[Qemu-commits] [qemu/qemu] 5c83b2: xen: properly gate host writes of mod


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 5c83b2: xen: properly gate host writes of modified PCI CFG...
Date: Tue, 02 Jun 2015 10:00:07 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 5c83b2f5b4b956e91dd6e5711f14df7ab800aefb
      https://github.com/qemu/qemu/commit/5c83b2f5b4b956e91dd6e5711f14df7ab800aefb
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt.c
    M hw/xen/xen_pt.h
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen: properly gate host writes of modified PCI CFG contents

The old logic didn't work as intended when an access spanned multiple
fields (for example a 32-bit access to the location of the MSI Message
Data field with the high 16 bits not being covered by any known field).
Remove it and derive which fields not to write to from the accessed
fields' emulation masks: When they're all ones, there's no point in
doing any host write.

This fixes a secondary issue at once: We obviously shouldn't make any
host write attempt when already the host read failed.

This is XSA-128.

Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>


  Commit: 7611dae8a69f0f1775ba1a9a942961c2aa10d88e
      https://github.com/qemu/qemu/commit/7611dae8a69f0f1775ba1a9a942961c2aa10d88e
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/pci/msi.c
    M hw/xen/xen_pt_config_init.c
    M include/hw/pci/pci_regs.h

  Log Message:
  -----------
  xen: don't allow guest to control MSI mask register

It's being used by the hypervisor. For now simply mimic a device not
capable of masking, and fully emulate any accesses a guest may issue
nevertheless as simple reads/writes without side effects.

This is XSA-129.

Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>


  Commit: b38ec5ee7a581776bbce0bdaecb397632c3c4791
      https://github.com/qemu/qemu/commit/b38ec5ee7a581776bbce0bdaecb397632c3c4791
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt.h
    M hw/xen/xen_pt_msi.c

  Log Message:
  -----------
  xen/MSI-X: limit error messages

Limit error messages resulting from bad guest behavior to avoid allowing
the guest to cause the control domain's disk to fill.

The first message in pci_msix_write() can simply be deleted, as this
is indeed bad guest behavior, but such out of bounds writes don't
really need to be logged.

The second one is more problematic, as there guest behavior may only
appear to be wrong: For one, the old logic didn't take the mask-all bit
into account. And then this shouldn't depend on host device state (i.e.
the host may have masked the entry without the guest having done so).
Plus these writes shouldn't be dropped even when an entry is unmasked.
Instead, if they can't be made to take effect right away, they should take
effect on the next unmasking or enabling operation - the specification
explicitly describes such caching behavior. Until we can validly drop
the message (implementing such caching/latching behavior), issue the
message just once per MSI-X table entry.

Note that the log message in pci_msix_read() similar to the one being
removed here is not an issue: "addr" being of unsigned type, and the
maximum size of the MSI-X table being 32k, entry_nr simply can't be
negative and hence the conditional guarding issuing of the message will
never be true.

This is XSA-130.

Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>


  Commit: d1d35cf4ffb6a60a356193397919e83306d0bb74
      https://github.com/qemu/qemu/commit/d1d35cf4ffb6a60a356193397919e83306d0bb74
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/MSI: don't open-code pass-through of enable bit modifications

Without this the actual XSA-131 fix would cause the enable bit to not
get set anymore (due to the write back getting suppressed there based
on the OR of emu_mask, ro_mask, and res_mask).

Note that the fiddling with the enable bit shouldn't really be done by
qemu, but making this work right (via libxc and the hypervisor) will
require more extensive changes, which can be postponed until after the
security issue got addressed.

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Acked-by: Stefano Stabellini <address@hidden>


  Commit: d61bb2482dc0c7426f451f23ba7e2748ae2cc06d
      https://github.com/qemu/qemu/commit/d61bb2482dc0c7426f451f23ba7e2748ae2cc06d
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: consolidate PM capability emu_mask

There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing
PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local
emu_mask variable - we can have the same effect by setting the field
descriptor's emu_mask member suitably right away. Note that
xen_pt_pmcsr_reg_write() is being retained in order to allow later
patches to be less intrusive.

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Acked-by: Stefano Stabellini <address@hidden>
Acked-by: Ian Campbell <address@hidden>


  Commit: c4ff1e68c621928abc680266cad0a451686c403b
      https://github.com/qemu/qemu/commit/c4ff1e68c621928abc680266cad0a451686c403b
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: correctly handle PM status bit

xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C
nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS).

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>


  Commit: 0e7ef22136955169a0fd03c4e41af95662352733
      https://github.com/qemu/qemu/commit/0e7ef22136955169a0fd03c4e41af95662352733
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: split out calculation of throughable mask in PCI config space handling

This is just to avoid having to adjust that calculation later in
multiple places.

Note that including ->ro_mask in get_throughable_mask()'s calculation
is only an apparent (i.e. benign) behavioral change: For r/o fields it
doesn't matter whether they get passed through - either the same flag
is also set in emu_mask (then there's no change at all) or the field is
r/o in hardware (and hence a write won't change it anyway).

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Acked-by: Stefano Stabellini <address@hidden>
Reviewed-by: Anthony PERARD <address@hidden>


  Commit: 45ebe3916ab16f859ed930e92fbd52d84d5dcdaf
      https://github.com/qemu/qemu/commit/45ebe3916ab16f859ed930e92fbd52d84d5dcdaf
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: mark all PCIe capability bits read-only

xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-
only to avoid unintended write-back (just a precaution, the field ought
to be read-only in hardware).

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>


  Commit: 0ad3393ad032f76e88b4dbd04d36ad84dff75dd6
      https://github.com/qemu/qemu/commit/0ad3393ad032f76e88b4dbd04d36ad84dff75dd6
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt.h
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: mark reserved bits in PCI config space fields

The adjustments are solely to make the subsequent patches work right
(and hence make the patch set consistent), namely if permissive mode
(introduced by the last patch) gets used (as both reserved registers
and reserved fields must be similarly protected from guest access in
default mode, but the guest should be allowed access to them in
permissive mode).

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>


  Commit: a88a3f887181605f4487a22bdfb7d87ffafde5d9
      https://github.com/qemu/qemu/commit/a88a3f887181605f4487a22bdfb7d87ffafde5d9
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: add a few PCI config space field descriptions

Since the next patch will turn all not explicitly described fields
read-only by default, those fields that have guest writable bits need
to be given explicit descriptors.

This is a preparatory patch for XSA-131.

Signed-off-by: Jan Beulich <address@hidden>


  Commit: c25bbf1545a53ac051f9e51d4140e397660c10ae
      https://github.com/qemu/qemu/commit/c25bbf1545a53ac051f9e51d4140e397660c10ae
  Author: Jan Beulich <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/xen/xen_pt.c
    M hw/xen/xen_pt.h
    M hw/xen/xen_pt_config_init.c

  Log Message:
  -----------
  xen/pt: unknown PCI config space fields should be read-only

... by default. Add a per-device "permissive" mode similar to pciback's
to allow restoring previous behavior (and hence break security again,
i.e. should be used only for trusted guests).

This is part of XSA-131.

Signed-off-by: Jan Beulich <address@hidden>
Acked-by: Stefano Stabellini <address@hidden>
Reviewed-by: Anthony PERARD <address@hidden>


  Commit: 42d58e7c6760cb9c55627c28ae538e27dcf2f144
      https://github.com/qemu/qemu/commit/42d58e7c6760cb9c55627c28ae538e27dcf2f144
  Author: Peter Maydell <address@hidden>
  Date:   2015-06-02 (Tue, 02 Jun 2015)

  Changed paths:
    M hw/pci/msi.c
    M hw/xen/xen_pt.c
    M hw/xen/xen_pt.h
    M hw/xen/xen_pt_config_init.c
    M hw/xen/xen_pt_msi.c
    M include/hw/pci/pci_regs.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/sstabellini/tags/xen-15-06-02-tag' into staging

XSA 128 129 130 131

# gpg: Signature made Tue Jun  2 16:46:38 2015 BST using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <address@hidden>"

* remotes/sstabellini/tags/xen-15-06-02-tag:
  xen/pt: unknown PCI config space fields should be read-only
  xen/pt: add a few PCI config space field descriptions
  xen/pt: mark reserved bits in PCI config space fields
  xen/pt: mark all PCIe capability bits read-only
  xen/pt: split out calculation of throughable mask in PCI config space handling
  xen/pt: correctly handle PM status bit
  xen/pt: consolidate PM capability emu_mask
  xen/MSI: don't open-code pass-through of enable bit modifications
  xen/MSI-X: limit error messages
  xen: don't allow guest to control MSI mask register
  xen: properly gate host writes of modified PCI CFG contents

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/3fc827d59167...42d58e7c6760
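
The gating rule the XSA-128 and XSA-131 log messages describe, as an added example that is not taken from these commits or from QEMU: a simplified model in which the bits passed through to the device are those not covered by the OR of emu_mask, ro_mask and res_mask, undescribed bytes are read-only unless permissive, and no host write is made when nothing passes through or the host read failed. The `struct field` layout, `FIELD_BITS`, `write_mask()`, `gate_write()` and the sample descriptor are hypothetical names and constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified field descriptor (not QEMU's own structure). */
struct field {
    uint8_t  offset;   /* byte offset within the accessed 32-bit word */
    uint8_t  size;     /* field width in bytes: 1, 2 or 4 */
    uint32_t emu_mask; /* bits emulated, never written to the device */
    uint32_t ro_mask;  /* bits read-only for the guest */
    uint32_t res_mask; /* reserved bits, guest-writable only if permissive */
};

#define FIELD_BITS(f) ((f).size == 4 ? 0xffffffffu : (1u << (8 * (f).size)) - 1)

/* Bits of a 32-bit access that may reach the device, over all fields hit. */
static uint32_t write_mask(const struct field *f, size_t n, bool permissive)
{
    uint32_t covered = 0, mask = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t blocked = f[i].emu_mask | f[i].ro_mask |
                           (permissive ? 0 : f[i].res_mask);
        covered |= FIELD_BITS(f[i]) << (8 * f[i].offset);
        mask |= (FIELD_BITS(f[i]) & ~blocked) << (8 * f[i].offset);
    }
    /* Bytes covered by no descriptor are read-only unless permissive. */
    return permissive ? (mask | ~covered) : mask;
}

/* Returns true and stores the merged value when a host write is due. */
static bool gate_write(bool host_read_ok, uint32_t host_val,
                       uint32_t guest_val, uint32_t mask, uint32_t *out)
{
    if (!host_read_ok || mask == 0)
        return false; /* failed read, or nothing passes through */
    *out = (host_val & ~mask) | (guest_val & mask);
    return true;
}

/* Constructed sample: fully emulated 16-bit field in the low half. */
static const struct field msi_data = { 0, 2, 0xffff, 0, 0 };

int main(void)
{
    uint32_t out = 0, m = write_mask(&msi_data, 1, true);
    if (gate_write(true, 0x1234abcd, 0xdeadbeef, m, &out))
        printf("mask %08x -> host write %08x\n", (unsigned)m, (unsigned)out);
    return 0;
}
```

With the sample descriptor, a 32-bit guest write whose high 16 bits fall outside any described field produces no host write in the default mode, and only the undescribed high half reaches the device in permissive mode.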
