CVE-2013-4551
http://xenbits.xen.org/xsa/advisory-75.html
Host crash due to guest VMX instruction execution
Permission checks on the emulation paths for VMLAUNCH and VMRESUME (intended for guests using nested virtualization) were performed too late. Before checking, the hypervisor would try to use internal state that is only set up when nested virtualization is actually enabled for the guest.
Deferred privilege check (internal state used before the check)
http://xenbits.xen.org/xsa/xsa75-4.2.patch
nested VMX: VMLAUNCH/VMRESUME emulation must check permission first thing
Otherwise uninitialized data may be used, leading to crashes.
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1075,15 +1075,10 @@ int nvmx_handle_vmxoff(struct cpu_user_r
return X86EMUL_OKAY;
}
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
{
struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
- int rc;
-
- rc = vmx_inst_check_privilege(regs, 0);
- if ( rc != X86EMUL_OKAY )
- return rc;
/* check VMCS is valid and IO BITMAP is set */
if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
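Review bot: removing the vmx_inst_check_privilege() call from nvmx_vmresume() makes this function's correctness depend entirely on every caller having already performed the check, so the change to `static` is the important part of this hunk: it restricts callers to this translation unit, where the two handlers can be audited. A one-line comment above the function stating that callers must have passed vmx_inst_check_privilege() before entering would document that contract, since the body now goes straight to reading nvcpu->nv_vvmcxaddr.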
@@ -1100,6 +1095,10 @@ int nvmx_handle_vmresume(struct cpu_user
{
int launched;
struct vcpu *v = current;
+ int rc = vmx_inst_check_privilege(regs, 0);
+
+ if ( rc != X86EMUL_OKAY )
+ return rc;
if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
{
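Review bot: the privilege check now precedes the read of vcpu_nestedhvm(v).nv_vvmcxaddr, which is the ordering the commit message calls for, since that field is the nested state that is uninitialized when nested virtualization is off. Consider a short comment above `int rc = vmx_inst_check_privilege(regs, 0);` noting that it must remain the first action in the handler, so a later change that hoists work above it does not reintroduce the crash.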
@@ -1119,8 +1118,11 @@ int nvmx_handle_vmresume(struct cpu_user
int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
{
int launched;
- int rc;
struct vcpu *v = current;
+ int rc = vmx_inst_check_privilege(regs, 0);
+
+ if ( rc != X86EMUL_OKAY )
+ return rc;
if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
{
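Review bot: nvmx_handle_vmlaunch() now carries the same preamble as nvmx_handle_vmresume(): check privilege, bail out on anything other than X86EMUL_OKAY, and only then look at nv_vvmcxaddr. The duplication is acceptable for two handlers, but the ordering invariant should be documented in both places (or the shared prologue factored into one helper) so the two entry points cannot drift apart in future edits.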
A malicious or misbehaved HVM guest, including malicious or misbehaved user mode code run in the guest, might be able to crash the host.
DoS