From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 8 Apr 2010 10:52:05 -0400
Subject: [xen] arpl on MMIO area crashes the guest
Message-id: <1270723925-32730-1-git-send-email-pbonzini@redhat.com>
Patchwork-id: 4339
O-Subject: [kernel team] [RHEL5.5.z/5.6 EMBARGOED PATCH v2] CVE-2010-0730: arpl on MMIO area crashes the guest
Bugzilla: 572982
CVE: CVE-2010-0730
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Don Dutile <ddutile@redhat.com>
RH-Acked-by: Chris Lalancette <clalance@redhat.com>

Bugzilla: 572971
Upstream status: c/s 15523 and 15532 in xen-3.1-testing.hg
Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=2369823

Due to a mismatch between the opcode decoding table and the implementation of the operand decoder in platform.c, the ARPL instruction would cause the guest to crash if executed on an MMIO area. While this is difficult to exploit from non-root, it is theoretically possible to do so.

This patch changes the failure path to inject #UD instead of crashing the domain. The guest kernel will transform the #UD into a SIGILL.

Side note: the emulator vulnerabilities found in KVM are not present in RHEL5 Xen because it uses VM86 mode to execute real-mode code on VMX, and small specialized decoders for MMIO operations. The emulator in arch/x86/x86_emulate.c is only used rarely (the shadow paging code uses it) and only to execute kernel-mode code.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/hvm/platform.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/arch/x86/hvm/platform.c b/arch/x86/hvm/platform.c
index 3d69e9c..86c478d 100644
--- a/arch/x86/hvm/platform.c
+++ b/arch/x86/hvm/platform.c
@@ -1057,7 +1057,9 @@ void handle_mmio(unsigned long gpa) for ( i = 0; i < inst_len; i++ ) printk(" %02x", inst[i] & 0xFF); printk("\n"); - domain_crash_synchronous(); + + hvm_inject_exception(TRAP_invalid_op, -1, 0); + return; } regs->eip += inst_len; /* advance %eip */
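Review bot: the printk() loop that dumps the undecodable instruction bytes stays on a path that, after this hunk, a guest can hit repeatedly without losing the domain (the #UD becomes a SIGILL in one process and the guest carries on), so an unprivileged guest process can now drive that diagnostic in a loop; consider rate-limiting or demoting the message so the hypervisor log cannot be flooded from inside a guest. The `return;` placed before `regs->eip += inst_len; /* advance %eip */` is correct: the exception must be delivered with %eip still pointing at the instruction the decoder rejected, and inst_len is not trustworthy on the failure path anyway. Minor style point: the extra empty `+` line before `hvm_inject_exception(TRAP_invalid_op, -1, 0);` adds a blank line that the surrounding code does not have.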