->eflags & X86_EFLAGS_TF )
> {
> __restore_debug_registers(curr);
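Review bot: With the `type = X86_EVENTTYPE_SW_EXCEPTION;` assignment dropped from the `case TRAP_debug:` arm, the event type used for #DB now depends entirely on what `type` holds on entry to `switch ( trap )`, and that initialisation is not visible in this hunk. Please confirm that in the 4.1.x tree `type` starts out as the hardware-exception value, and consider a one-line comment in this arm saying that #DB is deliberately injected as a hardware event with no instruction length, since the guest crash on ptrace described above came from exactly this distinction.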
> @@ -1379,9 +1372,11 @@ void vmx_inject_hw_exception(int trap, i
> domain_pause_for_debugger();
> return;
> }
> -
> - type = X86_EVENTTYPE_SW_EXCEPTION;
> - __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1); /* int3 */
> + if ( trap == TRAP_int3 )
> + {
> + type = X86_EVENTTYPE_SW_EXCEPTION;
> + __vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1);
> + }
> }
>
> if ( unlikely(intr_info & INTR_INFO_VALID_MASK) &&
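Review bot: The new `if ( trap == TRAP_int3 )` guard only makes sense if this block is also reached with another trap value, presumably by falling through from the `case TRAP_debug:` arm, yet neither the case label nor a break is visible around it. Please mark the fall-through with an explicit comment, or give the int3 handling its own arm so the guard is not needed. The rewritten `__vmwrite(VM_ENTRY_INSTRUCTION_LEN, 1);` also loses the `/* int3 */` comment that explained why the length is 1; it is worth keeping.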
>
> Attached is the patch I am using.
>
> -Stefan