[Pkg-xen-changes] [xen] 05/10: x86/HVM: properly bound x2APIC MSR range

Bastian Blank waldi at moszumanska.debian.org
Fri Oct 17 13:35:10 UTC 2014


This is an automated email from the git hooks/post-receive script.

waldi pushed a commit to branch develop
in repository xen.

commit 1dd58bd5087cd48a4f5bd6dde2e6116ba95ee677
Author: Jan Beulich <jbeulich at suse.com>
Date:   Wed Oct 1 14:59:00 2014 +0200

    x86/HVM: properly bound x2APIC MSR range
    
    While the write path change appears to be purely cosmetic (but still
    gets done here for consistency), the read side mistake permitted
    accesses beyond the virtual APIC page.
    
    Note that while this isn't fully in line with the specification
    (digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal
    possible fix addressing the security issue and getting x2APIC related
    code into a consistent shape (elsewhere a 256 rather than 1024 wide
    window is being used too). This will be dealt with subsequently.
    
    This is CVE-2014-7188 / XSA-108.
    
    Signed-off-by: Jan Beulich <jbeulich at suse.com>
    master commit: 61fdda7acf3de11f3d50d50e5b4f4ecfac7e0d04
    master date: 2014-10-01 14:54:47 +0200
---
 xen/arch/x86/hvm/hvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index be1a2d3..3289604 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3022,7 +3022,7 @@ int hvm_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
         *msr_content = vcpu_vlapic(v)->hw.apic_base_msr;
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_read(v, msr, msr_content) )
             goto gp_fault;
         break;
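Review bot: The new upper bound in the read-side case label, `MSR_IA32_APICBASE_MSR + 0xff`, is a bare literal, and nothing in the hunk ties it to the size of the window that hvm_x2apic_msr_read() indexes. The commit message says this is the path that permitted accesses beyond the virtual APIC page and that a 256-wide window is used elsewhere, so the case range and the callee's indexing should share one named constant rather than two independently maintained numbers. It would also be worth having hvm_x2apic_msr_read() reject an out-of-window offset itself, so that a future widening of this label toward the 0x800-0xBFF range mentioned in the message cannot reintroduce the over-read. A short comment at the label noting that the narrower range is deliberate and pending follow-up would help the next reader.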
@@ -3148,7 +3148,7 @@ int hvm_msr_write_intercept(unsigned int msr, uint64_t msr_content)
         vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content);
         break;
 
-    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff:
+    case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff:
         if ( hvm_x2apic_msr_write(v, msr, msr_content) )
             goto gp_fault;
         break;
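Review bot: The write-side case label repeats the same literal `0xff` as the read side, so the two ranges can drift apart again in a later change; a single shared constant for both labels would prevent that. The commit message calls this side purely cosmetic, but the hunk does not show which case now handles writes to offsets 0x100 through 0x3ff that previously reached hvm_x2apic_msr_write(), so it would help to state in the message what a guest writing to those MSRs gets after this change (for example, whether it still ends at gp_fault).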

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-xen/xen.git


