HVM guest user mode MMIO emulation DoS vulnerability

The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions.

logic error (not properly reset state)



x86/hvm: don’t leave emulator in inconsistent state

The fact that handle_mmio(), and thus the instruction emulator, is being run through twice for emulations that require involvement of the device model, allows for the second run to see a different guest state than the first one. Since only the MMIO-specific emulation routines update the vCPU’s io_state, if they get invoked on the second pass, internal state (and particularly this variable) can be left in a state making successful emulation of a subsequent MMIO operation impossible.

Consequently, whenever the emulator invocation returns without requesting a retry of the guest instruction, reset io_state.

 --- a/xen/arch/x86/hvm/io.c    Sun Jul 22 16:39:00 2012 +0100
 +++ b/xen/arch/x86/hvm/io.c    Thu Jul 26 16:56:35 2012 +0100
 @@ -176,6 +176,8 @@ int handle_mmio(void)
      rc = hvm_emulate_one(&ctxt);
 +    if ( rc != X86EMUL_RETRY )
 +        curr->arch.hvm_vcpu.io_state = HVMIO_none;
      if ( curr->arch.hvm_vcpu.io_state == HVMIO_awaiting_completion )
          curr->arch.hvm_vcpu.io_state = Hdle_mmio_awaiting_completion;


guest DoS